[arch-releng] [PATCH 1/1] use a stronger hashing algorithm
From: Christian Hesse <mail@eworm.de>
Nobody wants to use md5 these days...
Signed-off-by: Christian Hesse <mail@eworm.de>
---
 archiso/initcpio/hooks/archiso | 6 +++---
 archiso/initcpio/hooks/archiso_pxe_http | 2 +-
 archiso/mkarchiso | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso
index b78f4db..753e3da 100644
--- a/archiso/initcpio/hooks/archiso
+++ b/archiso/initcpio/hooks/archiso
@@ -99,7 +99,7 @@ _mnt_dev() {
 _verify_checksum() {
 local _status
 cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
- md5sum -c airootfs.md5 > /tmp/checksum.log 2>&1
+ sha512sum -c airootfs.sha512 > /tmp/checksum.log 2>&1
 _status=$?
 cd "${OLDPWD}"
 return ${_status}
@@ -153,7 +153,7 @@ archiso_mount_handler() {
 fi

 if [[ "${checksum}" == "y" ]]; then
- if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.md5" ]]; then
+ if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sha512" ]]; then
 msg -n ":: Self-test requested, please wait..."
 if _verify_checksum; then
 msg "done. Checksum is OK, continue booting."
@@ -163,7 +163,7 @@ archiso_mount_handler() {
 launch_interactive_shell
 fi
 else
- echo "ERROR: checksum=y option specified but ${archisobasedir}/${arch}/airootfs.md5 not found"
+ echo "ERROR: checksum=y option specified but ${archisobasedir}/${arch}/airootfs.sha512 not found"
 launch_interactive_shell
 fi
 fi
diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http
index 54af7c5..a7c03a8 100644
--- a/archiso/initcpio/hooks/archiso_pxe_http
+++ b/archiso/initcpio/hooks/archiso_pxe_http
@@ -41,7 +41,7 @@ archiso_pxe_http_mount_handler () {
 _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs" "/${arch}"

 if [[ "${checksum}" == "y" ]]; then
- _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
+ _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sha512" "/${arch}"
 fi
 if [[ "${verify}" == "y" ]]; then
 _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 0aca521..9c3a835 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -249,7 +249,7 @@ _mkairootfs_sfs () {
 _mkchecksum () {
 _msg_info "Creating checksum file for self-test..."
 cd "${work_dir}/iso/${install_dir}/${arch}"
- md5sum airootfs.sfs > airootfs.md5
+ sha512sum airootfs.sfs > airootfs.sha512
 cd ${OLDPWD}
 _msg_info "Done!"
 }
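Review bot: In the `archiso_pxe_http_mount_handler` hunk, `airootfs.sha512` is fetched from `${archiso_http_srv}` through the same `_curl_get` path as `airootfs.sfs`, so whoever can alter the image on the server or in transit can replace the digest too; moving from MD5 to SHA-512 does not change that. The same holds for `_verify_checksum` in `hooks/archiso`, where the digest file sits beside the image on the boot medium. I would say so next to the `checksum` branch, e.g. `# checksum=y only detects corruption; the digest shares the image's origin, so use verify=y for a signature check`. The handler's body starts and ends outside the hunk, so where the downloaded digest is actually checked is not visible here.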
The only purpose of this is to act as a checksum, like an "enhanced CRC"; in any case, I will apply it. I know you know; this is just to clarify for anyone who reads this. Thanks. El 16/10/17 a las 04:12, Christian Hesse escribió:
From: Christian Hesse <mail@eworm.de>
Nobody wants to use md5 these days...
Signed-off-by: Christian Hesse <mail@eworm.de>
---
 archiso/initcpio/hooks/archiso | 6 +++---
 archiso/initcpio/hooks/archiso_pxe_http | 2 +-
 archiso/mkarchiso | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso
index b78f4db..753e3da 100644
--- a/archiso/initcpio/hooks/archiso
+++ b/archiso/initcpio/hooks/archiso
@@ -99,7 +99,7 @@ _mnt_dev() {
 _verify_checksum() {
 local _status
 cd "/run/archiso/bootmnt/${archisobasedir}/${arch}"
- md5sum -c airootfs.md5 > /tmp/checksum.log 2>&1
+ sha512sum -c airootfs.sha512 > /tmp/checksum.log 2>&1
 _status=$?
 cd "${OLDPWD}"
 return ${_status}
@@ -153,7 +153,7 @@ archiso_mount_handler() {
 fi

 if [[ "${checksum}" == "y" ]]; then
- if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.md5" ]]; then
+ if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sha512" ]]; then
 msg -n ":: Self-test requested, please wait..."
 if _verify_checksum; then
 msg "done. Checksum is OK, continue booting."
@@ -163,7 +163,7 @@ archiso_mount_handler() {
 launch_interactive_shell
 fi
 else
- echo "ERROR: checksum=y option specified but ${archisobasedir}/${arch}/airootfs.md5 not found"
+ echo "ERROR: checksum=y option specified but ${archisobasedir}/${arch}/airootfs.sha512 not found"
 launch_interactive_shell
 fi
 fi
diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http
index 54af7c5..a7c03a8 100644
--- a/archiso/initcpio/hooks/archiso_pxe_http
+++ b/archiso/initcpio/hooks/archiso_pxe_http
@@ -41,7 +41,7 @@ archiso_pxe_http_mount_handler () {
 _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs" "/${arch}"

 if [[ "${checksum}" == "y" ]]; then
- _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}"
+ _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sha512" "/${arch}"
 fi
 if [[ "${verify}" == "y" ]]; then
 _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}"
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 0aca521..9c3a835 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -249,7 +249,7 @@ _mkairootfs_sfs () {
 _mkchecksum () {
 _msg_info "Creating checksum file for self-test..."
 cd "${work_dir}/iso/${install_dir}/${arch}"
- md5sum airootfs.sfs > airootfs.md5
+ sha512sum airootfs.sfs > airootfs.sha512
 cd ${OLDPWD}
 _msg_info "Done!"
 }
Gerardo Exequiel Pozzi via arch-releng <arch-releng@archlinux.org> on Mon, 2017/10/16 15:50:
The only purpose of this is to act as a checksum, like an "enhanced CRC"; in any case, I will apply it. I know you know; this is just to clarify for anyone who reads this.
Adding another note... Whoever wants to be sure should use verification with gpg signature (boot option 'verify'). Though even that is not secure - it checks for a valid signature, but not for a trusted key. Nevertheless we should drop md5 - especially if it is an easy task. -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}