[arch-general] Packages Verified with MD5

Jelle van der Waa jelle at vdwaa.nl
Sun Jan 12 04:21:26 EST 2014

On 01/11/14 at 11:09pm, Taylor Hornby wrote:
> I noticed that the TrueCrypt package is downloaded over an insecure FTP
> connection and then only verified using MD5 hashes.
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
> There are practical collision attacks against MD5. This means an
> adversary (e.g. the NSA) can construct two versions of the truecrypt
> binaries, one malicious and one not, which have the same MD5 hash. They
> can silently replace the file being downloaded with the malicious
> version and the change will not be detected.
> This should be fixed to use SHA256 hashes, like the Firefox package:
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox
> How can I help make it use SHA256 instead of MD5? I'm relatively new to
> arch, so I'm not familiar with what it takes to change something in the
> repos. Any advice would be appreciated.
> Are there other packages still being verified with MD5? Can we fix them
> too? I'll gladly donate my time if it's not something that can be automated.
> Thanks,
> -- 
> Taylor Hornby
> p.s. This might be better suited to arch-dev-public, but I think users
> should be informed of the vulnerability, so I decided on arch-general.

SHA256 hashes won't fix anything, since hashes are only integrity checks telling you the downloaded file isn't corrupt.

Signatures however are made to verify that the content isn't modified on
the server, which as you can see is used in the PKGBUILD. [1]

The maintainer also says in his PKGBUILD that the download method used
by truecrypt isn't compatible with makepkg [2]

[1] http://www.truecrypt.org/docs/digital-signatures
[2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt

Jelle van der Waa
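The distinction Jelle draws above is the one makepkg itself makes: the checksum array (md5sums/sha256sums) only proves the bytes on disk match what the packager saw, while a detached PGP signature listed in `source=` and checked against `validpgpkeys=` proves who produced them. The script below is an added example written for this thread, not code from the Arch packaging tools or from either poster; it assumes `sha256sum` and `gpg` from coreutils/GnuPG are installed, and the filenames, keyring path and the PKGBUILD fragment in the comments are hypothetical.

```bash
#!/bin/bash
# Two layers of source verification, in the order makepkg applies them.
#
# Hypothetical PKGBUILD fragment this script mirrors:
#   source=("$pkgname-$pkgver.tar.gz::https://example.invalid/src.tar.gz"
#           "https://example.invalid/src.tar.gz.sig")
#   sha256sums=('<hash of the tarball>'
#               'SKIP')                 # signature files are not checksummed
#   validpgpkeys=('<fingerprint of the upstream signing key>')

# Layer 1: integrity. Returns 0 only if the file's SHA-256 matches.
# Any file with the same bytes passes, no matter where it came from,
# which is why this alone says nothing about the author.
verify_sha256() {
  local file=$1 expected=$2 actual
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Layer 2: authenticity. Returns 0 only if the detached signature in
# $sigfile over $file was made by a key present in $keyring.
# $keyring would hold only the fingerprints listed in validpgpkeys=.
verify_signature() {
  local file=$1 sigfile=$2 keyring=$3
  gpg --batch --no-default-keyring --keyring "$keyring" \
      --verify "$sigfile" "$file" >/dev/null 2>&1
}

# Combined check: a 'SKIP' entry means "no checksum, rely on the signature",
# exactly like makepkg treats a .sig file in sha256sums=.
verify_source() {
  local file=$1 expected=$2 sigfile=$3 keyring=$4
  if [ "$expected" != "SKIP" ]; then
    verify_sha256 "$file" "$expected" || { echo "integrity check FAILED: $file" >&2; return 1; }
  fi
  if [ -n "$sigfile" ]; then
    verify_signature "$file" "$sigfile" "$keyring" || { echo "signature check FAILED: $file" >&2; return 1; }
  fi
  echo "verified: $file"
}

# Constructed demonstration of layer 1 only (needs no keys): an empty file
# has the well-known SHA-256 below, and a byte-identical copy passes too.
demo_integrity() {
  local a b rc
  a=$(mktemp) && b=$(mktemp)
  : > "$a"; cp "$a" "$b"
  verify_sha256 "$b" e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  rc=$?
  rm -f "$a" "$b"
  return $rc
}
```

To exercise layer 2 you would import the upstream fingerprint into a dedicated keyring (`gpg --no-default-keyring --keyring ./upstream.gpg --recv-keys <fingerprint>`) and call `verify_source src.tar.gz SKIP src.tar.gz.sig ./upstream.gpg`; a tarball swapped on the mirror then fails even when its checksum in the PKGBUILD has been swapped along with it, which is the gap a stronger hash alone cannot close.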