Bug 498570 - x86 Installation: ISO image checksum verification shows false negatives
Status: RESOLVED FIXED
Product: [OLD] Docs on www.gentoo.org
Component: Installation Handbook
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2014-01-19 14:32 UTC by Joe Breuer
Modified: 2014-01-23 19:39 UTC
Description Joe Breuer 2014-01-19 14:32:01 UTC
The current .DIGESTS file for the x86 minimal ISO image contains both SHA512 and WHIRLPOOL hashes.

The sha512sum utility out of sys-apps/coreutils-8.21 reacts to this as follows:

$ sha512sum -c install-x86-minimal-20131224.iso.DIGESTS
install-x86-minimal-20131224.iso: OK
install-x86-minimal-20131224.iso: FAILED
install-x86-minimal-20131224.iso.CONTENTS: OK
install-x86-minimal-20131224.iso.CONTENTS: FAILED
sha512sum: WARNING: 2 computed checksums did NOT match

$ echo $? # show exit code
1 # failed


With the appropriate background, it is fairly obvious - looking at the DIGESTS file - that the FAILED checksums are the Whirlpool ones:

===== DIGESTS file =====
# SHA512 HASH
609b2f933234f0a75ec6d518b84388e75e0c5af6f5bf9a018455ebbdc776ca45b6bd2b4c90f32551facd1a03c4282c1b84776e781daff0a72e7b0b83979d6f91  install-x86-minimal-20131224.iso
# WHIRLPOOL HASH
a9b53a4067d0b1bc8b14d30e7a9659999a668ee0203ddc71153773a4434318bea8e971f5778e37413d91bc36cd0da3740d7fb561ee5da0f8a6b049ef486503ea  install-x86-minimal-20131224.iso
# SHA512 HASH
47b9a79b8db81595575f37c0671f43b47a341114b443c864f675eec590fcf30972eb38124a0466b444f4fdc5f8a34a63cfe81198088989f059eaba9037eb7a32  install-x86-minimal-20131224.iso.CONTENTS
# WHIRLPOOL HASH
c27492e6e9919f9d4cafbbe5e5f83cc0bceaffd75120670c4fa5822a742fba2100ab6dd7e0c1555ee07e22ceb37eaa25b278fcf104b233e833b7070c5a647b5a  install-x86-minimal-20131224.iso.CONTENTS
========================


But an uninitiated user might not understand this and assume a failed checksum.


I suggest that either:

a) Preferably there are separate checksum files for different types of checksums, so that e.g. 'sha512sum -c install-x86-minimal-20131224.iso.DIGESTS.SHA512' would only verify the SHA512 checksums and give an unambiguously affirmative result.

b) If available, a checksum verification tool instead of sha512sum is suggested that is able to parse the hash type comments and verifies accordingly, yielding an unambiguous result.

c) The situation is described in the documentation. I do not see a really good way to describe this while keeping it simple - can/should we assume knowledge about typical record-style text file formats at this point...?
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-23 19:39:59 UTC
Indeed.

For now, I've added in a note that the tool will attempt to verify multiple checksums even when generated with different algorithms. It's not perfect, but it is the fastest and most correct solution I can provide for now.

Creating different files has more impact and will take much longer, /if/ it would be done at all.

With respect to the tool - some tools support prepending a hash with the used algorithm, like so:

{SHA512}7da2a4c04707ef64f0d3933...


However, the tools currently supported in the instructions do not allow this.
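
Added example, not part of the bug thread or of the Gentoo handbook: one way to get the unambiguous result asked for in suggestions (a) and (b) is to select only the records that follow a "# SHA512 HASH" comment and pass those to sha512sum. The function names are hypothetical, and the script assumes the record layout shown in the DIGESTS file above (a comment line naming the algorithm, then one checksum line).

```shell
#!/bin/sh
# Usage (after sourcing this file): verify_sha512 install-x86-minimal-20131224.iso.DIGESTS

# filter_digests ALGO FILE
# Print only the checksum lines whose preceding comment header is "# ALGO HASH".
filter_digests() {
    awk -v want="# $1 HASH" '
        /^#/ { keep = ($0 == want); next }  # a header selects or deselects what follows
        keep && NF { print }                # emit non-empty lines of the selected records
    ' "$2"
}

# verify_sha512 DIGESTS_FILE
# Check only the SHA512 records, relative to the directory holding the DIGESTS file.
# Returns 0 if every SHA512 entry matches, 2 if the file has no SHA512 entries
# (fail closed), and sha512sum's non-zero status on any mismatch.
verify_sha512() {
    digests=$1
    dir=$(dirname -- "$digests")
    lines=$(filter_digests SHA512 "$digests")
    if [ -z "$lines" ]; then
        echo "verify_sha512: no SHA512 entries in $digests" >&2
        return 2
    fi
    # WHIRLPOOL digests are also 128 hex characters, so sha512sum cannot tell
    # them apart by format; filtering first is what removes the FAILED lines.
    ( cd -- "$dir" && printf '%s\n' "$lines" | sha512sum -c - )
}
```

A zero exit status now means every SHA512 entry matched, and a non-zero status means a genuine mismatch or a DIGESTS file with no SHA512 entries at all.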