386475 – handbook should direct users to validate SHA512/WHIRLPOOL checksums, not MD5.

Bug 386475 - handbook should direct users to validate SHA512/WHIRLPOOL checksums, not MD5.

Summary: handbook should direct users to validate SHA512/WHIRLPOOL checksums, not MD5.

Status:	RESOLVED FIXED

Alias:	None

Product:	[OLD] Docs on www.gentoo.org
Classification:	Unclassified
Component:	Installation Handbook (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Sven Vermeulen (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-10-08 23:57 UTC by Robin Johnson
Modified:	2012-10-06 19:49 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robin Johnson archtester

2011-10-08 23:57:58 UTC

All of the docs about stages document only MD5 checksums:
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5

Please update the documentation to tell users to check SHA512/WHIRLPOOL instead.

Comment 1 nm (RETIRED) gentoo-dev

2011-10-09 00:38:49 UTC

And what's the command to do that?

Comment 2 Robin Johnson archtester

2011-10-09 05:14:29 UTC

SHA512:
sha512sum
openssl dgst -r -sha512

WHIRLPOOL:
openssl dgst -r -whirlpool 

Compare output with the .DIGESTS

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-09 09:26:55 UTC

Hrmpf, can't find the package list for our installation media. Can we put that somewhere on the releng page?

In any case, do our installation media contain openssl?

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-09 09:53:22 UTC

Err, I just downloaded the install-amd64-minimal-20111006.iso.DIGESTS file and it only contains MD5 and SHA1 hashes. Same for stage3-amd64-20111006.tar.bz2.DIGESTS

Also, the hardened stages haven't been updated in a long while, so the moment the DIGESTS files differ, then we have an incompatibility for hardened installations.

Comment 5 Robin Johnson archtester

2011-10-09 19:27:47 UTC

It's been changed in the catalyst sources, so stages with the new hashes are going to start showing up with it in the next few weeks. The configuration is explicitly set to include MD5+SHA1 in addition to the newer hashes until such time as the handbook has been updated to tell users to check whichever one is actually in there.

Comment 6 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-10 18:56:05 UTC

Thanks; I'll keep an eye out on the autobuilds and the moment I get one with the other hashes, I'll see to it that the documents are updated asap.

Comment 7 Sven Vermeulen (RETIRED) gentoo-dev

2011-12-26 15:07:03 UTC

I'm still only seeing the MD5 and SHA1 hashes in the .DIGESTS file. Any ETA when the new hashes will occur?

Comment 8 Ben Kohler gentoo-dev

2012-10-06 17:54:20 UTC

This has been changed some time between 20120710 and 20120911 x86 stage3 tarballs.  Current stage3 tarballs (on amd64 and x86 at least) have only SHA512 & WHIRLPOOL, time to update docs I think:

# cat stage3-i686-20120911.tar.bz2.DIGESTS

# SHA512 HASH
59593f5cfb5414dd176c13ac848e8e71d839c2425ea4e580a532fdba078fe4071d63e32cfbf847ab0c5b317283519c218f2c54842ea0ab8f3345b099b083aaed  stage3-i686-20120911.tar.bz2
# WHIRLPOOL HASH
799d6125c49d1b1017403cb066c252a7503e1374bf5757a2e9c1ae30f06b356f3a4ac6c8322e4e0fe4a8665cfa3aea4a5def7715ab6bfd13bb3a2cc8b67e7ba8  stage3-i686-20120911.tar.bz2
# SHA512 HASH
a4cfddfeaa38f86576b3b7fd68c05cf0e32cdb5e4137c38f3affda0faca8b08447b650d0f5b3e1874fe4073bf1d089ddb8b446cbc679e01c884e6921260c7bc1  stage3-i686-20120911.tar.bz2.CONTENTS
# WHIRLPOOL HASH
93f419f1eb48c172c0c8e9996eb432ce3b7e7fd827c36c11b44607712b51a75d22dcda5f215ce9b7afe2193e75d02c09b3884b6e90077e5d0dd36688c6ccfc69  stage3-i686-20120911.tar.bz2.CONTENTS

Comment 9 Sven Vermeulen (RETIRED) gentoo-dev

2012-10-06 19:49:44 UTC

Finally ;-)

Documentation is updated for all arch's except MIPS, which still seems to use MD5SUM and SHA1.