use something better than md5sum to verify image contents

Bug #1897930 reported by fossfreedom
This bug affects 1 person
Affects: casper (Ubuntu)
Status: Opinion
Importance: Low
Assigned to: Unassigned

Bug Description

Apologies if this is the wrong package to report against.

When booting an ISO the check to verify the ISO integrity is run.

Pressing escape from the plymouth screen I note that md5sum is reported to be used to verify the contents.

Suggest sha256 in the future especially as sha256 is now used when publishing the ISO.

ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: casper 1.452
ProcVersionSignature: Ubuntu 5.8.0-20.21-generic 5.8.10
Uname: Linux 5.8.0-20-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu48
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.452
CurrentDesktop: Budgie:GNOME
Date: Wed Sep 30 15:58:38 2020
LiveMediaBuild: Ubuntu-Budgie 20.10 "Groovy Gorilla" - Beta amd64 (20200930)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: casper
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.casper.conf: 2020-09-30T15:48:57.324000

fossfreedom (fossfreedom) wrote :
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1897930

tags: added: iso-testing
Changed in casper (Ubuntu):
importance: Undecided → Low
summary: - Using md5sum to verify each ISO package
+ use something better than md5sum to verify image contents
Dimitri John Ledkov (xnox) wrote :

This is not meant to be a cryptographic authenticity check.

It's meant to be a quick check against media corruption.

For authenticity checks we do publish sha256sum of the .iso, gpg sign the package pool, and gpg sign filesystem.squashfs for when booting over the network.

md5sum is the fastest CRC-like function. If there is anything faster we would use that. I.e. we might use blake3 instead. But not sha256; it's very slow.

Changed in casper (Ubuntu):
status: New → Opinion
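
The split described in the comment above, between a corruption check carried on the media and an authenticity check against a separately published digest, can be seen in the following added example. It is not casper's code: the manifest name `md5sum.txt`, its `<md5>  ./<path>` line layout, and the use of a directory tree as a stand-in for the .iso are assumptions made for illustration.

```python
import hashlib, os, tempfile

def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def files_under(root, skip=None):
    rels = [os.path.relpath(os.path.join(d, n), root) for d, _, ns in os.walk(root) for n in ns]
    return sorted(r for r in rels if r != skip)

def write_manifest(root, name="md5sum.txt"):
    # Build time: one "<md5>  ./<path>" line per file (assumed manifest layout).
    with open(os.path.join(root, name), "w") as f:
        for r in files_under(root, skip=name):
            f.write(f"{digest(os.path.join(root, r), 'md5')}  ./{r}\n")

def check_manifest(root, name="md5sum.txt"):
    # Boot time: return the listed paths that are missing or whose MD5 differs.
    with open(os.path.join(root, name)) as f:
        entries = [line.rstrip("\n").split("  ", 1) for line in f]
    return [rel for want, rel in entries if not os.path.isfile(os.path.join(root, rel))
            or digest(os.path.join(root, rel), "md5") != want]

def image_sha256(root):
    # Stand-in for `sha256sum image.iso`: covers every path and byte, manifest included.
    h = hashlib.sha256()
    for r in files_under(root):
        h.update(r.encode() + b"\0" + digest(os.path.join(root, r), "sha256").encode())
    return h.hexdigest()

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        target = os.path.join(root, "casper", "filesystem.squashfs")
        os.mkdir(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"constructed sample payload" * 1000)
        write_manifest(root)
        published = image_sha256(root)      # obtained out of band in real use
        clean = check_manifest(root)
        with open(target, "r+b") as f:      # media corruption: one byte changes
            f.seek(100)
            f.write(b"\xff")
        corrupted = check_manifest(root)
        write_manifest(root)                # content and manifest rewritten together
        rewritten = check_manifest(root)
        return clean, corrupted, rewritten, image_sha256(root) == published
```

`demo()` returns the manifest result for the clean tree, for the tree with one corrupted byte, and for the tree whose manifest was regenerated after the change, followed by whether the tree still matches the digest recorded before the change. Only the last comparison notices content that was rewritten together with its manifest, which is why the on-media check is treated as a corruption check only.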