Changeset 6333296

07/22/2021 11:59:42 AM (23 months ago)
Xi Ruoyao <xry111@…>
11.0, 11.1, 11.2, 11.3, ken/inkscape-core-mods, lazarus, plabs/python-mods, qt5new, trunk, upgradedb, xry111/intltool, xry111/soup3, xry111/test-20220226

building notes: stop to use MD5 for genuity verification, ...

use SHA256 or GnuPG instead.

1 edited


  • introduction/important/building-notes.xml

    rf70acb8 r6333296  
    9292  <sect2>
    93     <title>Verifying File Integrity Using 'md5sum'</title>
    95     <para>Generally, to verify that the downloaded file is genuine and complete,
     93    <title>Verifying File Integrity</title>
     95    <para>Generally, to verify that the downloaded file is complete,
    9696    many package maintainers also distribute md5sums of the files. To verify the
    9797    md5sum of the downloaded files, download both the file and the
    112112<screen><userinput>md5sum <replaceable>&lt;name_of_downloaded_file&gt;</replaceable></userinput></screen>
     114    <para>MD5 is not cryptographically secure, so the md5sums are only
     115    provided for detecting random errors or truncations introduced during
     116    network transfer.  There is no <quote>100%</quote> secure way to make
     117    sure the genuity of the source files.  Assuming the upstream is managing
     118    their website correctly (the private key is not leaked and the domain is
     119    not hijacked), and the trust anchors have been set up correctly using
     120    <xref linkend="make-ca"/> on the BLFS system, we can reasonably trust
     121    download URLs to the upstream official website
     122    <emphasis role="bold">with https protocol</emphasis>.  Note that
     123    BLFS book itself is published on a website with https, so you should
     124    already have some confidence in https protocol or you wouldn't trust the
     125    book content.</para>
     127    <para>If the package is downloaded from an unofficial location (for
     128    example a local mirror), checksums generated by cryptographically secure
     129    digest algorithms (for example SHA256) can be used to verify the
     130    genuity of the package.  Download the checksum file from the upstream
     131    <emphasis role="bold">official</emphasis> website (or somewhere
     132    <emphasis role="bold">you can trust</emphasis>) and compare the
     133    checksum of the package from unoffical location with it.  For example,
     134    SHA256 checksum can be checked with the command:</para>
     136    <note>
     137      <para>If the checksum and the package are downloaded from the same
     138      untrusted location, you won't gain security enhancement by verifying
     139      the package with the checksum. The attacker can fake the checksum as
     140      well as compromising the package itself.</para>
     141    </note>
     143<screen><userinput>sha256sum -c <replaceable>file</replaceable>.sha256sum</userinput></screen>
     145    <para>If <xref linkend="gnupg2"/> is installed, you can also verify the
     146    genuity of the package with a GPG signature.  Import the upstream GPG
     147    public key with:</para>
     149<screen><userinput>gpg --recv-key <replaceable>keyID</replaceable></userinput></screen>
     151    <para><replaceable>keyID</replaceable> should be replaced with the key ID
     152    from somewhere <emphasis role="bold">you can trust</emphasis> (for
     153    example, copy it from the upstream official website using https).  Now
     154    you can verify the signature with:</para>
     156<screen><userinput>gpg --recv-key <replaceable>file</replaceable>.sig <replaceable>file</replaceable></userinput></screen>
     158    <para>The advantage of <application>GnuPG</application> signature is,
     159    once you imported a public key which can be trusted, you can download
     160    both the package and its signature from the same unofficial location and
     161    verify them with the public key.  So you won't need to connect to the
     162    official upstream website to retrieve a checksum for each new release.
     163    You only need to update the public key if it's expired or revoked.
     164    </para>
    114166  </sect2>
Note: See TracChangeset for help on using the changeset viewer.