Bug 777440

Summary: please provide secure checksums/hashes for DVD images and RPM headers.
Product: [openSUSE] openSUSE 12.2 Reporter: Elmar Stellnberger <estellnb>
Component: Basesystem Assignee: E-mail List <bnc-team-screening>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: meissner
Version: RC 2   
Target Milestone: ---   
Hardware: All   
OS: openSUSE 12.2   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Elmar Stellnberger 2012-08-27 09:01:49 UTC
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0.1

The DVD ISOs still lack secure checksums (SHA-256/512):
MD5 has been broken since 2004, and even against SHA, alleged attacks are possible (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html). My wish would be to use the strongest available algorithm: SHA-512. You can keep the MD5s to verify against download errors and additionally provide SHA-512s for security checking against birthday attacks.
It would also be very kind to have secure checksums for the files in the RPM header.

Reproducible: Always
Comment 1 Marcus Meissner 2012-08-27 15:52:13 UTC
Where do you see the incorrect checksums?

FWIW, RPM headers are already signed using SHA256 in the gpg mode.

rpm -v -v --checksig /mounts/dist/install/SLP/openSUSE-12.2-LATEST/x86_64/DVD1/suse/x86_64/wine-1.5.6-1.1.x86_64.rpm
/mounts/dist/install/SLP/openSUSE-12.2-LATEST/x86_64/DVD1/suse/x86_64/wine-1.5.6-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
    Header SHA1 digest: OK (5d7616b72382b83ba06c88088e8660c54e70d865)
    V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
    MD5 digest: OK (a2773e543e56a882463d955b161f74e1)
Comment 2 Marcus Meissner 2012-08-27 15:53:22 UTC
DVD /content
META SHA256 1742e977c36d5a90d1b0ddbe0a2cc65600c87cd9c8f3e963ffc17e583548c1ff  app-icons.tar.gz
META SHA256 fb60763e316ebf2c6c9de80ba30e5e75f23b994e0afa50775eb41e089576c254  appdata.xml.gz
META SHA256 6920e207052a74c37af135fb6b7c00228233a930a4905baaad614fb7e9e0ac2d  dvd-12.2-4.1.x86_64.pat.gz
META SHA256 5e10f2a92076e5176ef7ee6757b1788890e815c29dbc0b170da8c7a2f404d7d9  packages.DU.gz
META SHA256 6df92427c629dd6822c0b360305d738db8dc8bac19396c60f7001c3513d5480a  packages.FL.gz
META SHA256 58c959320f1f208146d87b6e1fad9714dac40f6e6fac2162b0ce6ba529fab13e  packages.cs.gz
META SHA256 3b99b0d62006ae234982eb51d25809f21b21ba5fa0f371a66473d7aafe42b691  packages.de.gz
...
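The `content` file quoted above lists one `META SHA256 <digest>  <filename>` line per metadata file on the DVD. The script below is an added example (not part of the bug report or of openSUSE's tooling) that parses such a file and recomputes each listed digest with `sha256sum` from GNU coreutils (assumed to be installed). It constructs its own sample files and a matching `content` file, then tampers with one file to show the mismatch being reported.

```shell
#!/bin/sh
# Added example: verify files against the "META SHA256 <digest>  <name>"
# lines of an openSUSE-style DVD "content" file.
# Assumes sha256sum (GNU coreutils) is available.

# verify_content_file CONTENT_FILE DIR
# Prints one OK/FAILED/MISSING line per META SHA256 entry and returns
# 0 only if every listed file exists and its digest matches.
# Lines that are not "META SHA256 ..." are ignored.
verify_content_file() {
    content="$1"
    dir="$2"
    failed=0
    while read -r tag algo digest name; do
        [ "$tag" = "META" ] && [ "$algo" = "SHA256" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            failed=1
            continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (expected $digest, got $actual)"
            failed=1
        fi
    done < "$content"
    return $failed
}

# make_demo DIR
# Creates two constructed sample files plus a content file whose
# META SHA256 lines were computed from them (constructed test data,
# not real openSUSE metadata).
make_demo() {
    dir="$1"
    mkdir -p "$dir"
    printf 'sample icon archive\n' > "$dir/app-icons.tar.gz"
    printf '<appdata/>\n' > "$dir/appdata.xml.gz"
    {
        printf 'CONTENTSTYLE 11\n'
        for f in app-icons.tar.gz appdata.xml.gz; do
            printf 'META SHA256 %s  %s\n' \
                "$(sha256sum "$dir/$f" | cut -d' ' -f1)" "$f"
        done
    } > "$dir/content"
}

# Demonstration when run directly: first pass verifies clean files,
# second pass detects a modified appdata.xml.gz.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
verify_content_file "$demo_dir/content" "$demo_dir"
printf 'tampered\n' >> "$demo_dir/appdata.xml.gz"
verify_content_file "$demo_dir/content" "$demo_dir" || echo "tampering detected"
rm -rf "$demo_dir"
```

Checking the `content` file this way only proves that the metadata files match what `content` claims; the `content` file itself is only trustworthy if its signature (or the digest of the whole ISO from a signed sidecar file) has been verified first, otherwise an attacker who can replace a file can replace the digest alongside it.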
Comment 3 Elmar Stellnberger 2012-09-06 17:54:47 UTC
Resolved for the release. isoxx.sha256 files are here (sorry for not looking at the RPM headers first).