
#1 2022-03-03 11:35:10

dead101
Member
Registered: 2021-12-07
Posts: 21

Why does Arch use md5 and sha1 algorithms as checksum?

As the Arch Linux download page shows, it uses md5 and sha1 checksums. Yet, researchers have found collisions in the md5 and sha1 algorithms. So my question is: why does Arch Linux still use md5 and sha1 even though there are collisions, and why not sha256?

Last edited by dead101 (2022-03-03 11:35:57)


#2 2022-03-03 11:39:04

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,028

Re: Why does Arch use md5 and sha1 algorithms as checksum?

Because you should use the PGP signature to check validity, the checksums are only used to check integrity.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#3 2022-03-03 11:42:05

dead101
Member
Registered: 2021-12-07
Posts: 21

Re: Why does Arch use md5 and sha1 algorithms as checksum?

WorMzy wrote:

Because you should use the PGP signature to check validity, the checksums are only used to check integrity.

Can you please elaborate?


#4 2022-03-03 11:47:23

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,028

Re: Why does Arch use md5 and sha1 algorithms as checksum?

If a malicious actor did manage to replace the iso file with a file that had the same md5 and/or sha1 fingerprint, the file would not pass the PGP signature check.

https://wiki.archlinux.org/title/Instal … _signature



#5 2022-03-03 12:47:51

dead101
Member
Registered: 2021-12-07
Posts: 21

Re: Why does Arch use md5 and sha1 algorithms as checksum?

WorMzy wrote:

the file would not pass the PGP signature check.

Wait, what's it with PGP? Doesn't this command check checksums?

gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig


#6 2022-03-03 14:00:45

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,426

Re: Why does Arch use md5 and sha1 algorithms as checksum?

No, it checks the PGP signature that WorMzy mentioned.

Last edited by schard (2022-03-03 14:00:54)


Unofficial first vice president of the Rust Evangelism Strike Force

#7 2022-03-03 14:35:15

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,446

Re: Why does Arch use md5 and sha1 algorithms as checksum?

Or the https://wiki.archlinux.org/title/Instal … _signature
md5/sha1 mismatches tell you that the download was crippled, and on some inferior OS, which usually doesn't have any pgp/gpg installation but has the md5 in the file's context menu, it's still much MUCH better than nothing.

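The two checks discussed in this thread, as an added shell example that is not part of any post above and is not Arch's own tooling: the checksum stage only catches a damaged download, while the `gpg --verify` stage is the one that ties the file to the signer. The function names, the return codes and passing the ISO as an explicit second argument to `gpg --verify` are assumptions of this example.

```sh
#!/bin/sh
# Added example (hypothetical helper names): two-stage check of a downloaded ISO.
# Stage 1, checksum: did the bytes arrive intact?
# Stage 2, PGP signature: were these bytes signed by a key you trust?

# digest_of ALGO FILE -> prints the hex digest; ALGO is md5 or sha1.
# Reading from stdin keeps odd file names out of the tool's output.
digest_of() {
    "${1}sum" < "$2" | cut -d' ' -f1
}

# lower HEX -> prints HEX in lower case, so published digests in either case compare equal.
lower() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# check_integrity FILE MD5 SHA1 -> 0 if both published digests match, 1 otherwise.
check_integrity() {
    [ "$(digest_of md5 "$1")" = "$(lower "$2")" ] || return 1
    [ "$(digest_of sha1 "$1")" = "$(lower "$3")" ] || return 1
}

# check_signature FILE SIG -> exit status of gpg on the detached signature.
# Options are the ones quoted in the thread; the data file is named explicitly.
check_signature() {
    gpg --keyserver-options auto-key-retrieve --verify "$2" "$1"
}

# verify_iso FILE SIG MD5 SHA1
# returns 0 = intact and signed, 1 = damaged download, 2 = signature check failed.
verify_iso() {
    check_integrity "$1" "$3" "$4" || { echo "checksum mismatch: re-download" >&2; return 1; }
    check_signature "$1" "$2" || { echo "PGP signature check failed" >&2; return 2; }
    echo "checksums match and signature verified"
}

# When called with four arguments, run the full check.
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

A return code of 0 still depends on checking that the key gpg reports is the release signing key you expect, since `auto-key-retrieve` fetches whatever key the signature names.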
