Improving availability and guaranteeing integrity in ISO - internal sha1sums

David Timms dtimms at iinet.net.au
Mon Jun 11 13:12:13 UTC 2007


Olivier Galibert wrote:
> On Sun, Jun 10, 2007 at 02:31:51PM +1000, David Timms wrote:
>> I am not sure how you do that - how can you include inside a piece of 
>> data a checksum that uses the data {including itself} to calculate the 
>> checksum ?
> 
> Standard method is "zero the checksum area, compute the checksum,
> write it".  At verification time, copy the checksum area in memory,
> zero it and compute the checksum.
Ok, makes sense now how it actually works. An error in the
checksum implanted or the data will be detected, but not the case where 
an attacker modifies a file, and re-embeds the matching checksum. That's
why the necessity of the external sha1sum and signing.

I've read in f-l and seen myself "tested good" cd/dvds {media 
check} that fail during installation when trying to read a particular 
rpm. Once sha1sums are on the iso, helping the user get to the definite 
problem {and making them believe it} would be as simple as getting them 
to run sha1sum -c failing....rpm or a nicer checksumming app.

I also see the other side where media fails the test, but works without 
error for what the user is installing.

The cost of inserting this info would be pretty minimal - just an extra 
step in the iso spin process. As Till suggests elsewhere in this thread:
find -type f -print0 | xargs -0 sha1sum >../SHA1SUM
...
154cbac962cf0e04ffd3163b6526fa8190df1299  ./stylesheet-images/titlepage.png
235e0b26cdc5a41c6d9b58ee57dd665c42611d79  ./stylesheet-images/warning.png

real    1m10.209s
user    0m24.258s
sys     0m6.452s

size:
-rw-r--r-- 1 root root 145080 Jun 11 21:44 SHA1SUM.txt

The resultant SHA1SUM file is acceptable to "sha1sum -c ../SHA1SUM"
{My iso is mounted, not the actual source files, so I can't write to the 
correct location - hence the ../}.

Since it would probably be more useful for a media contents test script 
to work from multiple places:
- a running Fedora system
- rescue iso
- dvd iso - linux rescue
- {from another OS - could include dos/win 
ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe}
Perhaps it is best to be as simple as possible, rather than python as I 
first suggested -> bash script: attached. Since scrollback through 1800 
files might not be possible, it directs the output to the user's home 
directory, and uses the return value to state either ~good or ~bad with 
these files bad or missing.

This could become standard practice on any iso fedora produces {ie 
including rescue and live}.

DaveT.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: verify_media_accessibility.sh
Type: application/x-shellscript
Size: 613 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20070611/235d0931/attachment.bin>
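
The "zero the checksum area, compute the checksum, write it" scheme quoted above, and the limitation noted in the reply, as an added example that is not part of the original message or the scrubbed attachment. The 16-byte slot offset, the constructed sample image and all function names are assumptions made for the illustration.

```python
import hashlib

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes
SLOT_OFFSET = 16  # assumed position of the checksum area inside the image


def _digest_with_zeroed_slot(image: bytes) -> bytes:
    """SHA-1 of the image with the checksum area replaced by zeros."""
    zeroed = bytearray(image)
    zeroed[SLOT_OFFSET:SLOT_OFFSET + DIGEST_LEN] = bytes(DIGEST_LEN)
    return hashlib.sha1(zeroed).digest()


def embed(image: bytes) -> bytes:
    """Zero the checksum area, compute the checksum, write it."""
    out = bytearray(image)
    out[SLOT_OFFSET:SLOT_OFFSET + DIGEST_LEN] = _digest_with_zeroed_slot(image)
    return bytes(out)


def verify_embedded(image: bytes) -> bool:
    """Copy the checksum area, zero it, recompute and compare."""
    stored = image[SLOT_OFFSET:SLOT_OFFSET + DIGEST_LEN]
    return stored == _digest_with_zeroed_slot(image)


def verify_external(image: bytes, trusted_hex: str) -> bool:
    """Compare against a digest obtained out of band (e.g. a signed SHA1SUM)."""
    return hashlib.sha1(image).hexdigest() == trusted_hex


# Constructed sample "image": 16-byte header, 20-byte checksum slot, payload.
ORIGINAL = embed(b"ISO-HEADER-0001:" + bytes(DIGEST_LEN) + b"payload " * 64)
TRUSTED = hashlib.sha1(ORIGINAL).hexdigest()  # published separately and signed

# Media read error: one bit flipped in the payload.
_damaged = bytearray(ORIGINAL)
_damaged[100] ^= 0x01
DAMAGED = bytes(_damaged)

# Deliberate change followed by re-embedding a matching checksum.
REEMBEDDED = embed(ORIGINAL.replace(b"payload ", b"PAYLOAD ", 1))

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("damaged", DAMAGED),
                      ("re-embedded", REEMBEDDED)):
        print(f"{name:12} embedded={verify_embedded(img)} "
              f"external={verify_external(img, TRUSTED)}")
```

The re-embedded image passes the internal check and fails only against the externally held digest, which is the case the external sha1sum and signature exist to cover.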

