No MD5SUM for Fedora 17 DVD

lsatenstein · #1 1st June 2012, 12:48 AM

All my previous versions of Fedora 17 had a panel which asked me if I wanted to do a md5sum verification of the DVD contents or if I wanted to skip this step.

I downloaded the Fedora 1|7 DVD, the Boot says Fedora 17, but there is no initial step to verify the DVD contents via the MD5sum procedure.

Is this testing of the md5sum not included, an oversite, or did I download the wrong Fedora 17 version.

stevea · #2 1st June 2012, 01:21 AM

md5 is no longer considered sufficiently secure. All the recent downloads come with a sha256 hash as well as a gpg signature.

Quote:

US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."

There is a DVD verification step AFTER you are into the install screens.

stoat · #3 1st June 2012, 04:12 AM

Okay. It's true that MD5 hashes have long been considered unsuitable for cryptography related to security such as encrypting passwords and such. And it's true that Fedora has been shipping SHA-256 hashes (found in the appropriate CHECKSUM file) to verify downloaded ISO files with sha256sum since Fedora 11. lsatenstein should do that, or run the Media Check in Anaconda as recommended above. However, it's also true (or used to be) that Fedora uses MD5 hashes for the Media Check feature of Anaconda.

There is a tiny rpm package named isomd5sum, and a version of it shipped with Fedora 17. That package provides a utility named checkisomd5. It is that utility that Anaconda uses in the Media Check to verify the integrity of the data on a Fedora DVD by generating an MD5 hash for the DVD and comparing it to an MD5 hash embedded in the DVD. Or, at least it used to do this. I haven't used Fedora since version 14, and I'm not going to download the Fedora 17 DVD ISO and burn it to disk just to confirm it still does this. But if anybody else is interested in testing this for Fedora 17, checkisomd5 will (or used to) run the Anaconda Media Check in a terminal as I showed here two years ago...

http://forums.fedoraforum.org/showth...88#post1381788

Nowdays, I use Linux From Scratch exclusively as my Linux "distro", and every single package downloaded in LFS is verified using MD5 hashes. But those hashes are used only to verify the integrity of the transmitted data, not its authenticity. For that, I verify GPG signatures (when they are provided). I find that GPG signatures are provided with only about half of the 500 or so tarballs that I download for a BLFS system.

So MD5 may not be considered secure any more, but there still is a use for MD5 hashes. Even in Fedora 17 (probably). Maybe some curious person will test that.

nonamedotc · #4 1st June 2012, 05:45 AM

Yup! md5sum check works fine with Fedora 17.

Code:

su -
[root password]

yum install isomd5sum
[....]


checkisomd5 /dev/sr0 
Press [Esc] to abort check.

The media check is complete, the result is: PASS.

It is OK to use this media.

lsatenstein · #5 2nd June 2012, 07:02 PM

A md5sum or sha256sum are two algorithms for creating a checksum. The switch to the latter was made because there was an infinitesmal possiblity of a true given for a false sum.

I have always used the media check from anaconda and yes, it was very useful, and I would say essential to have built-in. It helped me twich detect faulty dvd material and one time, a faulty dvd reader.

Is it worth raising a request to have it re-instated. I say yes.