[Slackbuilds-users] MD5 hash sums

thyr at airmail.cc thyr at airmail.cc
Wed Aug 22 14:55:54 UTC 2018


> Each SlackBuild archive is signed by the SBo devs, so any modifications 
> on the server (or in-between) would fail subsequent verification. In 
> that case it's the GPG signature that you trust to verify the .info 
> file contents (and all the rest of the SlackBuild stuff), not the MD5 
> sum or whatever else is inside it.

Sorry, the question I had in mind was about MD5 sums inside it. Seems 
kind of strange that SlackBuild archive is protected by GPG signature, 
but the actual source tarball is not signed and is protected by 
(obsolete) MD5 checksum. Aren't this situation an opportunity to MITM 
the source tarball itself, since some DOWNLOAD links are provided trough 
plain HTTP?

GnuPG FAQ quote (https://gnupg.org/faq/gnupg-faq.html#define_sha):

> SHA-224, 256, 384, or 512: This is a massively-overhauled SHA-1 which 
> generates larger hashes (224, 256, 384, or 512 bits). Right now, these 
> are the strongest hashes in GnuPG.

vs

> MD5 is a 128-bit cryptographic hash function invented by Ron Rivest 
> (the ‘R’ of ‘RSA’) in the early 1990s. For many years it was one of the 
> standard algorithms of the field, but is now completely obsolete. For 
> that reason, MD5 is not supported by GnuPG.

Wouldn't it be better to use, say, SHA512 instead?


More information about the SlackBuilds-users mailing list