X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id :references:to; q=dns; s=default; b=K43Csj7NQyYPZpVlj9OjrIxF9S3V qLwRpDJ43Vy6o6OplQB+CvdYbzC/hPkVFkiothxOP5en4HEGbCgRFz2VlWqFNzjF vbBIyBPWLTH/PamZHs9HHCFCaH370jioCBrDP7WG7jUMHfIO9DMwusUhZ5s4CVAs BRPILvpu4NhnCk4= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id :references:to; s=default; bh=CvlZCvf/io10qoM361/lwz8QUTI=; b=WL 9SrMh5bgxH8NF09akE2KN4Z1pjlzaAhdjpKYW7MWLsmUqOCFji7DNy5xjrXeWKry zOAERglrK7H50ZDCk39mMVhymemuLJ652YqUMQsGcA4VKBAHVPW8k4MLRvzNpQ4r gOyl4iz06Ul6ZqGte+9Ng+wAWDP1AkporDEZ4MGZg= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.2 required=5.0 tests=AWL,BAYES_50,KAM_LAZY_DOMAIN_SECURITY,RP_MATCHES_RCVD autolearn=no version=3.3.2 X-HELO: etr-usa.com Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: MD5 vs SHA512 in setup.ini (was: Why package cache is not used during setup download?) From: Warren Young In-Reply-To: <190443388.20151026144831@yandex.ru> Date: Mon, 26 Oct 2015 12:08:55 -0600 Message-Id: <140F1DEE-6492-4F29-9185-9DC4D546B50F@etr-usa.com> References: <133366775 DOT 20151025170018 AT yandex DOT ru> <190443388 DOT 20151026144831 AT yandex DOT ru> To: cygwin AT cygwin DOT com X-IsSubscribed: yes Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id t9QI9CNP024960 On Oct 26, 2015, at 5:48 AM, Andrey Repin wrote: > > MD5 hash proven weak That’s a bit strong. It’s better to say that MD5 has weak collision resistance properties, which in this context means it is possible to generate a Cygwin package with arbitrary contents that produces the same hash as the legitimate package, in a computationally useful time frame. But, that is not the value MD5 is providing to setup.exe. If you are downloading a package from bad-actor.com, you are also downloading setup.ini from there, so they can rewrite the hashes. Only if you take the extra step to get your setup.ini from a different site can you cross-check the hashes. Even then, all it proves is that the file you downloaded is the one the server claims to be providing. It doesn’t prove provenance, which is what people really seem to want, when they go hand-checking hashes. One way to solve that would be for cygwin.com could run a special-purpose CA, and for the process that moves uploaded packages into the distribution directory to sign them using the CA’s private key. Then setup.exe can cryptographically prove to itself that it is installing legitimate packages. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple