Page MenuHomeVyOS Platform

Installer checking MD5 checksums on the ISO image
Closed, ResolvedPublicFEATURE REQUEST


When you install an image, you can see this message:

Checking MD5 checksums of files on the ISO image...OK.

That message has been there since the earliest Vyatta Core versions I can remember. Since for security we have actual digital signatures, using MD5 isn't a security concern. Still, why are we even checking them?

There are quite a few questions:

  1. What puts MD5 sums on the ISO image? What are those checksums of?
  2. What checks then? Can we disable that check for signed images?
  3. For unsigned images, can we switch it to a hash sum algorithm that won't raise the eyebrows of the "superficially security-minded people"?


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

MD5 checksums are generated by Packer at build time (configured in vyos-build). We can switch to SHA256 or SHA512 (which Packer supports) although it seems redundant when the install script also fetches SHA256 sum file (guessed by the ISO URL) and compares against that. I'd say configuring Packer to use SHA256 and omitting SHA256 files from download directories altogether would be the cleanest solution.

Update: It turns out the md5sum.txt files are put there by Debian's Live Build. Checksums are added on lb binary_checksums step of the build, which defaults to MD5 if no variable is provided to tell it otherwise. As Daniil suggested, we can put a second checksum step with SHA256 variable to produce both checksums, then check for sha256sum.txt files on new images. This way, old update scripts can still find an md5sum.txt in images.

erkin changed the task status from Open to In progress.May 6 2021, 7:55 AM
erkin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.May 6 2021, 10:33 AM