MD5 vs SHA512 in setup.ini (was: Why package cache is not used during setup download?)

[Warren Young <wyml at etr-usa dot com>]

On Oct 26, 2015, at 5:48 AM, Andrey Repin <anrdaemon@yandex.ru> wrote:
> 
> MD5 hash proven weak

Thatâs a bit strong.  Itâs better to say that MD5 has weak collision resistance properties, which in this context means it is possible to generate a Cygwin package with arbitrary contents that produces the same hash as the legitimate package, in a computationally useful time frame.

But, that is not the value MD5 is providing to setup.exe.  If you are downloading a package from bad-actor.com, you are also downloading setup.ini from there, so they can rewrite the hashes.  Only if you take the extra step to get your setup.ini from a different site can you cross-check the hashes.

Even then, all it proves is that the file you downloaded is the one the server claims to be providing.  It doesnât prove provenance, which is what people really seem to want, when they go hand-checking hashes.

One way to solve that would be for cygwin.com could run a special-purpose CA, and for the process that moves uploaded packages into the distribution directory to sign them using the CAâs private key.  Then setup.exe can cryptographically prove to itself that it is installing legitimate packages.
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple