To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

MD5 checksums to ensure delivered package integrity?

aaronpawlak W/ Alumni Posts: 1 Security Scout



I hope for some assistance .I have been given to understand that Portage may be configured to execute SHA-level package verification upon receipt as a matter of course. Is this true; or does this system rely exclusively upon MD5 checksums to ensure delivered package integrity?

Relatedly, how are received packages verified at the Gentoo side before redistribution to end-user installations?

Next, what vetting is required regarding individuals involved in the chain of custody for packages which are distributed ? .I checked many firewall configuration explainer videos but did not find any solution to my problem.Please help me out.


Any help will be appreciated.
Thank you.


  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master



    In case of Windows OS based F-Secure product releases, the .EXE or .MSI files are internally signed with a crypto certificate. This means a modified installer package (e.g. damaged download or unauthorized hack) simply will not run.


    In case of Linux OS based F-Secure product releases, the vendor provides a list of MD5 hash values for the .DEB and .RPM packages, which can be manually compared.

    For example "F-Secure Policy Manager Server version 13.10 build 84021 for Debian Package Manager(64-bit only)" is "ab52c43aa49b7d78ce9db18700ebaeec".


    Please see here for download packages and checksums:


    (On the other hand the use of MD5 hash algorithm is considered obsolete nowadays, because it can be counterfeited relatively easily. Most vendors have moved to SHA-1 or even SHA-256 and I think F-Secure should also follow suit.)


    Best Regards: Tamas Feher, Hungary.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    The MD5 is not a "proof of origin" but a quick checksum to see if the downloaded was done without errors. If an attacker would be able to replace the file he would also be able to modify the file containing the MD5.


    But even if he would try to replace the file with a rugue one, that has the same MD5 his effort to find a match would still be "tough", SHA256 would make it hard, but then the above is still true.


    So for the purpose the MD5 is fine - having both values available would at least stop this question to become a FAQ.

This discussion has been closed.