This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

MD5 vs SHA512 in setup.ini (was: Why package cache is not used during setup download?)

On Oct 26, 2015, at 5:48 AM, Andrey Repin <> wrote:
> MD5 hash proven weak

Thatâs a bit strong.  Itâs better to say that MD5 has weak collision resistance properties, which in this context means it is possible to generate a Cygwin package with arbitrary contents that produces the same hash as the legitimate package, in a computationally useful time frame.

But, that is not the value MD5 is providing to setup.exe.  If you are downloading a package from, you are also downloading setup.ini from there, so they can rewrite the hashes.  Only if you take the extra step to get your setup.ini from a different site can you cross-check the hashes.

Even then, all it proves is that the file you downloaded is the one the server claims to be providing.  It doesnât prove provenance, which is what people really seem to want, when they go hand-checking hashes.

One way to solve that would be for could run a special-purpose CA, and for the process that moves uploaded packages into the distribution directory to sign them using the CAâs private key.  Then setup.exe can cryptographically prove to itself that it is installing legitimate packages.
Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]