Go-ethereum: change from MD5 to SHA256 for geth download checksums

Created on 16 Oct 2017 · 3 Comments · Source: ethereum/go-ethereum

change from MD5 to SHA256 for geth download checksums

All 3 comments

I'm suspecting that MD5 is used, rather than a "stronger" algorithm, because it's only being used as a way to check the integrity of the download (i.e. to check the file downloaded without any errors), rather than as a way to check its provenance. And for this, MD5 is probably as good as anything else.

If we wanted to go a step further, rather than just providing a checksum, we could provide GPG signatures in the form of .asc files, and do what the Tor project does. Perhaps overkill?

The checksums are the ones the Azure blobstore provides. They only support MD5, hence why we added it as a sanity check. If you want to make sure the file has not been tampered with, I'd advise verifying the attached signatures instead of relying on checksums.

Great, thanks
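
The two checks discussed in this thread, side by side, as an added example that is not part of the original thread or of go-ethereum's own tooling: the MD5 comparison as a transfer sanity check, and detached `.asc` signature verification with `gpg` as the tamper check. The function names and the pinned-fingerprint parameter are assumptions; the signer fingerprint must come from a trusted source other than the download server.

```python
import base64
import hashlib
import hmac
import re
import subprocess

def file_md5(path, chunk_size=1 << 20):
    """Stream the file so large release archives are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.digest()

def parse_md5(value):
    """Accept 32 hex chars or the base64 form used by a Content-MD5 header."""
    value = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return bytes.fromhex(value)
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 16:
        raise ValueError("not an MD5 digest")
    return raw

def md5_matches(path, expected):
    # Catches truncated or corrupted transfers only: whoever can replace the
    # file on the server can replace the published checksum as well.
    return hmac.compare_digest(file_md5(path), parse_md5(expected))

def validsig_primary_fingerprints(status_output):
    """Primary-key fingerprints from gpg's machine-readable VALIDSIG lines."""
    found = set()
    for line in status_output.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) > 2:
            found.add(fields[-1].upper())  # last field: primary key fingerprint
    return found

def signature_ok(path, sig_path, pinned_fingerprint):
    """Verify a detached .asc signature and require the pinned signer."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True)
    signers = validsig_primary_fingerprints(proc.stdout)
    # Exit code 0 alone only means "some key in the keyring signed this".
    return proc.returncode == 0 and pinned_fingerprint.upper() in signers
```

A download should be accepted only when `signature_ok` returns true; `md5_matches` failing simply means the file should be fetched again.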
