Bug 360184

Summary: k3b should offer option to select either md5 sum or sha256 when loading dvd iso
Product: [Applications] k3b Reporter: cat22 <erbenton>
Component: Data Project Assignee: k3b developers <k3b>
Status: REPORTED ---    
Severity: wishlist CC: aacid, guyvf, michalm, phdsrq, scdbackup, simonandric5, trueg, zhaixiang
Priority: NOR    
Version: 2.0.80   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description cat22 2016-03-07 00:51:50 UTC
Currently when you load an iso image into k3b it calculates the md5sum by default and shows it in a dialog. This should be a settings option to allow users to decide if they want to calculate the md5sum or a sha256 sum when loading an iso

Reproducible: Always

Steps to Reproduce:
1. open k3b and select an iso to load for burning
2. k3b displays some info including the md5sum
3.

Actual Results:  
only an md5sum is shown

Expected Results:  
There should be a user configurable option in the k3b settings to determine what kind of checksum k3b should perform when loading an iso image for burning
Comment 1 Phil 2016-09-09 17:04:45 UTC
Dear KDE "K3b" developers and maintainers,

+1 for the request for the modification and or update to the "checksum" aspect of burning and or verifying ".iso" images to include a more current "sha256" checksum value, and maybe an option (auto or not) for comparing that to an existing "sha256sum.txt" file that is in the same folder (directory). 

"K3b" is the most loved CD/DVD/Blu-Ray application for Linux Mint users, including me. If there are updates and or upgrades to this wonderful application, how can Linux Mint users install it on 32-bit and 64-bit systems on Linux Mint versions 17.x based on Ubuntu 14.04 or Linux Mint version 18 based on Ubuntu 16.04? Are there any easy to install and use Linux ".deb" files, or a PPA perhaps, that we can use to install these upgrades? Or, do we have to compile it, and if so, could you please detail those instructions?

Thank you, 
Phil D. 
KDE Bug forum User: phdsrq@gmail.com 
Linux Mint forum user: phd21 
phd21mint@gmail.com
Comment 2 Leslie Zhai 2016-09-13 01:27:52 UTC
Hi,

As 'Implementating NEW features' described http://www.leetcode.cn/2016/08/k3b.html I need to fix high priority bugs, but I will pay some attention to the implementation of NEW feature ;-)

Regards,
Leslie Zhai
Comment 3 Thomas Schmitt 2016-09-13 06:42:15 UTC
Hi,

K3B already uses class QCryptographicHash. (In the Debian version it is
deprecated class KMD5.)
See libk3b/tools/k3bmd5job.cpp, line 44.

The newly used class offers a long list of hash algorithms:
  http://doc.qt.io/qt-5/qcryptographichash.html

If i get it right, then currently MD5 is hardcoded in line 35 of
k3bmd5job.cpp:

                 : md5(QCryptographicHash::Md5),

This hardcoded default needs to be replaced by a user choice among the 
offered algorithms. E.g.  QCryptographicHash::Sha512 .

Now that's where i reach the end of my expertise as C programmer and
command line burner. The remaining work is about C++ tech and testing
whether it works with other algorithms and does not display confusing
messages about MD5 when SHA512 is selected.

Have a nice day :)

Thomas
Comment 4 Phil 2016-09-13 21:17:05 UTC
Dear KDE "K3b" developers and maintainers, Leslie Zhai, Sebastian Trueg,  Thomas Schmitt,

1. To all of you, Thank you for working on this great K3b application, and making it even better.

2. It looks like you are using "QT" development for some if not all of this? I do not yet know enough about "QT" to help with that. Although, the link from Thomas regarding the use of "QCryptographicHash::Sha256" (and its variations) looks pretty good to me.

I don't know if this will help or not, but when I use Linux Mint for evaluating checksum values, I can use the commands below. As far as I know, all Linux distros (and maybe MS Windows too) have the command "sha256sum" already installed.

To get the checksum value:
Example:
sha256sum -b linuxmint-18-kde-32bit.iso
Results in:
ff8bacc631e7955fc6b0f86c9014ce27aa455e3ee0913de0b2bc6c366b63c693 *linuxmint-18-kde-32bit.iso

To verify a checksum of a file with its downloaded checksum file (sha256sum.txt) in the same folder, I can use either of these console terminal commands:
Example:
sha256sum --check  sha256sum.txt
or 
sha256sum --check --ignore-missing sha256sum.txt

Results in:
linuxmint-18-cinnamon-32bit.iso: OK
linuxmint-18-kde-32bit.iso: OK
linuxmint-18-mate-32bit.iso: OK
linuxmint-18-xfce-32bit.iso: OK

3.) I tried to compile "K3b" from the link below using the "install.txt" instructions, and could not successfully compile it on my Linux Mint KDE 32-bit system.  Unfortunately, I only have an ancient 32-bit computer (11+ years old Pentium 4 computer (single core)) which cannot install any version of QT higher than "Qt v5.5" and 32-bit.  So, I still need alternate compiling instructions (easy detailed ones please), or I would prefer easy to install ".deb" files, or a PPA.

https://github.com/KDE/k3b

Best regards to all of you and yours,
Phil
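
The two requests from comments 3 and 4 (a selectable hash algorithm instead of hardcoded MD5, and comparison against a sha256sum.txt beside the image), as an added Python example that is not part of this bug thread or of K3b's code. The names ALGORITHMS, file_digest, parse_checksum_file and verify_image are hypothetical, and the sample image in demo() is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical set of user-selectable algorithms: MD5 stays, SHA-2 is added.
ALGORITHMS = ("md5", "sha256", "sha512")

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_file(path):
    """Parse 'HEX  name' (text) and 'HEX *name' (binary) lines as sha256sum writes them."""
    entries = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.partition(" ")
        # After the first space comes a one-character mode flag: ' ' or '*'.
        if not sep or len(name) < 2 or name[0] not in " *":
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name[1:]] = digest.lower()
    return entries

def verify_image(image_path, checksum_path, algorithm="sha256"):
    """Return 'OK', 'FAILED', or 'MISSING' when the file lists no such image."""
    expected = parse_checksum_file(checksum_path).get(Path(image_path).name)
    if expected is None:
        return "MISSING"
    return "OK" if file_digest(image_path, algorithm) == expected else "FAILED"

def demo():
    """Constructed sample: a tiny stand-in image with a sha256sum.txt beside it."""
    with tempfile.TemporaryDirectory() as d:
        iso, sums = Path(d, "sample.iso"), Path(d, "sha256sum.txt")
        iso.write_bytes(b"constructed sample image data\n")
        sums.write_text(f"{file_digest(iso)} *sample.iso\n", encoding="utf-8")
        intact = verify_image(iso, sums)
        iso.write_bytes(b"constructed sample image dat\n")  # simulate corruption
        return intact, verify_image(iso, sums), verify_image(Path(d, "absent.iso"), sums)

if __name__ == "__main__":
    print(demo())
```

The 'MISSING' result corresponds to what --ignore-missing skips: the checksum file has no entry for the image, so nothing was verified.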
Comment 5 Leslie Zhai 2016-09-18 01:46:21 UTC
> cannot install any version of QT higher than "Qt v5.5" and 32-bit

*WHY*? Qt is supported on a variety of 32-bit and 64-bit platforms http://doc.qt.io/qt-5/supported-platforms.html
Comment 6 guyvf 2018-04-26 21:12:28 UTC
please replace automatic calculation of md5 sums with sha256, as the former is broken: https://en.wikipedia.org/wiki/Hash_function_security_summary
Comment 7 Thomas Schmitt 2018-04-27 07:11:43 UTC
Hi,

guyvf wrote:
> https://en.wikipedia.org/wiki/Hash_function_security_summary

This is about intentional manipulations of checksums, not about their
suitability for detecting incidental transport or storage errors.

So the main purposes of hashes with ISO images or their content is not
in danger.
MD5 still is much more safe than loitering a day at an arbitrary spot on
earth without being prepared for the direct hit of a 10 km asteroid
during that day. (That's around 2 exp -64 of probability.)

If really crypto-grade checksumming is desired, i'd propose to use some
trustworthy program (if you find any) to harden the ISO image after
production. You cannot expect the necessary crypto experience with the
programmers of ISO 9660 programs.


Have a nice day :)

Thomas
Comment 8 cat22 2018-04-29 13:30:55 UTC
Some iso images only offer the sha256 chksum and not the md5 sum so this is why the option is needed. It has nothing to do with the suitability of sha256 or md5. It just provides the user a way to verify iso's that only have the sha256 sum provided to verify the iso isn't corrupted.
Comment 9 cat22 2018-05-04 04:01:21 UTC
I just discovered that openSuse only provides sha256 check sums with the download install images.
See Here:
   https://software.opensuse.org/distributions/leap
So it would be very useful to be able to select which check sum to generate on file load.
Comment 10 cat22 2018-10-15 05:22:45 UTC
Well, it's been over 2.5 years and no movement on this whatsoever.
Can we get an explanation of what is holding it up? 
Is there info needed? If so please ask.
Sample C code to compute sha256? I can provide that.
md5 is falling out of favor and many places no longer provide an md5sum but instead provide sha256
Don't misunderstand: DO NOT remove md5, just ADD sha256
Comment 11 Albert Astals Cid 2018-10-15 20:42:25 UTC
manpower, if you know how to code, get the k3b codebase and implement it, i'm sure it won't be that difficult, otherwise you'll have to wait until someone with time can do it