360184 – k3b should offer option to select either md5 sum or sha256 when loading dvd iso

Bug 360184 - k3b should offer option to select either md5 sum or sha256 when loading dvd iso

Summary: k3b should offer option to select either md5 sum or sha256 when loading dvd iso

Status:	REPORTED

Alias:	None

Product:	k3b
Classification:	Applications
Component:	Data Project (show other bugs)
Version:	2.0.80
Platform:	openSUSE Linux

Importance:	NOR wishlist
Target Milestone:	---
Assignee:	k3b developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-03-07 00:51 UTC by cat22
Modified:	2018-10-15 20:42 UTC (History)
CC List:	8 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description cat22 2016-03-07 00:51:50 UTC

Currently when you load an iso image into k3b it calculates the md5dum by default and shows it in a dialog. This should be a settings option to all users to decide if they want to calculate the md5sum or a sha256 sum when loading an iso

Reproducible: Always

Steps to Reproduce:
1. open k3b and select an iso to load for burning
2. k3b displays some info including the md5sum
3.

Actual Results:  
only an md5sum is shown

Expected Results:  
There should be a user configurable option in the k3b settings to determine what kind of checksum k3b should perform when loading an isoimage for burning

Comment 1 Phil 2016-09-09 17:04:45 UTC

Dear KDE "K3b" developers and maintainers,

+1 for the request for the modification and or update to the "checksum" aspect of burning and or verifying ".iso" images to include a more current "sha256" checksum value, and maybe an option (auto or not) for comparing that to an existing "sha256sum.txt" file that is in the same folder (directory). 

"K3b" is the most loved CD/DVD/Blu-Ray application for Linux Mint users, including me. If there are updates and or upgrades to this wonderful application, how can Linux Mint users install it on 32-bit and 64-bit systems on Linux Mint versions 17.x based on Ubuntu 14.04 or Linux Mint version 18 based on Ubuntu 16.04? Are there any easy to install and use Linux ".deb" files, or a PPA perhaps, that we can use to install these upgrades? Or, do we have to compile it, and if so, could you please detail those instructions?

Thank you, 
Phil D. 
KDE Bug forum User: phdsrq@gmail.com 
Linux Mint forum user: phd21 
phd21mint@gmail.com

Comment 2 Leslie Zhai 2016-09-13 01:27:52 UTC

Hi,

As 'Implementating NEW features' described http://www.leetcode.cn/2016/08/k3b.html I need to fix high priority bugs, but I will pay some attention to the implementation of NEW feature ;-)

Regards,
Leslie Zhai

Comment 3 Thomas Schmitt 2016-09-13 06:42:15 UTC

Hi,

K3B already uses class QCryptographicHash. (In the Debian version it is
deprecated class KMD5.)
See libk3b/tools/k3bmd5job.cpp, line 44.

The newly used class offers a long list of hash algorithms:
  http://doc.qt.io/qt-5/qcryptographichash.html

If i get it right, then currently MD5 is hardcoded in line 35 of
k3bmd5job.cpp:

                 : md5(QCryptographicHash::Md5),

This hardcoded default needs to be replaced by a user choice among the 
offered algorithms. E.g.  QCryptographicHash::Sha512 .

Now that's where i reach the end of my expertise as C programmer and
command line burner. The remaining work is about C++ tech and testing
whether it works with other algorithms and does not display confusing
messages about MD5 when SHA512 is selected.

Have a nice day :)

Thomas

Comment 4 Phil 2016-09-13 21:17:05 UTC

Dear KDE "K3b" developers and maintainers, Leslie Zhai, Sebastian Trueg, Thomas Schmitt,

1. To all of you, Thank you for working on this great K3b application, and making it even better.

2. It looks like you are using "QT" development for some if not all of this? I do not yet know enough about "QT" to help with that. Although, the link from Thomas regarding the use of "QCryptographicHash::Sha256" (and its variations) look pretty good too me.

I don't know if this will help or not, but when I use Linux Mint for evaluating checksum values, I can use the commands below. As far as I know, all Linux distros (and maybe MS Windows too) have the command "sha256sum" already installed.

To get the checksum value:
Example:
sha256sum -b linuxmint-18-kde-32bit.iso
Results in:
ff8bacc631e7955fc6b0f86c9014ce27aa455e3ee0913de0b2bc6c366b63c693 *linuxmint-18-kde-32bit.iso

To verify a checksum of a file with its downloaded checksum file (sha256sum.txt) in the same folder, I can use either of these console terminal commands:
Example:
sha256sum --check sha256sum.txt
or
sha256sum --check --ignore-missing sha256sum.txt

Results in:
linuxmint-18-cinnamon-32bit.iso: OK
linuxmint-18-kde-32bit.iso: OK
linuxmint-18-mate-32bit.iso: OK
linuxmint-18-xfce-32bit.iso: OK

3.) I tried to compile "K3b" from the link below using the "install.txt" instructions, and could not successfully compile it on my Linux Mint KDE 32-bit system. Unfortunately, I only have an ancient 32- bit computer (11+ years old Pentium 4 computer (single core)) which cannot install any version of QT higher than "Qt v5.5" and 32-bit. So, I still need alternate compiling instructions (easy detailed ones please), or I would prefer easy to install ".deb" files, or a PPA.

https://github.com/KDE/k3b

Best regards to all of you and yours,
Phil

Comment 5 Leslie Zhai 2016-09-18 01:46:21 UTC

> cannot install any version of QT higher than "Qt v5.5" and 32-bit

*WHY*? Qt is supported on a variety of 32-bit and 64-bit platforms http://doc.qt.io/qt-5/supported-platforms.html

Comment 6 guyvf 2018-04-26 21:12:28 UTC

please replace automatic calculation of md5 sums with sha256, as the former is broken: https://en.wikipedia.org/wiki/Hash_function_security_summary

Comment 7 Thomas Schmitt 2018-04-27 07:11:43 UTC

Hi,

guyvf wrote:
> https://en.wikipedia.org/wiki/Hash_function_security_summary

This is about intentional manipulations of checksums, not about their
suitability for detecting incidential transport or storage errors.

So the main purposes of hashes with ISO images or their content is not
in danger.
MD5 still is much more safe than loitering a day at an arbitrary spot on
earth without being prepared for the direct hit of a 10 km asteroid
during that day. (That's around 2 exp -64 of probability.)

If really crypto-grade checksumming is desired, i'd propose to use some
trustworthy program (if you find any) to harden the ISO image after
production. You cannot expect the necessary crypto experience with the
programmers of ISO 9660 programs.


Have a nice day :)

Thomas

Comment 8 cat22 2018-04-29 13:30:55 UTC

Some iso images only offer the sha256 chksum and not the md5 sum so this is why the option is needed. It has nothing to do with the suitability of sha256 or md5. It just provides the user a way to verify iso's that only have the sha256 sum provided to verify the iso isn't corrupted.

Comment 9 cat22 2018-05-04 04:01:21 UTC

I just discovered that openSuse only provides sha256 check sums with the download install images.
See Here:
   https://software.opensuse.org/distributions/leap
So it would be very useful to be able to select which check sum to generate on file load.

Comment 10 cat22 2018-10-15 05:22:45 UTC

Well, its been over 2.5 years and no movement on this whatsoever.
Can we get an explanation of what is holding it up? 
Is there info needed? If so please ask.
Sample C code to compute sha256? I can provide that.
md5 is falling out of favor and many places not long provide an md5sum but instead provide sha256
Dont misunderstand DO NOT remove md5 just ADD sha256

Comment 11 Albert Astals Cid 2018-10-15 20:42:25 UTC

manpower, if you know how to code, get the k3b codebase and implement it, i'm sure it won't be that difficult, otherwise you'll have to wait until someone with time can do it