zlacker

1. ciaran+(OP)[view] [source] 2020-06-05 03:02:45
You can build the source locally, then compare the MD5 hash value of your build to (1) the hash value they post publicly for their build and (2) the actual hash value of their build once you download it.

Assuming all three match, you know that the binary matches the source.

Someone who is more technically inclined can probably go into more detail on this.

replies(3): >>khc+D4 >>drdrey+J4 >>bawolf+f7
2. khc+D4[view] [source] 2020-06-05 03:51:29
>>ciaran+(OP)
We are talking about security, and you brought up... MD5?
replies(1): >>kortil+C6
3. drdrey+J4[view] [source] 2020-06-05 03:53:06
>>ciaran+(OP)
This is actually more involved than it sounds. It is pretty easy for the compiler to introduce nondeterminism and result in slightly different binaries. I know this for a fact because I fixed a couple bugs like this in LLVM.

For the curious: we actually were intentional about finding these, by compiling many programs with the same parameters on different machines. One with a 32-bit OS and toolchain, the other one on a 64-bit machine, and we would get alerted when we produced binaries with a different checksum.

4. kortil+C6[view] [source] [discussion] 2020-06-05 04:20:35
>>khc+D4
We’re talking about the forest, and you mention... one of the trees?
5. bawolf+f7[view] [source] 2020-06-05 04:28:52
>>ciaran+(OP)
MD5 is not safe for this use case. Assuming the provider is malicious, this is exactly the scenario where MD5 is broken (i.e. it is possible to make source code that compiles a certain way so that you can make another binary that has the same hash but is different). The bright side is the attack would leave evidence, as there would be certain patterns in the binary that could be detected if you knew how/where to look. That said, just use SHA-256.
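The three-way check ciaran describes in the first comment, using SHA-256 as bawolf suggests, written out as an added example (this is not code from anyone in the thread). The file names, the sha256sum-style checksum listing and the tiny stand-in "binaries" are constructed assumptions; the point is that each leg that fails points at a different problem.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text, filename):
    """Pull the published digest for `filename` out of sha256sum-style output ("<hex>  <name>")."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    raise KeyError(f"no published digest for {filename}")


def verify_three_way(local_build, downloaded, published_hex):
    """Compare (1) the published digest, (2) the downloaded vendor binary and (3) your own rebuild.
    Returns "ok" when all three agree, otherwise a label for the leg that disagrees."""
    local = sha256_file(local_build)
    remote = sha256_file(downloaded)
    if not hmac.compare_digest(remote, published_hex):
        return "download-mismatch"  # what you downloaded is not what the vendor says they shipped
    if not hmac.compare_digest(local, remote):
        return "not-reproducible"  # vendor artifact is as published, but your rebuild differs
    return "ok"


def demo():
    """Constructed sample run: two tiny files stand in for real build outputs."""
    with tempfile.TemporaryDirectory() as d:
        vendor = os.path.join(d, "app.bin")
        other = os.path.join(d, "app-other.bin")
        with open(vendor, "wb") as f:
            f.write(b"\x7fELF constructed build output\n")
        with open(other, "wb") as f:
            f.write(b"\x7fELF constructed build output, different timestamp\n")
        published = parse_sha256sums(f"{sha256_file(vendor)}  app.bin\n", "app.bin")
        return (verify_three_way(vendor, vendor, published),   # all three agree
                verify_three_way(other, vendor, published),    # rebuild differs (drdrey's nondeterminism)
                verify_three_way(vendor, other, published))    # download differs from the published digest
```

A "not-reproducible" result is where drdrey's compiler nondeterminism shows up; a "download-mismatch" is the case a digest check is actually there to catch.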