os icon indicating copy to clipboard operation
os copied to clipboard

Published 20 hours ago verified publisher icon elementary

Generate crc32 checksum

Open cassidyjames opened this issue 4 years ago • 2 comments

Etcher has started exposing the calculated crc32 checksum of an image after it's flashed; it would cut down on our documentation if we used that to verify both the download and the flashed drive.

screenshot with CRC32 checksum

cassidyjames avatar Aug 04 '21 18:08 cassidyjames

Worth noting that CRC32 is not a "secure" checksum in the sense that it's very easy to generate collisions.

So, it would be trivial for someone to download an ISO, modify it in some malicious way and also include a file made up of carefully calculated data that would make the checksum match afterwards.

I know that the main point of the process is to verify that there wasn't any corruption. But there's the side benefit of verifying the iso you've downloaded is the same one we published too. So we definitely want to keep publishing the more "secure" hashes too.

davidmhewitt avatar Aug 04 '21 18:08 davidmhewitt

@davidmhewitt it turns out Etcher doesn't actually expose these as prominently anymore so it's probably a non-issue. I've updated the installation docs to use the built-in Windows method of verifying instead of Rufus' anyway.

cassidyjames avatar Aug 04 '21 22:08 cassidyjames