When you install an image, you can see this message:
Checking MD5 checksums of files on the ISO image...OK. Done!
That message has been there since the earliest Vyatta Core versions I can remember. Since for security we have actual digital signatures, using MD5 isn't a security concern. Still, why are we even checking them?
There are quite a few questions:
- What puts MD5 sums on the ISO image? What are those checksums of?
- What checks them? Can we disable that check for signed images?
- For unsigned images, can we switch it to a hash sum algorithm that won't raise the eyebrows of the "superficially security-minded people"?