PassMark Software

Announcement

Collapse
No announcement yet.

Integrity check of MemTest86 V7.3?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Integrity check of MemTest86 V7.3?

    I have downloaded MemTest86 V7.3 Free Edition for Linux/Mac (http://www.memtest86.com/downloads/memtest86-usb.tar.gz) to create a bootable USB drive, but there is no way to verify the integrity of the archive as no signed or non-signed checksums are available on the site.

    Can you provide the verified SHA-256 or SHA-512 hash for memtest86-usb.tar.gz V7.3?

    Thanks.

  • #2
    The code is code signed by us and Microsoft. So any machine that has secure boot in UEFI BIOS won't run the executable if it is corrupted or tampered with.

    TCP/IP also has checksums on the data transmission and so do the lower level transmission layers like ethernet's CRC. So the possibility of undetected data corruption during transmission are very low. Also GZIP uses a CRC-32 checksum, and the file won't unzip if it is corrupt.

    The process of writing the file to USB has a verify option in it, which is on by default. So corruption should also be low here. And SHA (on the tar file) isn't going to detect this anyway.

    So this is already 5 layers of protection.

    Which leave you with the possibility of data corruption via malware on your machine, or us distributing bad software in the first place. But if we are distributing bad software, then the SHA hashes we supply will still match.

    SHA1 is sufficient for the purposes of detecting file corruption. SHA-256/512 isn't required.

    So listing SHA values has very little value. But there they are anyway
    Path Size (bytes) SHA-1
    memtest86-iso.tar.gz 5285057 F342F17D3C6F2A06AC8BD6FDE6D0ADDF0B06A0D8
    memtest86-iso.zip 5284483 37D29AEBCD62EFD23F1C7252A1C57B00B925D9BC
    memtest86-pro-iso.tar.gz 6005010 687C815A5A5C5DF508193FCCAD53EB2F3BA91A71
    memtest86-pro-iso.zip 6005176 A5A29315C1246D7584D73FF7E7B4EE17219BA455
    memtest86-pro-purchased.zip 26414913 F3275203B4B0EC76A30008324EBEB1ADEA9A0FDB
    memtest86-pro-usb.tar.gz 6646468 D87332E96125B82C78FF23B977639EB7D15C7541
    memtest86-pro-usb.zip 7081415 24463CC9EECF37E52699B9EF3EDBB1ACCD88A9BD
    memtest86-site-purchased.zip 31553472 727C0BC52C8861E12044F9623A8B99F23BBF9796
    memtest86-site.tar.gz 2579990 96ACEBDCC8367CD641A5719B5A166362574ECFA4
    memtest86-site.zip 2579490 A8D3393FC96B0BC8B5B5C690292284988CEA220E
    memtest86-usb.tar.gz 6577109 8C6992C2EB381F4070C593D8776754D5411E3506
    memtest86-usb.zip 7012007 16497431A2514C06E9EA4B81C622CBDFFF4DAB0F
    MemTest86_User_Guide_UEFI.pdf 1042305 7884A5BE5D445FD1EB07150A5E5CFF44661F19C4

    Comment


    • #3
      Thanks.

      My main concern was an automated MITM attack as files are downloaded over plain HTTP and UEFI does not have secure boot configured.

      Comment


      • #4
        Maybe there was a MITM attack,and they altered this page as well, displaying different hash values just for you?

        Comment


        • #5
          Originally posted by David (PassMark) View Post
          Maybe there was a MITM attack,and they altered this page as well, displaying different hash values just for you?
          An automated MITM attack that would serve a rouge copy to anybody using a compromised network is pretty easy to do over plain http. Discovering that I'm asking for hashes in a forum and displaying different values for me would require human interaction in an attack specific on me, which is extremely unlikely. But yes, it's not optimal and the right thing to do would be publishing PGP signed SHA256 or SHA512 checksums like many projects do. SHA-1 was broken in February and it's now possible to generate a hash collision, but at this point it would cost around $130,000 so it's good enough for verifying my copy.

          Comment


          • #6
            An automated search and replace for a hash string is trivially easy compared to generating a SHA-1 hash collision.

            Also you can check the Microsoft code signing without having UEFI secure boot turned on. Via right click on the executable file. Like this,


            CodeSigning.png



            Comment

            Working...
            X