[tex-live] tlmgr: Package verification

Philipp philipp.kupferschmied at gmail.com
Tue Jan 23 19:27:32 CET 2018


Hi Norbert,

thanks again for shedding some light on the details of tlmgr.

> Yes indeed, it could be made clearer  :-)

I'd like to help here, but I haven't had an idea so far how it could
be made clearer.

> Without --no-verify-downloads you will always get the main repository
> checked, which cannot be turned off with --no-require-verification.
> But with --no-verify-downloads even the main repo is not checked.

Is this the only case where it makes a difference? I can't even guess
how many users might need it, but it would greatly simplify the manual
if "--(no)-verify-downloads" could be completely removed ;-)


> Yes, the checksums are always done. Run tlmgr with -v and you will see
> some more output:

Thanks for the hint, the additional output is indeed interesting.
Out of curiosity, I randomly picked one of the hashes printed by "-v"
and searched the tlpdb files for it (both texlive.tlpdb and all of the
texlive.tlpdb.somehash files). To my surprise, the hash wasn't found
anywhere.
I then had a look at the "backups" folder and calculated the
sha512-hashes of all the .tar.xz files there. I found that the hash I
had copied is the hash of "collection-latexextra.r46401.tar.xz". The
file is 5628 bytes in size, and its hash is
18DF732AAF72569D72FCD1DBEEB905FFBEB089D9FFC5FB01D7FC70431ADA735B28C01D35C61220064F90360963952803D93B16C8533FA1B74AC335B7859B1861

In the corresponding tlpdb file, I found the following:
> name collection-latexextra
> category Collection
> revision 46401
> [...] lots of stuff omitted
> containersize 5504
> containerchecksum 1ff42dd776de6e3325e1bca5b9975353b56531a5da2f961612c0e41e41b419a0b1a77a14191b935f591d7df14049fd8f4cea11ddec46851b43fa03ee9748cf92

I'd like to understand what is happening here. Obviously, the hash in
the database does not match the hash of the corresponding .tar.xz
file, but tlmgr did not complain. It also does not match the hash of
the .tar file that's inside, nor of the included .tlpobj file.

As the .tar.xz file is also 124 bytes larger than specified in the
database, I guess some bytes are stripped before the hash is
calculated? But if so, why? And why does -v print the "wrong" hash?
I also noted that in your example, -v prints a different hash than -v
-v, although the package/file seems to be the same?!



>> (The manual says "That is, for each texlive.tlpdb loaded from a
>> repository, the corresponding checksum file texlive.tlpdb.sha512 is
>> also downloaded, and tlmgr confirms whether the checksum of the
>> downloaded TLPDB file agrees with the download data." - which sounds
>> as if *only* the tlpdb file is verified).
>
> *verified* means that a cryptographic signature is checked. After that
> each package in turn is checked for integrity, and as a consequence also
> verified (unless the checksum mechanism is broken and can be
> circumvented, which is with sha256 not possible at the moment).

Sorry, my mistake - I used "verified" here, but meant integrity check,
i.e. comparison of sha512 hashes. The manual doesn't confuse these two
terms. Still, I think it's somewhat confusing. It first says:

> By default, package checksums computed and stored on the server (in the TLPDB) are
> compared to checksums computed locally after downloading.

This seems to precisely describe what is going on. The manual goes on with:

> That is, for each texlive.tlpdb loaded from a repository, the corresponding checksum file
> texlive.tlpdb.sha512 is also downloaded, and tlmgr confirms whether the checksum of the
> downloaded TLPDB file agrees with the download data.

This sounds to me as if hash computation and comparison is only done
for the tlpdb file(s), not for each downloaded package, so in my
opinion, it is rather misleading, given the first sentence.


Best regards,
Philipp
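
As an added illustration, not code from tlmgr or from anyone in this thread: the size-plus-checksum comparison against a tlpdb stanza that the message above did by hand, run over a constructed stanza (using the "containersize" and "containerchecksum" keys quoted in the message) and constructed container bytes, including a copy padded by 124 bytes to mirror the reported size difference.

```python
import hashlib
import re

# Constructed sample data: stands in for a downloaded .tar.xz container.
GOOD_CONTAINER = b"constructed stand-in for collection-latexextra.r46401.tar.xz\n"
# Constructed variant that is 124 bytes longer than the database says,
# mirroring the size discrepancy described in the message above.
PADDED_CONTAINER = GOOD_CONTAINER + b"\x00" * 124

# Constructed texlive.tlpdb-style text: blank-line separated stanzas of
# "key value" lines. Checksum/size values are derived from GOOD_CONTAINER,
# they are not real TeX Live values.
TLPDB = f"""name collection-latexextra
category Collection
revision 46401
containersize {len(GOOD_CONTAINER)}
containerchecksum {hashlib.sha512(GOOD_CONTAINER).hexdigest()}

name some-other-package
category Package
revision 1
containersize 10
containerchecksum {"0" * 128}
"""


def parse_tlpdb(text):
    """Return {package name: {key: first value seen}} from tlpdb-style text.
    Indented continuation lines (file lists) get an empty key and are ignored."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(" ")
            entry.setdefault(key, value.strip())
        if entry.get("name"):
            packages[entry["name"]] = entry
    return packages


def check_container(tlpdb_text, name, data):
    """Compare a container's size and sha512 against its tlpdb stanza."""
    pkg = parse_tlpdb(tlpdb_text)[name]
    expected_size = int(pkg["containersize"])
    expected_sum = pkg["containerchecksum"].lower()
    actual_sum = hashlib.sha512(data).hexdigest()
    return {
        "size_ok": len(data) == expected_size,
        "size_delta": len(data) - expected_size,
        "checksum_ok": actual_sum == expected_sum,
        "actual_sha512": actual_sum,
        "expected_sha512": expected_sum,
    }


def find_package_by_checksum(tlpdb_text, digest_hex):
    """Reverse lookup: which stanza (if any) carries this containerchecksum?"""
    for name, pkg in parse_tlpdb(tlpdb_text).items():
        if pkg.get("containerchecksum", "").lower() == digest_hex.lower():
            return name
    return None
```

Running check_container on the padded copy reports both a size delta and a checksum mismatch, which is the situation the message describes before asking why tlmgr stayed silent.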

