[alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.

From: Ferris Ellis <ferris_at_ferrisellis.com>
Date: Wed, 7 Mar 2018 18:28:49 -0500

Dear alpine-devel mailing list,

I was looking into using a crypto-service to do Alpine package build signatures (as opposed to using a key on disk) and in doing so stumbled across the fact that Alpine package signatures currently use SHA1 digests. After a quick search on https://lists.alpinelinux.org I didn’t see any prior discussions related to this fact and thus am posting this to the mailing list.

I wanted to start a dialog about the possibility of moving to using SHA2 digests (I would presume SHA256 would be the preferred option) for signatures as SHA1 is deemed insecure by many and is being phased out for most usage of PKI. This includes my use case, where the crypto-service I have deliberately no longer offers signatures with SHA1 digests and instead offers standard SHA2 digests.

If the community is interested I’m happy to submit a more formal RFC on this. But, as I’m relatively new to the mailing list, I figured it was best to start with just a dialog!

Cheers,
Ferris

Received on Wed Mar 07 2018 - 18:28:49 GMT