Mail archive

Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.

From: A. Wilcox <>
Date: Wed, 7 Mar 2018 18:07:59 -0600

On 03/07/18 17:28, Ferris Ellis wrote:
> Dear alpine-devel mailing list,
> I was looking into using a crypto-service to do Apline package build
> signatures (as opposed to using a key on disk) and in doing so
> stumbled across the fact that Alpine package signatures currently use
> SHA1 digests. After a quick search on I
> didn’t see any prior discussions related to this fact and thus am
> posting this to the mailing list.
> I wanted to start a dialog about the possibility of moving to using
> SHA2 digests (I would presume SHA256 would be the preferred option)
> for signatures as SHA1 is deemed insecure by many and is being phased
> out for most usage of PKI. This includes my use case, where the
> crypto-service I have deliberately no longer offers signatures with
> SHA1 digests and instead offers standard SHA2 digests.
> If the community is interested I’m happy to submit a more formal RFC
> on this. But, as I’m relatively new to the mailing list, I figured it
> was best to start with just a dialog!
> Cheers, Ferris

I proposed this in 2015:

We used this in very early builds of Adélie, and in fact, alpha1 was
shipped with all packages signed using SHA-256. It wasn't accepted into
upstream apk-tools because there was no compatibility with SHA-1
packages. I had considered making a backwards-compatible one (possibly
using SH2 instead of RSA as the file name), but life got in the way.

I'd be more than willing to work on this more if it is something the
community desires.

Best to you and yours,

A. Wilcox (awilfox)
Project Lead, Adélie Linux

Received on Wed Mar 07 2018 - 18:07:59 UTC