Mail archive
alpine-devel

Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.

From: Ferris Ellis <ferris_at_ferrisellis.com>
Date: Fri, 9 Mar 2018 07:48:43 -0500

> On Mar 7, 2018, at 7:07 PM, A. Wilcox <awilfox_at_adelielinux.org> wrote:
>
>> On 03/07/18 17:28, Ferris Ellis wrote:
>> ...
>>
>> I wanted to start a dialog about the possibility of moving to using
>> SHA2 digests (I would presume SHA256 would be the preferred option)
>> for signatures as SHA1 is deemed insecure by many and is being phased
>> out for most usage of PKI. This includes my use case, where the
>> crypto-service I have deliberately no longer offers signatures with
>> SHA1 digests and instead offers standard SHA2 digests.
>>
>> ...
>
> I proposed this in 2015:
>
> https://code.foxkit.us/adelie/packages/raw/ebuild/sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch
>
> We used this in very early builds of Adélie, and in fact, alpha1 was
> shipped with all packages signed using SHA-256. It wasn't accepted into
> upstream apk-tools because there was no compatibility with SHA-1
> packages. I had considered making a backwards-compatible one (possibly
> using SH2 instead of RSA as the file name), but life got in the way.
>
> I'd be more than willing to work on this more if it is something the
> community desires.

This is great A. Wilcox! I for one think it would be a very worthwhile addition. Though I think backward compatibility may be easier than changing the file name. I’m not deeply familiar with all things OpenSSL, but my understanding is that the signature is encoded in ASN1. If so then the signature itself will state which hash was used! You could then simply have a config somewhere for apk stating which hashes you trusted.

Cheers,
Ferris



---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Fri Mar 09 2018 - 07:48:43 GMT