Mail archive

Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.

From: Ferris Ellis <>
Date: Fri, 9 Mar 2018 08:02:50 -0500

> On Mar 8, 2018, at 7:53 AM, Timo Teras <> wrote:
> On Wed, 7 Mar 2018 18:28:49 -0500
> Ferris Ellis <> wrote:
>> ...
>> I wanted to start a dialog about the possibility of moving to using
>> SHA2 digests (I would presume SHA256 would be the preferred option)
>> for signatures as SHA1 is deemed insecure by many and is being phased
>> out for most usage of PKI. This includes my use case, where the
>> crypto-service I have deliberately no longer offers signatures with
>> SHA1 digests and instead offers standard SHA2 digests.
>> ...
> I have been working to update .apk and index formats to binary. I was
> hoping to do the hash algorithm change there. While I do have the
> design ready, and some code too, it's taking a bit more than expected.
> I am willing to accept backwards compatible patches at this point even
> for the current formats. The signatures could be pretty easily updated.
> Just add a new prefix type to identify the signatures as rsa-sha256 or
> similar.
> However, sign only the control.tar.gz part of apk. That in turn
> contains hash for the control.tar.gz part containing the package
> metadata. Changing this 'identity hash' from sha1 to sha256 would be
> more intrusive. Same applies to the individual file checksums kept in
> the file database for audit purposes. However, control.tar.gz does have
> stronger hash (sha256) for data.tar.gz which contains the actual file
> data content.
> Timo

Timo, thanks for sharing! I’m a little confused by your message. Can you clarify what each of the hashes are? Including the ‘identity hash’ and ‘individual file checksums’? I’m still new to the internals of apk packaging and am only aware of two hashes:

1. The RSA signature hash uses SHA1 as the hash for control.tar.gz.
2. Inside control.tar.gz is the .PKGINFO file which contains a SHA2-256 hash of data.tar.gz

Also, as I mentioned in my last reply to A. Wilcox, I think since the RSA signature is ASN1 encoded. If so you shouldn’t need a new prefix type, as the ASN1 blob states the hash that it contains. But please correct me if I’m wrong on this! Just trying to be of help :)


Received on Fri Mar 09 2018 - 08:02:50 UTC