X-Original-To: alpine-devel@lists.alpinelinux.org Received: from mail-yb0-f180.google.com (mail-yb0-f180.google.com [209.85.213.180]) by lists.alpinelinux.org (Postfix) with ESMTP id A30B45C4EA7 for ; Fri, 9 Mar 2018 12:48:45 +0000 (GMT) Received: by mail-yb0-f180.google.com with SMTP id u5-v6so3084734ybf.4 for ; Fri, 09 Mar 2018 04:48:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ferrisellis-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:date:subject:message-id :references:in-reply-to:to; bh=Y21uwxPy5xx8pRSrvYxuuEQfU83on5H6jP3X1vIiD2I=; b=f8+sKZX5Llm44qwgzN40V12S8vbmQCitJBv0Yg0L91FhkWZItFvTbBzR75AACqfVkf Z2xYR0KuWxVYAZE8p9N0Biu15RInATNdQRufYScs0uxTFv24wNAYFuWuiRxsnaDW5SN/ AgmUfckQJ4D+Teb9n0pbXkv6/owlUDzyRFdg9oiHMf5iSLKWzBv3HQgrvVWExhqkFPWz MdwKD+sUsemrNl3ExzqLNqhFHiDlytMb79u/meBBBtgZzbzBx7w6m/sss3On3S4ohJ4k ewfJvDOW/KG+vDivuF/P0IRdnXDKdn43D+Mve2sWXorA1Fn9wj5HTFPtOfRuDLx1++PM FXAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version:date :subject:message-id:references:in-reply-to:to; bh=Y21uwxPy5xx8pRSrvYxuuEQfU83on5H6jP3X1vIiD2I=; b=bjULBKVq+UhfSakiWnk84n22T4/FsNf0BYQV7CZ9/NRScGjUM9Vt9RQsMEvTKx+vWB DX+xqO8WGJyxXAl0sykWx5x41rAAdhJhZK6ytEtnTxG3Ggltw9RM+dq+LVx0Fb458mf7 tOu7hIUgStobCR2dmRgiDHL5xAUhDPS6GdG4gjJqDq7VXIyXoBbTjo0AVMDuxcX0gSco uPNxUfFTRDWzUux9DpnfJoCKfWOkpxqvVX+DlBks/2SglHxinN6NtIUDrmVtN6f9FfmF 8+VQbUYvMgf72Wzc4O/YINcD3x/EcMudmivAUeXD4gyO1QSPcakHIS3NnFmk8OVXtvSh 60kw== X-Gm-Message-State: AElRT7GXmfwkUBbLsjWs0kU7ACG7S3L7nEyVbGXydMsB7fZ35Fe+GZiB FTd8YDw1j+DRRpr2IfUS0hip3XiBV7M= X-Google-Smtp-Source: AG47ELv6PuuL5rvhH7zOxFin8FXMiDZQ70BadMyCPxoC4ovgONCd/6Cw28j6eJtyW0vizNEnRh0iSA== X-Received: by 2002:a25:e812:: with SMTP id k18-v6mr11654503ybd.215.1520599724770; Fri, 09 Mar 2018 04:48:44 -0800 (PST) Received: from [192.168.2.246] (c-73-120-111-204.hsd1.tn.comcast.net. [73.120.111.204]) by smtp.gmail.com with ESMTPSA id n184sm282604ywf.73.2018.03.09.04.48.43 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Mar 2018 04:48:43 -0800 (PST) From: Ferris Ellis Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 (1.0) Date: Fri, 9 Mar 2018 07:48:43 -0500 Subject: Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest. Message-Id: <086FA506-3259-4624-A864-B3957299A17D@ferrisellis.com> References: <257B6969-21FD-4D51-A8EC-95CB95CEF365@ferrisellis.com> <5417b964-e4d0-13c5-5f55-4c9c7eed1588@adelielinux.org> In-Reply-To: <5417b964-e4d0-13c5-5f55-4c9c7eed1588@adelielinux.org> To: alpine-devel@lists.alpinelinux.org X-Mailer: iPad Mail (15C202) > On Mar 7, 2018, at 7:07 PM, A. Wilcox wrote: >=20 >> On 03/07/18 17:28, Ferris Ellis wrote: >> ... >>=20 >> I wanted to start a dialog about the possibility of moving to using >> SHA2 digests (I would presume SHA256 would be the preferred option) >> for signatures as SHA1 is deemed insecure by many and is being phased >> out for most usage of PKI. This includes my use case, where the >> crypto-service I have deliberately no longer offers signatures with >> SHA1 digests and instead offers standard SHA2 digests. >>=20 >> ... >=20 > I proposed this in 2015: >=20 > https://code.foxkit.us/adelie/packages/raw/ebuild/sys-apps/apk-tools/files= /apk-tools-2.6.6-use-sha256-signature.patch >=20 > We used this in very early builds of Ad=C3=A9lie, and in fact, alpha1 was > shipped with all packages signed using SHA-256. It wasn't accepted into > upstream apk-tools because there was no compatibility with SHA-1 > packages. I had considered making a backwards-compatible one (possibly > using SH2 instead of RSA as the file name), but life got in the way. >=20 > I'd be more than willing to work on this more if it is something the > community desires. This is great A. Wilcox! I for one think it would be a very worthwhile addit= ion. Though I think backward compatibility may be easier than changing the f= ile name. I=E2=80=99m not deeply familiar with all things OpenSSL, but my un= derstanding is that the signature is encoded in ASN1. If so then the signatu= re itself will state which hash was used! You could then simply have a confi= g somewhere for apk stating which hashes you trusted. Cheers, Ferris --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---