X-Original-To: alpine-devel@lists.alpinelinux.org Received: from mail-lf0-f54.google.com (mail-lf0-f54.google.com [209.85.215.54]) by lists.alpinelinux.org (Postfix) with ESMTP id E86B05C4EA8 for ; Thu, 8 Mar 2018 12:53:59 +0000 (GMT) Received: by mail-lf0-f54.google.com with SMTP id z128-v6so1948535lff.2 for ; Thu, 08 Mar 2018 04:53:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=30VKZun4e13andD/4xGDbeZtYBRvKLELe2lWespxrLc=; b=AFPOlROOKx/z2BhemhnXQqhPsnlK+uGaY5K1Ukc5ZQNgCgPi9j8kW7UW8e+CjShqlZ MCk+4xcVm9Ej3PfUwJ/FrcTiEV/l94bhax4Ax472Wes3BUrsA3dWRrXeMSaan4GJ3FR8 Um+kDdWZCPHNs4M/MAvv1Jtgdn4+DW5brL8m372MVjOz07cDfgMArXO2dLOndd6/nJj4 ZAV5fXys4QWZgXZl75xuvTb1x+1XPwj1Iux92+8cq+wC12QusOktKVKCPYsWrAI6+eHo 8miWGGhDeE5OPgP5JOdCnBeXscjT4F8E5Gxx5ySGYWTSDP9Wo4vfoqSjo7daIoYMZ8Gf CCkg== X-Gm-Message-State: AElRT7FM3EryMGG9p7ln2Pxei7FVzQYEVVikgno6sYDp4JX2FMJrzZnj 6WOUgcQb0BVR0APdE3zdA3m+Z9Ki X-Google-Smtp-Source: AG47ELtXb/OOn4VqfkGc3+OJDi1Nleh9AUOSE/g1zUOzPfIdn5PzChUQ0TRxWo8urrZo+m5w0UanDw== X-Received: by 10.25.119.27 with SMTP id s27mr16480725lfc.138.1520513638927; Thu, 08 Mar 2018 04:53:58 -0800 (PST) Received: from vostro.util.wtbts.net ([2001:1bc8:101:f402:e66f:13ff:fef3:8cd0]) by smtp.gmail.com with ESMTPSA id p67sm4081901ljb.95.2018.03.08.04.53.58 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 08 Mar 2018 04:53:58 -0800 (PST) Date: Thu, 8 Mar 2018 14:53:56 +0200 From: Timo Teras To: Ferris Ellis Cc: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest. Message-ID: <20180308145356.6355eafe@vostro.util.wtbts.net> In-Reply-To: <257B6969-21FD-4D51-A8EC-95CB95CEF365@ferrisellis.com> References: <257B6969-21FD-4D51-A8EC-95CB95CEF365@ferrisellis.com> X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-alpine-linux-musl) X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi On Wed, 7 Mar 2018 18:28:49 -0500 Ferris Ellis wrote: > I was looking into using a crypto-service to do Apline package build > signatures (as opposed to using a key on disk) and in doing so > stumbled across the fact that Alpine package signatures currently use > SHA1 digests. After a quick search on https://lists.alpinelinux.org I > didn=E2=80=99t see any prior discussions related to this fact and thus am > posting this to the mailing list. >=20 > I wanted to start a dialog about the possibility of moving to using > SHA2 digests (I would presume SHA256 would be the preferred option) > for signatures as SHA1 is deemed insecure by many and is being phased > out for most usage of PKI. This includes my use case, where the > crypto-service I have deliberately no longer offers signatures with > SHA1 digests and instead offers standard SHA2 digests. >=20 > If the community is interested I=E2=80=99m happy to submit a more formal = RFC > on this. But, as I=E2=80=99m relatively new to the mailing list, I figure= d it > was best to start with just a dialog! I have been working to update .apk and index formats to binary. I was hoping to do the hash algorithm change there. While I do have the design ready, and some code too, it's taking a bit more than expected. I am willing to accept backwards compatible patches at this point even for the current formats. The signatures could be pretty easily updated. Just add a new prefix type to identify the signatures as rsa-sha256 or similar. However, sign only the control.tar.gz part of apk. That in turn contains hash for the control.tar.gz part containing the package metadata. Changing this 'identity hash' from sha1 to sha256 would be more intrusive. Same applies to the individual file checksums kept in the file database for audit purposes. However, control.tar.gz does have stronger hash (sha256) for data.tar.gz which contains the actual file data content. Timo --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---