From: Ferris Ellis
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.
Date: Wed, 7 Mar 2018 18:28:49 -0500
Message-Id: <257B6969-21FD-4D51-A8EC-95CB95CEF365@ferrisellis.com>

Dear alpine-devel mailing list,

I was looking into using a crypto-service to do Alpine package build signatures (as opposed to using a key on disk) and in doing so stumbled across the fact that Alpine package signatures currently use SHA1 digests. After a quick search on https://lists.alpinelinux.org I didn’t see any prior discussions related to this fact and thus am posting this to the mailing list.

I wanted to start a dialog about the possibility of moving to using SHA2 digests (I would presume SHA256 would be the preferred option) for signatures as SHA1 is deemed insecure by many and is being phased out for most usage of PKI. This includes my use case, where the crypto-service I have deliberately no longer offers signatures with SHA1 digests and instead offers standard SHA2 digests.

If the community is interested I’m happy to submit a more formal RFC on this. But, as I’m relatively new to the mailing list, I figured it was best to start with just a dialog!

Cheers,
Ferris