Subject: Re: [alpine-devel] Upgrading package signatures from SHA1 to SHA2 digest.
From: "A. Wilcox"
Organization: Adélie Linux
To: alpine-devel@lists.alpinelinux.org
Date: Wed, 7 Mar 2018 18:07:59 -0600
Message-ID: <5417b964-e4d0-13c5-5f55-4c9c7eed1588@adelielinux.org>
In-Reply-To: <257B6969-21FD-4D51-A8EC-95CB95CEF365@ferrisellis.com>

On 03/07/18 17:28, Ferris Ellis wrote:
> Dear alpine-devel mailing list,
>
> I was looking into using a crypto-service to do Alpine package build
> signatures (as opposed to using a key on disk) and in doing so
> stumbled across the fact that Alpine package signatures currently use
> SHA1 digests. After a quick search on https://lists.alpinelinux.org I
> didn't see any prior discussions related to this fact and thus am
> posting this to the mailing list.
>
> I wanted to start a dialog about the possibility of moving to using
> SHA2 digests (I would presume SHA256 would be the preferred option)
> for signatures as SHA1 is deemed insecure by many and is being phased
> out for most usage of PKI. This includes my use case, where the
> crypto-service I have deliberately no longer offers signatures with
> SHA1 digests and instead offers standard SHA2 digests.
>
> If the community is interested I'm happy to submit a more formal RFC
> on this. But, as I'm relatively new to the mailing list, I figured it
> was best to start with just a dialog!
>
> Cheers, Ferris

I proposed this in 2015:

https://code.foxkit.us/adelie/packages/raw/ebuild/sys-apps/apk-tools/files/apk-tools-2.6.6-use-sha256-signature.patch

We used this in very early builds of Adélie, and in fact, alpha1 was
shipped with all packages signed using SHA-256.

It wasn't accepted into upstream apk-tools because there was no
compatibility with SHA-1 packages. I had considered making a
backwards-compatible one (possibly using SH2 instead of RSA as the file
name), but life got in the way.

I'd be more than willing to work on this more if it is something the
community desires.

Best to you and yours,
--arw

-- 
A. Wilcox (awilfox)
Project Lead, Adélie Linux
http://adelielinux.org
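The backwards-compatible scheme the reply sketches, as an added example rather than apk-tools or Adélie code: a verifier that picks the digest from the signature file name keeps accepting existing SHA-1 signatures while also accepting SHA-256 ones. It assumes apk's `.SIGN.RSA.<key>` naming for today's SHA-1 signatures, uses `.SIGN.SH2.<key>` purely as a stand-in for the naming floated above, signs a constructed stand-in for the control segment, and needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not apk-tools code. ".SIGN.RSA.<key>" is apk's existing
# SHA-1 signature file name; ".SIGN.SH2.<key>" is an assumed name for the
# proposed SHA-256 signatures. Both sign the same control segment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway signing key pair, generated for this demo only.
openssl genrsa -out "$WORK/demo.rsa" 2048 2>/dev/null
openssl rsa -in "$WORK/demo.rsa" -pubout -out "$WORK/demo.rsa.pub" 2>/dev/null

# Constructed stand-in for the control segment an .apk signature covers.
printf 'P:demo\nV:1.0-r0\nA:x86_64\n' > "$WORK/control"

# digest_for_sigfile NAME: print the digest the signature file name implies.
digest_for_sigfile() {
    case "$1" in
        .SIGN.RSA.*) echo sha1 ;;    # existing SHA-1 signatures
        .SIGN.SH2.*) echo sha256 ;;  # proposed SHA-256 signatures (assumed name)
        *)           return 1 ;;     # unknown scheme: refuse rather than guess
    esac
}

# sign DIGEST SIGFILE: RSA-sign the control segment hashed with DIGEST.
sign() {
    openssl dgst "-$1" -sign "$WORK/demo.rsa" -out "$WORK/$2" "$WORK/control"
}

# verify DIGEST SIGFILE: succeed only if SIGFILE verifies under DIGEST.
verify() {
    openssl dgst "-$1" -verify "$WORK/demo.rsa.pub" -signature "$WORK/$2" \
        "$WORK/control" >/dev/null 2>&1
}

# verify_by_name SIGFILE: the compatible verifier, dispatching on the name.
verify_by_name() {
    d=$(digest_for_sigfile "$1") || return 1
    verify "$d" "$1"
}

sign sha1   .SIGN.RSA.demo.rsa.pub
sign sha256 .SIGN.SH2.demo.rsa.pub

# A verifier hard-wired to SHA-1 rejects the SHA-256 signature...
if verify sha1 .SIGN.SH2.demo.rsa.pub; then echo unexpected; else echo "sha1-only verifier rejects SH2 signature"; fi
# ...while one that dispatches on the file name accepts both.
for f in .SIGN.RSA.demo.rsa.pub .SIGN.SH2.demo.rsa.pub; do
    verify_by_name "$f" && echo "$f: Verified OK"
done
```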