PPA (In)Release files use SHA1 digests for GPG signature
Bug #1556666 reported by Julian Andres Klode
This bug affects 38 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Colin Watson |
Bug Description
We are currently removing support for SHA1 in APT, which I think is reasonable with xenial being supported until 2021. In the process, I noticed that the InRelease files generated by Launchpad use SHA1 digests for the GPG signature. Please change that to SHA512 or SHA256 soon.
We might not start considering SHA1 as weak for the purpose of the GPG signatures yet, because that might break the whole world (various 3rd parties seem affected), but if we don't now, we might start doing that in a stable release update.
Related branches
lp:~cjwatson/launchpad/digest-algo-sha512
- William Grant (community): Approve (code)
- Diff: 158 lines (+48/-23), 2 files modified:
  - lib/lp/services/gpg/handler.py (+9/-7)
  - lib/lp/services/gpg/tests/test_gpghandler.py (+39/-16)
Changed in launchpad:
- assignee: nobody → Colin Watson (cjwatson)
- importance: Undecided → High
- status: New → In Progress
- tags: added: qa-ok; removed: qa-needstesting
- affects: launchpad → ubuntu
If possible, I strongly recommend using SHA-384, although I'm not sure if there are any potential compatibility challenges in doing so.
Like SHA-512, SHA-384 uses the same 512-bit internal state size, but because SHA-384 only exposes 384 bits of this internal state in the digest, it's immune to length extension attacks:
https://en.wikipedia.org/wiki/Length_extension_attack
From page 87 of *Cryptography Engineering* by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno:
"""
There is another fix to some of these weaknesses with the SHA-2 family of iterative hash functions: Truncate the output. If a hash function produces n-bit outputs, only use the first n - s bit as the hash value for some positive s. In fact, SHA-224 and SHA-384 both already do this; SHA-224 is roughly SHA-256 with 32 output bits dropped, and SHA-384 is roughly SHA-512 with 128 output bits dropped.
"""
They ultimately recommend using SHA-512 truncated to 256 bits (if you're going to use a SHA-2 hash), but that's not feasible in this case as GPG doesn't support truncated SHA-512.
In terms of standard SHA-2 family hash functions supported by GPG, SHA-384 is the best option in my opinion.
Note that I don't recommend SHA-224 as its 256-bit internal state size is too small by modern standards. SHA-384/SHA-512 are also considerably faster than SHA-224/SHA-256 when it comes to 64-bit software implementations.
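A quick way to verify what this bug describes on any InRelease file you serve or consume, as an added example that is not from the Launchpad project or from anyone in this bug: a small Python script that reads the ASCII-armored signature of a clearsigned InRelease file and reports the digest algorithm recorded in its OpenPGP signature packet, flagging SHA1 (and MD5/RIPEMD160) as weak. The sample InRelease texts it builds are constructed, with a correctly laid out but cryptographically meaningless signature packet and a placeholder CRC line; `check_inrelease`, `signature_digest_algo` and the other function names are assumptions of this example, not Launchpad or APT code.

```python
import base64
import re

# OpenPGP hash algorithm ids (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Digests that a repository signature should no longer depend on.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def armored_signature_bytes(text):
    """Extract and base64-decode the ASCII-armored signature block of a
    clearsigned (InRelease-style) document."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  text, re.S)
    if not m:
        raise ValueError("no armored PGP signature block found")
    lines = []
    for line in m.group(1).splitlines():
        line = line.strip()
        # Skip armor headers ("Version: ..."), blank lines and the "=XXXX"
        # CRC-24 trailer; what remains is the base64 packet data.
        if not line or ":" in line or line.startswith("="):
            continue
        lines.append(line)
    return base64.b64decode("".join(lines))


def packet_header(data):
    """Return (tag, offset of packet body) for the first OpenPGP packet,
    handling both old- and new-format headers (RFC 4880, section 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header
        tag = first & 0x3F
        length_octet = data[1]
        if length_octet < 192:
            return tag, 2
        if length_octet < 224:
            return tag, 3
        if length_octet == 255:
            return tag, 6
        raise ValueError("partial body lengths are not supported here")
    tag = (first >> 2) & 0x0F             # old-format header
    length_type = first & 0x03
    return tag, 1 + {0: 1, 1: 2, 2: 4, 3: 0}[length_type]


def signature_digest_algo(clearsigned_text):
    """Name of the hash algorithm recorded in the signature packet."""
    data = armored_signature_bytes(clearsigned_text)
    tag, off = packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    version = data[off]
    if version >= 4:
        # v4+: version, signature type, public-key algorithm, hash algorithm
        algo_id = data[off + 3]
    elif version == 3:
        # v3: version, hashed-material length, sig type, creation time (4),
        # key id (8), public-key algorithm, hash algorithm
        algo_id = data[off + 16]
    else:
        raise ValueError(f"unsupported signature packet version {version}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")


def check_inrelease(clearsigned_text):
    """Return (digest_name, acceptable) for a clearsigned InRelease file."""
    digest = signature_digest_algo(clearsigned_text)
    return digest, digest not in WEAK_DIGESTS


def constructed_inrelease(hash_algo_id):
    """CONSTRUCTED sample: a clearsigned InRelease-shaped text whose signature
    packet carries the given hash algorithm id. The packet has the right
    layout but a dummy hash prefix and MPI, so it is not a valid signature,
    and the "=AAAA" CRC line is a placeholder."""
    body = bytes([4, 0x01, 1, hash_algo_id,   # v4, canonical text, RSA, hash algo
                  0, 0, 0, 0,                 # no hashed / unhashed subpackets
                  0xAB, 0xCD,                 # dummy left 16 bits of the hash
                  0x00, 0x08, 0xFF])          # dummy 8-bit MPI
    packet = bytes([0x89, 0x00, len(body)]) + body   # old-format tag 2, 2-byte length
    armored = base64.b64encode(packet).decode()
    name = HASH_ALGOS[hash_algo_id]
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n"
            f"Hash: {name}\n\n"
            "Origin: Ubuntu\nLabel: Ubuntu\nSuite: xenial\n"
            "-----BEGIN PGP SIGNATURE-----\n"
            "Version: GnuPG v1\n\n"
            f"{armored}\n=AAAA\n"
            "-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for algo_id in (2, 10):
        digest, ok = check_inrelease(constructed_inrelease(algo_id))
        print(f"signature digest: {digest:8s} acceptable: {ok}")
```

On a real file, `gpg --list-packets InRelease` reports the same field as `digest algo N` on the signature packet line; the script above only avoids needing gpg on the checking host and makes the test scriptable across many mirrors or PPAs. Note that it inspects the first packet only, which is the signature packet for a clearsigned file; it does not verify the signature itself.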