SHA256SUMS signed with SHA1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CD Images | Fix Released | High | Colin Watson |
Bug Description
The signature on, e.g. http://
Please migrate the signing procedure to use SHA256, at least for SHA256SUMS.
http://
% curl http://
Please enter name of data file: /dev/null
...
gpg: binary signature, digest algorithm SHA1
(Also, why are there "MD5SUMS-metalink", but no secure sums for the metalink files? Not as much of a security issue as the resultant files from the metalink downloads should be verified anyway.)
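The `gpg --verify` check in the description reads the digest algorithm out of the signature packet itself. The script below is an added illustration, not part of the bug report or of Ubuntu's signing tooling: it does the same check offline by parsing the OpenPGP signature packet layout from RFC 4880 and flags MD5 or SHA1 digests, so it can be pointed at a downloaded `SHA256SUMS.gpg` without contacting a keyserver. It handles binary and ASCII-armored detached signatures, old- and new-format packet headers, and v3 and v4 signature packets. `build_v4_signature` and `ARMORED_SHA256_RSA` are constructed stand-ins with dummy MPIs (they are not valid signatures, only enough structure to exercise the parser), and the function names are this example's own.

```python
import base64
import struct
import sys

# Algorithm identifiers from RFC 4880 sections 9.1 and 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_HASHES = {1, 2}          # MD5 and SHA1 are the digests this check rejects
SIGNATURE_TAG = 2


def parse_packet_header(data, pos=0):
    """Return (tag, body_start, body_len) for the OpenPGP packet at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag = first & 0x3F
        o1 = data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 <= 223:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag = (first >> 2) & 0x0F                          # old-format header
    ltype = first & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    return tag, pos + 1, len(data) - pos - 1           # indeterminate length


def dearmor(data):
    """Strip ASCII armor if present; binary .gpg input is returned unchanged."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines():
        if in_body:
            if line.startswith("=") or line.startswith("-----END"):
                break                                  # CRC24 line or end marker
            body.append(line)
        elif line.strip() == "":
            in_body = True                             # blank line ends armor headers
    return base64.b64decode("".join(body))


def signature_algorithms(sig):
    """Return [(version, pubkey_algo, hash_algo)] for every signature packet."""
    out, pos = [], 0
    while pos < len(sig):
        tag, start, length = parse_packet_header(sig, pos)
        body = sig[start:start + length]
        if tag == SIGNATURE_TAG:
            version = body[0]
            if version == 3:      # v3: version, 0x05, type, time(4), keyid(8), pk, hash
                out.append((3, body[15], body[16]))
            elif version == 4:    # v4: version, type, pk, hash, subpackets...
                out.append((4, body[2], body[3]))
            else:
                raise ValueError(f"unsupported signature version {version}")
        pos = start + length
    return out


def audit_signature(data):
    """Describe each signature packet and mark MD5/SHA1 digests as weak."""
    return [{"version": v,
             "pubkey": PUBKEY_ALGOS.get(pk, f"unknown({pk})"),
             "digest": HASH_ALGOS.get(h, f"unknown({h})"),
             "weak": h in WEAK_HASHES}
            for v, pk, h in signature_algorithms(dearmor(data))]


def has_weak_digest(data):
    return any(entry["weak"] for entry in audit_signature(data))


def build_v4_signature(pubkey_algo, hash_algo, new_format=True):
    """Constructed v4 binary-document signature packet with a dummy MPI (not valid)."""
    body = bytes([4, 0x00, pubkey_algo, hash_algo])   # version, sig type, algos
    body += b"\x00\x00" + b"\x00\x00"                  # empty hashed/unhashed subpackets
    body += b"\xab\xcd" + b"\x00\x01\x01"              # hash prefix and a 1-bit MPI
    header = bytes([0xC0 | SIGNATURE_TAG, len(body)]) if new_format \
        else bytes([0x80 | (SIGNATURE_TAG << 2), len(body)])
    return header + body


# Constructed armored sample: RSA key, SHA256 digest.
ARMORED_SHA256_RSA = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
                      + base64.b64encode(build_v4_signature(1, 8))
                      + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    # Usage: python check_sig_digest.py SHA256SUMS.gpg  (exit 1 on MD5/SHA1)
    with open(sys.argv[1], "rb") as f:
        report = audit_signature(f.read())
    for entry in report:
        print(entry)
    sys.exit(1 if any(e["weak"] for e in report) else 0)
```

The parser only needs the first few bytes of each signature packet, so it does not verify anything; it answers the narrower question the report raises, namely which digest the signer used, and a non-zero exit lets a download script refuse a SHA1-signed checksum file before trusting it.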
This will require migrating to a new non-DSA signing key (and signing with both old and new keys for a while). We should probably do that anyway, but the new key will need to be signed by the Ubuntu master signing key, which will take some organisation to arrange.
Regarding MD5SUMS-metalink, I think it would be helpful if you could file a separate bug for that, as that's related to code in Wubi.