GitLab: alpine / apk-tools, issue #10670

Opened Jan 21, 2020 by Reid Rankin (@reidrankin)
Package signatures should not use SHA-1

While investigating the APK format, I've realized that the signatures on packages are still done using SHA-1. This is odd, because the signature is over control.tar.gz -- which is bound to data.tar.gz using a SHA-256 hash. In any case, now that relatively inexpensive SHA-1 preimage attacks are publicly known, we should move to eliminate the use of SHA-1 quickly.

While apk-tools/src/package.c seems to indicate some support for checking "RSA256" signatures, abuild will never make them, and I'm suspicious of apk_sign_ctx_init's seemingly exclusive use of SHA-1. And while we're at it, the APK-TOOLS.checksum.SHA1 tar attribute should probably be replaced (or augmented) with a SHA256 version. (Pretty sure this is just a change at abuild/abuild-tar:383)
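The layout the report describes (a signed control section that in turn binds the data section by SHA-256) can be checked by a package consumer independently of apk-tools. The following is an added example, not code from the issue or from apk-tools/abuild: it builds a toy package, splits the concatenated gzip streams, verifies the SHA-256 binding of the data section, and flags a signature member that relies on SHA-1 so a repository policy can reject it. Assumptions, labelled in the code: an `.apk` is three concatenated gzip streams (signature, control, data), `.PKGINFO` carries `datahash = <sha256 hex of data.tar.gz>`, and signature members are named `.SIGN.RSA.<key>` (SHA-1) or `.SIGN.RSA256.<key>` (SHA-256). The signature bytes themselves are a constructed placeholder; no RSA verification is performed here.

```python
"""Added example (not apk-tools' own code): check the SHA-256 binding between
the control and data sections of an apk-style package and flag SHA-1 signatures.

Assumed (not taken from the issue): an .apk is three concatenated gzip streams
(signature, control, data); .PKGINFO in the control stream holds
`datahash = <sha256 hex of data.tar.gz>`; the signature member is named
.SIGN.RSA.<key> for SHA-1 or .SIGN.RSA256.<key> for SHA-256.
"""
import hashlib
import io
import tarfile
import zlib


def _tar_gz(members: dict) -> bytes:
    """Build a single gzip-compressed tar stream from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_apk(sig_member: str, tamper_data: bool = False) -> bytes:
    """Construct a toy package (constructed sample input, signature is a placeholder)."""
    data_tgz = _tar_gz({"usr/bin/hello": b"#!/bin/sh\necho hello\n"})
    datahash = hashlib.sha256(data_tgz).hexdigest()
    pkginfo = f"pkgname = hello\npkgver = 1.0-r0\ndatahash = {datahash}\n".encode()
    control_tgz = _tar_gz({".PKGINFO": pkginfo})
    sig_tgz = _tar_gz({sig_member: b"<constructed signature placeholder>"})
    if tamper_data:
        # Replace the data section after datahash was computed, as an attacker
        # swapping payloads without touching the signed control section would.
        data_tgz = _tar_gz({"usr/bin/hello": b"#!/bin/sh\necho tampered\n"})
    return sig_tgz + control_tgz + data_tgz


def split_gzip_members(blob: bytes) -> list:
    """Split concatenated gzip streams; return the raw compressed segments."""
    segments = []
    rest = blob
    while rest:
        d = zlib.decompressobj(wbits=31)  # gzip framing, one member at a time
        d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        consumed = len(rest) - len(d.unused_data)
        segments.append(rest[:consumed])
        rest = d.unused_data
    return segments


def read_pkginfo(control_tgz: bytes) -> dict:
    """Parse `key = value` lines from .PKGINFO in the control stream."""
    with tarfile.open(fileobj=io.BytesIO(control_tgz), mode="r:gz") as tar:
        text = tar.extractfile(".PKGINFO").read().decode()
    fields = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_package(blob: bytes) -> dict:
    """Report which digest the signature member implies and whether data is bound."""
    sig_tgz, control_tgz, data_tgz = split_gzip_members(blob)
    with tarfile.open(fileobj=io.BytesIO(sig_tgz), mode="r:gz") as tar:
        sig_name = tar.getnames()[0]
    # Assumed naming convention: .SIGN.RSA256.* uses SHA-256, .SIGN.RSA.* uses SHA-1.
    sig_digest = "sha256" if sig_name.startswith(".SIGN.RSA256.") else "sha1"
    pkginfo = read_pkginfo(control_tgz)
    # The control section binds the data section by the SHA-256 of data.tar.gz.
    data_bound = pkginfo.get("datahash") == hashlib.sha256(data_tgz).hexdigest()
    return {
        "signature_member": sig_name,
        "signature_digest": sig_digest,
        "data_bound": data_bound,
        "weak_digest": sig_digest == "sha1",
    }


if __name__ == "__main__":
    for member in (".SIGN.RSA.example-key", ".SIGN.RSA256.example-key"):
        print(check_package(build_apk(member)))
    print(check_package(build_apk(".SIGN.RSA.example-key", tamper_data=True)))
```

The chain this makes visible is the one the report points at: a data swap is caught by the SHA-256 `datahash`, but the integrity of `datahash` itself rests only on the signature over the control section, so the digest used by that signature is the weakest link and is what a policy check should gate on.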

Milestone: v3.0
Reference: alpine/apk-tools#10670