Bug 11660

Summary:	Mirror list is signed with SHA1
Product:	Pakfire	Reporter:	Peter Müller <peter.mueller>
Component:	Base	Assignee:	Michael Tremer <michael.tremer>
Status:	CLOSED FIXED	QA Contact:	Peter Müller <peter.mueller>
Severity:	Security
Priority:	- Unknown -
Version:	unspecified
Hardware:	all
OS:	All
See Also:	https://bugzilla.ipfire.org/show_bug.cgi?id=11345 https://bugzilla.ipfire.org/show_bug.cgi?id=11539

Description Peter Müller 2018-03-03 21:33:57 UTC

The mirror list (https://mirror1.ipfire.org/pakfire2/2.19/lists/server-list.db) is signed with SHA1, which is a security risk. We should move to SHA256 here.

As far as I am concerned, GnuPG 1.4.x can handle SHA2-signatures, so that should not crash anything.

Comment 1 Michael Tremer 2018-03-06 12:59:24 UTC

I changed the digest algorithm from SHA1 to SHA512 since all systems should
support this anyway.

We will soon re-sign all packages. Lists are already updated and new packages
will be signed with the new algorithm.

We do NOT encrypt packages. We only sign them. Compression is now removed, too
since this is implemented in the packages now and was quite slow.

Comment 2 Peter Müller 2018-03-17 12:39:34 UTC

Fixed. Thanks very much. :-)