Bug 11660

Summary: Mirror list is signed with SHA1
Product: Pakfire
Component: Base
Status: CLOSED FIXED
Severity: Security
Priority: - Unknown -
Version: unspecified
Hardware: all
OS: All
Reporter: Peter Müller <peter.mueller>
Assignee: Michael Tremer <michael.tremer>
QA Contact: Peter Müller <peter.mueller>
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11345
          https://bugzilla.ipfire.org/show_bug.cgi?id=11539

Description Peter Müller 2018-03-03 21:33:57 UTC
The mirror list (https://mirror1.ipfire.org/pakfire2/2.19/lists/server-list.db) is signed with SHA1, which is a security risk. We should move to SHA256 here.

As far as I am concerned, GnuPG 1.4.x can handle SHA2 signatures, so that should not crash anything.
Comment 1 Michael Tremer 2018-03-06 12:59:24 UTC
I changed the digest algorithm from SHA1 to SHA512 since all systems should support this anyway.

We will soon re-sign all packages. Lists are already updated and new packages will be signed with the new algorithm.

We do NOT encrypt packages. We only sign them. Compression is now removed, too, since this is implemented in the packages now and was quite slow.
Comment 2 Peter Müller 2018-03-17 12:39:34 UTC
Fixed. Thanks very much. :-)
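The thread above turns on one detail of an OpenPGP signature: the hash algorithm identifier carried in the signature packet (2 = SHA1, 10 = SHA512 per RFC 4880). The following is an added example, not pakfire's or IPFire's code, that walks the packet framing of a binary or ASCII-armored signature and reports that identifier for every signature packet, so a mirror list or package signature still made with SHA1 can be flagged after the switch described in Comment 1. The signature packets it checks are constructed dummies (the MPI is not a real RSA signature); the "acceptable digests" policy is an assumption of the example.

```python
"""Audit the digest algorithm of OpenPGP signature packets (RFC 4880 framing).

Added example for the bug above, not pakfire's or IPFire's code. The sample
signatures at the bottom are constructed for the demonstration; the MPI they
carry is a dummy, not a real signature.
"""
import base64

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
# Policy assumed for this example: only SHA-2 family digests are acceptable.
ACCEPTABLE = {"SHA224", "SHA256", "SHA384", "SHA512"}
SIGNATURE_TAG = 2


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes; accepts binary input or an ASCII-armored block."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines():
        if line.startswith("-----END PGP"):
            break
        if in_body:
            if line.startswith("="):      # optional CRC24 line, not part of the data
                continue
            body.append(line.strip())
        elif line.strip() == "":          # blank line separates armor headers from data
            in_body = True
    return base64.b64decode("".join(body))


def iter_packets(buf: bytes):
    """Yield (tag, body) for each OpenPGP packet in buf (RFC 4880 section 4.2)."""
    off = 0
    while off < len(buf):
        first = buf[off]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % off)
        if first & 0x40:                                  # new-format header
            tag = first & 0x3F
            l0 = buf[off + 1]
            if l0 < 192:
                length, hdr = l0, 2
            elif l0 < 224:
                length, hdr = ((l0 - 192) << 8) + buf[off + 2] + 192, 3
            elif l0 == 255:
                length, hdr = int.from_bytes(buf[off + 2:off + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                              # old-format header
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packets are not supported")
            hdr = 1 + (1 << ltype)                         # 1-, 2- or 4-byte length
            length = int.from_bytes(buf[off + 1:off + hdr], "big")
        body = buf[off + hdr:off + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        off += hdr + length


def signature_hash_algo(body: bytes) -> int:
    """Return the hash algorithm id of a signature packet body (v3 or v4+)."""
    version = body[0]
    if version == 3:
        # v3: version, hashed length (5), sig type, 4-byte time, 8-byte key id,
        # public-key algo, hash algo  ->  hash algo sits at offset 16
        return body[16]
    if version >= 4:
        # v4 (and later versions): version, sig type, public-key algo, hash algo
        return body[3]
    raise ValueError("unsupported signature version %d" % version)


def audit(data: bytes) -> list:
    """Return [(algorithm name, acceptable?)] for every signature packet found."""
    results = []
    for tag, body in iter_packets(dearmor(data)):
        if tag != SIGNATURE_TAG:
            continue
        name = HASH_ALGOS.get(signature_hash_algo(body), "unknown")
        results.append((name, name in ACCEPTABLE))
    return results


def _fake_v4_signature(hash_id: int, new_format: bool) -> bytes:
    """Constructed minimal v4 RSA signature packet; the MPI is a dummy, not a real signature."""
    body = (bytes([4, 0x00, 1, hash_id])      # version, sig type (binary doc), RSA, hash
            + b"\x00\x00" + b"\x00\x00"       # empty hashed / unhashed subpacket areas
            + b"\xab\xcd"                     # left 16 bits of the hash
            + b"\x00\x08\x01")                # one-byte dummy MPI
    if new_format:
        return bytes([0xC0 | SIGNATURE_TAG, len(body)]) + body
    return bytes([0x80 | (SIGNATURE_TAG << 2), len(body)]) + body


SAMPLE_SHA1_SIG = _fake_v4_signature(2, new_format=False)     # constructed
SAMPLE_SHA512_SIG = _fake_v4_signature(10, new_format=True)   # constructed
SAMPLE_ARMORED = (b"-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n"
                  + base64.b64encode(SAMPLE_SHA512_SIG) + b"\n=AAAA\n"
                  + b"-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for label, sig in (("sha1", SAMPLE_SHA1_SIG), ("sha512", SAMPLE_SHA512_SIG),
                       ("armored", SAMPLE_ARMORED)):
        for name, ok in audit(sig):
            print("%-8s digest=%-8s %s" % (label, name, "ok" if ok else "WEAK"))
```

On a real detached signature (for example one fetched next to the mirror list), `audit(open("server-list.db.sig", "rb").read())` returns the same tuples; `gpg --list-packets` on the same file prints the identifier as `digest algo 2` or `digest algo 10`, which is a quick way to cross-check the result by hand.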