Bug 11660 - Mirror list is signed with SHA1
Summary: Mirror list is signed with SHA1
Status: CLOSED FIXED
Alias: None
Product: Pakfire
Classification: Unclassified
Component: Base (show other bugs)
Version: unspecified
Hardware: all All
: - Unknown - Security
Assignee: Michael Tremer
QA Contact: Peter Müller
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-03 21:33 UTC by Peter Müller
Modified: 2018-03-17 12:39 UTC (History)
0 users

See Also:


Description Peter Müller 2018-03-03 21:33:57 UTC
The mirror list (https://mirror1.ipfire.org/pakfire2/2.19/lists/server-list.db) is signed with SHA1, which is a security risk. We should move to SHA256 here.

As far as I am concerned, GnuPG 1.4.x can handle SHA-2 signatures, so that should not crash anything.
Comment 1 Michael Tremer 2018-03-06 12:59:24 UTC
I changed the digest algorithm from SHA1 to SHA512 since all systems should support this anyway.

We will soon re-sign all packages. Lists are already updated and new packages will be signed with the new algorithm.

We do NOT encrypt packages. We only sign them. Compression is now removed, too, since this is implemented in the packages now and was quite slow.
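The change above replaces the digest used when signing the mirror list. A downloader can confirm this from the signature itself: the hash algorithm is a plain byte in the OpenPGP signature packet (RFC 4880), so the check does not need the signing key. The following is an added example, not code from this bug report or from Pakfire; the sample packets are constructed (they carry the right header fields but no valid signature material), and the `ACCEPTED_DIGESTS` policy set is an assumption for illustration.

```python
"""Read the digest algorithm out of a binary OpenPGP signature packet (RFC 4880)."""

# RFC 4880 section 9.4: hash algorithm identifiers.
HASH_ALGORITHMS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
    9: "SHA384", 10: "SHA512", 11: "SHA224",
}

# Policy assumption for this example: digests a client should still accept
# on list/package signatures after the SHA1 -> SHA512 change.
ACCEPTED_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def read_packet_header(data, offset=0):
    """Parse one OpenPGP packet header; return (tag, body_offset, body_length)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        b1 = data[offset + 1]
        if b1 < 192:
            return tag, offset + 2, b1
        if b1 < 224:
            return tag, offset + 3, ((b1 - 192) << 8) + data[offset + 2] + 192
        if b1 == 255:
            return tag, offset + 6, int.from_bytes(data[offset + 2:offset + 6], "big")
        raise ValueError("partial body lengths are not supported here")
    # old-format header (RFC 4880 4.2.1): tag in bits 5..2, length type in bits 1..0
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported here")
    nbytes = 1 << ltype  # 1, 2 or 4 length octets
    length = int.from_bytes(data[offset + 1:offset + 1 + nbytes], "big")
    return tag, offset + 1 + nbytes, length


def signature_digest(data):
    """Return the digest algorithm name of the first signature packet (tag 2)."""
    tag, body, length = read_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    sig = data[body:body + length]
    version = sig[0]
    if version == 4:
        # v4 layout: version, signature type, public-key algorithm, hash algorithm, ...
        hash_id = sig[3]
    elif version == 3:
        # v3 layout: version, 0x05, sig type, time(4), key id(8), pk algo, hash algo
        hash_id = sig[16]
    else:
        raise ValueError(f"unsupported signature packet version {version}")
    return HASH_ALGORITHMS.get(hash_id, f"unknown({hash_id})")


def signature_is_acceptable(data):
    """True if the signature was made with a digest in ACCEPTED_DIGESTS."""
    return signature_digest(data) in ACCEPTED_DIGESTS


# Constructed sample packets (NOT real signatures): old-format header 0x88 = tag 2,
# one-octet length; body = v4, sig type 0x00, RSA, <hash id>, empty subpacket
# areas, two "left 16 bits" octets, and a one-octet dummy MPI.
SIG_SHA1 = bytes.fromhex("880d 0400 0102 0000 0000 abcd 0008 ff")
SIG_SHA512 = bytes.fromhex("880d 0400 010a 0000 0000 abcd 0008 ff")
# Same body with a new-format header (0xC2 = tag 2) and SHA256.
SIG_SHA256_NEWFMT = bytes.fromhex("c20d 0400 0108 0000 0000 abcd 0008 ff")

if __name__ == "__main__":
    for name, pkt in (("sha1", SIG_SHA1), ("sha512", SIG_SHA512), ("sha256", SIG_SHA256_NEWFMT)):
        print(name, signature_digest(pkt), "accepted" if signature_is_acceptable(pkt) else "rejected")
```

The same field is what `gpg --list-packets` prints as `digest algo N` for a signature packet; an ASCII-armored `.asc` file has to be dearmored (for example with `gpg --dearmor`) before the bytes are fed to `signature_digest`. Rejecting a signature on digest policy alone is a pre-check: the cryptographic verification against the trusted key still has to follow.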
Comment 2 Peter Müller 2018-03-17 12:39:34 UTC
Fixed. Thanks very much. :-)