Skip to content

GPG signatures are using SHA-1 digests #44714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
glandium opened this issue Sep 20, 2017 · 1 comment
Closed

GPG signatures are using SHA-1 digests #44714

glandium opened this issue Sep 20, 2017 · 1 comment
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue.

Comments

@glandium
Copy link
Contributor 

$ curl -sL https://static.rust-lang.org/dist/rustc-nightly-src.tar.gz.asc | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5CB4A9347B3B09DC
	version 4, created 1505866125, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 3e 44
	hashed subpkt 2 len 4 (sig created 2017-09-20)
	subpkt 16 len 8 (issuer key ID 5CB4A9347B3B09DC)
	data: [4096 bits]

The relevant information there is "digest algo".
1 is MD5, 2 is SHA1, 8 is SHA256, 10 is SHA512. (see RFC 4880, 9.4 for all values)

Passing e.g. --personal-digest-preferences SHA256 to gpg would create a signature with digest algo 8. (or adding personal-digest-preferences SHA256 to the gpg config)
@est31 est31 mentioned this issue Sep 20, 2017
Merged
@Mark-Simulacrum Mark-Simulacrum added C-enhancement Category: An issue proposing an enhancement or a PR with one. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue. labels Sep 20, 2017
bors added a commit that referenced this issue Sep 22, 2017
@bors
Auto merge of #44720 - est31:master, r=alexcrichton
01b1d15 
Use SHA512 for signatures

Fixes #44714 . Untested but I hope it works... r? @alexcrichton
@est31
Copy link
Member

est31 commented Sep 24, 2017

Just verified it, its fixed now:

$ curl -sL https://static.rust-lang.org/dist/rustc-nightly-src.tar.gz.asc | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5CB4A9347B3B09DC
        version 4, created 1506211716, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 1d dd
        hashed subpkt 2 len 4 (sig created 2017-09-24)
        subpkt 16 len 8 (issuer key ID 5CB4A9347B3B09DC)
        data: [4096 bits]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@glandium @Mark-Simulacrum @est31