On 3/8/22 15:23, Neal Gompa wrote: > On Tue, Mar 8, 2022 at 3:11 PM Simo Sorce <simo@xxxxxxxxxx> wrote: >> >> On Tue, 2022-03-08 at 20:51 +0100, Zbigniew Jędrzejewski-Szmek wrote: >>> On Tue, Mar 08, 2022 at 07:40:15PM +0100, Alexander Sosedkin wrote: >>>> the only realistic way to weed out its reliance on SHA-1 signatures >>>> from all of its numerous dark corners is to break them. >>>> Make creation and verification fail in default configuration. >>> >>> That sounds like a terrible plan. We should make newer hashes >>> the default, and we can make tools print a warning if sha1 is used >>> where it shouldn't, but please don't break things on purpose. >>> >>> For many many things sha1 is just fine. Just like md5 or even >>> crc32. Not everything is about cryptographic security. >> >> I would like to make it clear that this is just for *Cryptographic >> Signatures*, this is not a plan to block SHA-1 for all uses. >> >> And for Cryptographic Signatures everything is about cryptography and >> SHA-1 is not safe anymore. >> >> And to be extra clear this means: Certificates, TLS session setup, >> DNSSEC (although a lot of signatures are still SHA-1 based there ...), >> VPNs session establishment, PGP, etc... >> >>> Also, users will want to verify old signatures essentially forever. >> >> This is only reasonable for stuff like emails, where you may have a >> reasonable expectation that the archived messages have not been >> tampered with after the fact. Allowing verification of signatures with >> SHA-1 for any "online" communication would be pointless. >> >>> This should be always possible. And finally, the world is huge, >>> and other users will provide sha1 signatures no matter what we do, >>> and it is better to check those than to completely ignore them. >> >> We need to move the needle at some point. We will be able to set LEGACY >> crypto policies to allow SHA-1 verification, but we need to be First >> and Secure here as well. >> > > Did we check to make sure such a change won't break Fedora's *own* GPG > keys and the GPG keys of preferred third party repositories? It was a > very unpleasant surprise to have all of CentOS' *second-party* keys > break with that change. Fedora’s RPM package signatures are safe, and have been since at least Fedora 25 if not earlier. I can confirm that every single package in the Fedora 25 and Fedora 32 archives are signed with SHA-256 or later, and presumably the same holds for all releases since Fedora 25. Qubes OS’s rpmcanon tool can be used to check if a package is signed with SHA-1: it will return an `InsecureAlgorithm` error for such packages unless the `--allow-weak-hashes` flag is passed. It does so by parsing the signatures itself before passing them to RPM. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
