openFATE - openSUSE feature tracking > #306519

rpm support for new digest

Feature state

openSUSE-11.2: Rejected

Description

The signed rpm file is the only line of defense we have to protect our packages against tampering while in transit from us to the user/customer.

This line gets thinner because the successful attacks against SHA1 and MD5 continue, and tools that allow easy manipulation have existed for about a year.

The good news is that we use MD5 and SHA1 together and not one of these weak algorithms alone.

It is only a matter of time until somebody is able to create an rpm file that fools MD5 as well as SHA1. If this happens, the rpm files of already released and supported products are vulnerable to manipulation.

rpm version 4.6.0 was released this month and supports alternative algorithms, like SHA256.

We should switch to this version as early as possible to avoid unnecessary costs in the future.

User benefit:

Example:
Cryptanalysts improve their attacks and are able to bypass MD5/SHA1 (hybrid) signatures in 2012. This means we have to adapt rpm, zypp and other tools to support SHA256, bring these new base utilities to the customer and re-release the packages with a new signature.

Additionally, we run into a chicken-and-egg problem: with the vulnerable libzypp/rpm tools on the client system, it is not possible to guarantee the integrity of the new libzypp/rpm packages.

This will cause trouble and will cost valuable time. The risk and cost rise the longer we wait, because more products are likely to be affected. Therefore it would be good to adopt the new rpm version for 11.2.

If it is too late to make this change, it would be wise to deliver the new tools (rpm 4.6.0, what else?) in addition to the tools we need now, to avoid the chicken-and-egg problem.

References

http://rpm.org/wiki/Releases/4.6.0
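
To see which already released packages depend only on the MD5/SHA1 pair described above, the digest tags in each package's signature header can be listed. The following is an added example, not code from this feature request or from rpm: the function names and sample packages are constructed, the tag numbers are those of rpm's rpmtag.h, and the SHA256 header tag (273) comes from an rpm release later than the 4.6.0 discussed here.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96  # fixed-size rpm lead that precedes the signature header
# Signature-header tag numbers as defined in rpm's rpmtag.h.
DIGEST_TAGS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}
WEAK = {"MD5", "SHA1"}

def signature_digests(pkg: bytes) -> set:
    """Return the names of the digest tags in an rpm signature header."""
    if pkg[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm package (bad lead magic)")
    off = LEAD_SIZE
    if pkg[off:off + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # 4 magic bytes, 4 reserved bytes, then entry count and data-store size.
    nindex, _hsize = struct.unpack(">II", pkg[off + 8:off + 16])
    found = set()
    for i in range(nindex):
        entry = pkg[off + 16 + 16 * i:off + 32 + 16 * i]
        if len(entry) < 16:
            raise ValueError("truncated signature header index")
        tag, _type, _offset, _count = struct.unpack(">IIII", entry)
        if tag in DIGEST_TAGS:
            found.add(DIGEST_TAGS[tag])
    return found

def only_weak_digests(pkg: bytes) -> bool:
    """True when every digest the package carries is MD5 or SHA1."""
    digests = signature_digests(pkg)
    return bool(digests) and digests <= WEAK

def build_sample(entries) -> bytes:
    """Constructed test input: a lead plus a signature header, no payload."""
    index, store = b"", b""
    for tag, typ, data, count in entries:
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    counts = struct.pack(">II", len(entries), len(store))
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    return lead + HEADER_MAGIC + bytes(4) + counts + index + store

# Constructed samples: type 7 = binary blob, type 6 = NUL-terminated string.
OLD_STYLE = build_sample([(1004, 7, bytes(16), 16), (269, 6, b"0" * 40 + b"\0", 1)])
NEW_STYLE = build_sample([(269, 6, b"0" * 40 + b"\0", 1), (273, 6, b"0" * 64 + b"\0", 1)])

if __name__ == "__main__":
    for name, pkg in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        print(name, sorted(signature_digests(pkg)), "weak-only:", only_weak_digests(pkg))
```

The check covers only the digest tags; the hash algorithm used inside the OpenPGP signature itself is a separate field that this example does not parse.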

Discussion


M. M. wrote: (8 years ago)

It is already done I think, when signing with RSA keys.

See Fate #4912

Last change: 8 years ago