Bug 15119

Summary: Use a stronger cryptographic hash function to sign the ISO
Product: Mageia Reporter: Olivier Delaune <olivier.delaune>
Component: Release (media or process) Assignee: Anne Nicolas <ennael1>
Status: RESOLVED FIXED QA Contact:
Severity: enhancement    
Priority: Normal CC: sysadmin-bugs, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Olivier Delaune 2015-01-23 07:40:32 CET
Hello,
the ISO images are for now signed by MD5 and SHA-1 hash functions. Could these hash functions be replaced by a stronger hash function such as SHA-256? Indeed, it is known that the MD5 hash function is really weak (https://en.wikipedia.org/wiki/MD5#Security) and SHA-1 starts to be replaced by a stronger hash function such as SHA-256 for example, which will probably replace the signature of the website SSL certificates.

Ubuntu uses for now SHA-256.

I open this bug report to start the discussion. I am not really an expert about the cryptographic question but maybe you are :D

Reproducible: 

Steps to Reproduce:

David Walser 2015-01-23 12:47:44 CET

CC: (none) => sysadmin-bugs, tmb
Component: Security => Release (media or process)
Assignee: bugsquad => ennael1
QA Contact: security => (none)

Comment 1 Anne Nicolas 2016-12-11 19:34:06 CET
Using sha512 now

Status: NEW => RESOLVED
Resolution: (none) => FIXED