Bug 15119 - Use a stronger cryptographic hash function to sign the ISO
Summary: Use a stronger cryptographic hash function to sign the ISO
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Release (media or process)
Version: Cauldron
Hardware: All Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: Anne Nicolas
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-23 07:40 CET by Olivier Delaune
Modified: 2016-12-11 19:34 CET

See Also:
Source RPM:
CVE:
Status comment:



Description Olivier Delaune 2015-01-23 07:40:32 CET
Hello,
the ISO images are for now signed by MD5 and SHA-1 hash functions. Could these hash functions be replaced by a stronger hash function such as SHA-256? Indeed, it is known that the MD5 hash function is really weak (https://en.wikipedia.org/wiki/MD5#Security) and SHA-1 starts to be replaced by a stronger hash function such as SHA-256 for example which will probably replace the signature of the website SSL certificates.

Ubuntu uses for now SHA-256.

I open this bug report to start the discussion. I am not really an expert about the cryptographic question but maybe you are :D

David Walser 2015-01-23 12:47:44 CET

CC: (none) => sysadmin-bugs, tmb
Component: Security => Release (media or process)
Assignee: bugsquad => ennael1
QA Contact: security => (none)

Comment 1 Anne Nicolas 2016-12-11 19:34:06 CET
Using sha512 now

Status: NEW => RESOLVED
Resolution: (none) => FIXED

