tarball signature digest algorithm

Discussion:

Andreas Stieger

2014-09-14 14:45:55 UTC

Hello,

while packaging postfix 2.11.1 I noticed that the corresponding pgp/gpg
signature is generated using the md5 digest algorithm. MD5 is now
disabled as an acceptable digest method for signatures for source
tarballs of openSUSE packages. Would it be possible to re-issue the
signature using a SHA-1 or any of the SHA-2 family?

Many thanks,
Andreas Stieger

Wietse Venema

2014-09-14 15:06:54 UTC

Permalink

Post by Andreas Stieger
Hello,
while packaging postfix 2.11.1 I noticed that the corresponding pgp/gpg
signature is generated using the md5 digest algorithm. MD5 is now
disabled as an acceptable digest method for signatures for source
tarballs of openSUSE packages. Would it be possible to re-issue the
signature using a SHA-1 or any of the SHA-2 family?

Thanks for checking the signature. MD5 is good enough for Postfix
tarballs, since there are no known second pre-image attacks. It has
the significant benefit that it is supported by every existing PGP
implementation.

What does this have to do with openSUSE source-code tarballs?

Wietse

Graham Leggett

2014-09-14 15:25:36 UTC

Permalink

Post by Wietse Venema
Thanks for checking the signature. MD5 is good enough for Postfix
tarballs, since there are no known second pre-image attacks. It has
the significant benefit that it is supported by every existing PGP
implementation.

At httpd we hash twice, once with md5 and once with sha1.

Regards,
Graham
--

Andreas Stieger

2014-09-14 15:35:41 UTC

Permalink

Hello,

The crypto is understood. You may however be interested to know that gpg
since 2.0.23 rejects MD5 signatures by default. From
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=NEWS;h=88c667be68a59f3eb8c373ebd6bf8f023a2d314e;hb=refs/heads/STABLE-BRANCH-2-0#l54

Post by Wietse Venema
* gpg: Reject signatures made using the MD5 hash algorithm unless the
new option --allow-weak-digest-algos or --pgp2 are given.
What does this have to do with openSUSE source-code tarballs?

Our package build system checks your signatures against your tarballs,
the verification fails due to the MD5 signature, obviously also because
none of the above compatibility options are used on our side.

If at all possible I would appreciate a more modern digest algorithm to
be used as far as it works with the compatibility concerns you mentioned.

Thanks,
Andreas

Wietse Venema

2014-09-14 15:50:11 UTC

Permalink

Post by Andreas Stieger
Hello,

The crypto is understood. You may however be interested to know that gpg
since 2.0.23 rejects MD5 signatures by default. From

Thereby hindering the validation of past documents.

Post by Andreas Stieger

Post by Wietse Venema
What does this have to do with openSUSE source-code tarballs?

I see. You could of course turn on those options. I have no plans
to re-sign already-released tarballs.

Post by Andreas Stieger
If at all possible I would appreciate a more modern digest algorithm to
be used as far as it works with the compatibility concerns you mentioned.

I can update the packaging script to issue multiple PGP signatures.
What suffix do you suggest for sha512-based PGP signatures? I have
no plans to stop issuing the traditional MD5-based .sig files.

Wietse

Andreas Stieger

2014-09-14 16:22:23 UTC

Permalink

Hello,

Post by Wietse Venema
I see. You could of course turn on those options. I have no plans
to re-sign already-released tarballs.

Understood.

Post by Wietse Venema

Post by Andreas Stieger
If at all possible I would appreciate a more modern digest algorithm to
be used as far as it works with the compatibility concerns you mentioned.

I can update the packaging script to issue multiple PGP signatures.
What suffix do you suggest for sha512-based PGP signatures? I have
no plans to stop issuing the traditional MD5-based .sig files.

That will be fine. I do not know if there is an established pattern for
this, but I suggest postfix-${VERSION}.tar.gz.asc as a straightforward way.

Thanks,
Andreas

Wietse Venema

2014-09-14 16:42:19 UTC

Permalink

Post by Andreas Stieger
Hello,

Post by Wietse Venema
I see. You could of course turn on those options. I have no plans
to re-sign already-released tarballs.

Understood.

However, I would appreciate it if you could verify that the attached
file works as expected.

Wietse

Andreas Stieger

2014-09-14 16:49:25 UTC

Permalink

Hello,

Post by Wietse Venema
However, I would appreciate it if you could verify that the attached
file works as expected.

It does, please see below.

$ gpg -v --verify postfix-2.11.1.tar.gz.asc
Version: GnuPG v1.4.12 (FreeBSD)
gpg: armor header:
gpg: assuming signed data in `postfix-2.11.1.tar.gz'
gpg: Signature made Sun 14 Sep 2014 17:40:35 BST using RSA key ID C12BCD99
gpg: using classic trust model
gpg: Good signature from "Wietse Venema <***@porcupine.org>"
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB
gpg: binary signature, digest algorithm SHA512

Thanks,
Andreas

Viktor Dukhovni

2014-09-14 17:14:43 UTC

Permalink

Post by Wietse Venema
However, I would appreciate it if you could verify that the attached
file works as expected.

With gpg from macports on MacOSX:

Previous signature:

$ GNUPGHOME="${PWD}" gpg --verify postfix-2.11.1.tar.gz.sig
gpg: Signature made Wed May 7 13:46:50 2014 EDT using RSA key ID C12BCD99
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see http://www.gnupg.org/faq/weak-digest-algos.html for more information
gpg: Good signature from "Wietse Venema <***@porcupine.org>"

New signature:

$ GNUPGHOME="${PWD}" gpg --verify postfix-2.11.1.tar.gz.asc
gpg: Signature made Sun Sep 14 12:40:35 2014 EDT using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema <***@porcupine.org>"

--
Viktor.

Wietse Venema

2014-09-14 17:18:14 UTC

Permalink

Post by Viktor Dukhovni
$ GNUPGHOME="${PWD}" gpg --verify postfix-2.11.1.tar.gz.asc
gpg: Signature made Sun Sep 14 12:40:35 2014 EDT using RSA key ID C12BCD99

Fine. Having two digests will make the pre-image attacks much harder.

Wietse