Opened 7 years ago

Closed 6 years ago

#9930 closed defect (invalid)

SHA-1 is weak: Use better hash to generate signatures

Reported by: mkral
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Please upgrade the signatures on the web page
https://www.torproject.org/download/download-easy.html.en

The current package signatures use SHA-1. Other open source projects are also in the process of upgrading to stronger hashes.

http://www.debian-administration.org/users/dkg/weblog/48
https://www.apache.org/dev/openpgp.html#sha1

Child Tickets

Change History (6)

comment:1 Changed 7 years ago by nickm

Summary: SHA-1 is weak → SHA-1 is weak: Use better hash to generate signatures

If the signatures on the website start using a better hash, which versions of gnupg will be able to check them? I support this, so long as we're not going to start depending on a very rare gnupg version.

comment:2 in reply to: 1 Changed 6 years ago by mkral

Replying to nickm:

If the signatures on the website start using a better hash, which versions of gnupg will be able to check them? I support this, so long as we're not going to start depending on a very rare gnupg version.

According to the GnuPG changelog, read-only support for the SHA-256, SHA-384 and SHA-512 hashes was added in version 1.3.2 (2003-05-27). Full (read/write) support for the SHA-256 hash was added in version 1.3.3 (2003-10-10).

In GnuPG version 1.4.10 (2009-09-02), the default hash algorithm preferences were changed to prefer SHA-256 over SHA-1.

comment:3 Changed 6 years ago by gk

This will be fixed by #13407. We intend to use the new key from the next release on.

comment:4 in reply to: 3; Changed 6 years ago by gk

Replying to gk:

This will be fixed by #13407. We intend to use the new key from the next release on.

To make that clear: I am speaking here about Tor Browser which the bug seems to be about and not the tor releases.

comment:5 in reply to: 4 Changed 6 years ago by mkral

Replying to gk:

Replying to gk:

This will be fixed by #13407. We intend to use the new key from the next release on.

To make that clear: I am speaking here about Tor Browser which the bug seems to be about and not the tor releases.

For example verification of https://www.torproject.org/dist/tor-0.2.5.10.tar.gz , https://www.torproject.org/dist/tor-0.2.5.10.tar.gz.asc
using RSA key 0x910397D88D29319A

 gpg --verbose --verify tor-0.2.5.10.tar.gz.asc

gpg: binary signature, digest algorithm SHA1

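The check in comment 5 relies on gpg's `--verbose` output. A way to get the same answer for any downloaded `.asc` without depending on gpg's output format, added here as an example and not part of this ticket or of Tor's own tooling: dearmor the file, walk the OpenPGP packet header (RFC 4880 sections 4.2 and 5.2) and read the hash-algorithm octet of the signature packet. The two sample signatures are constructed inside the script (structurally valid v4 RSA signature packets with placeholder subpackets and a dummy signature MPI, not real signatures over any tarball); all function and variable names are this example's own.

```python
"""Report which digest algorithm an OpenPGP detached signature (.asc) used.

Added example (not from the ticket): parses the signature packet directly per
RFC 4880, so the check works without gpg. The sample signatures built below are
constructed for illustration and do not sign any real file.
"""
import base64
import struct

# RFC 4880 section 9.4: hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the CRC24 trailer, return raw packet bytes."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    # Armor headers such as "Version: GnuPG v1" end at the first blank line.
    blank = next((i for i, line in enumerate(body) if not line.strip()), None)
    if blank is not None:
        body = body[blank + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(raw) != expected:
            raise ValueError("armor CRC24 mismatch")
    return raw


def signature_hash_algo(armored: str) -> str:
    """Return the digest algorithm name used by the first signature packet."""
    raw = dearmor(armored)
    tag_byte = raw[0]
    if not tag_byte & 0x80:
        raise ValueError("invalid packet header")
    if tag_byte & 0x40:                      # new-format header (RFC 4880 4.2.2)
        tag = tag_byte & 0x3F
        first = raw[1]
        if first < 192:
            body = raw[2:2 + first]
        elif first < 224:
            length = ((first - 192) << 8) + raw[2] + 192
            body = raw[3:3 + length]
        elif first == 255:
            length = struct.unpack(">I", raw[2:6])[0]
            body = raw[6:6 + length]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                    # old-format header (RFC 4880 4.2.1)
        tag = (tag_byte >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
        if size is None:
            raise ValueError("indeterminate packet length not supported")
        length = int.from_bytes(raw[1:1 + size], "big")
        body = raw[1 + size:1 + size + length]
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version = body[0]
    if version == 3:
        hash_id = body[16]   # v3: ver, 0x05, type, ctime(4), keyid(8), pk algo, hash algo
    elif version == 4:
        hash_id = body[3]    # v4: ver, type, pk algo, hash algo, then subpackets
    else:
        raise ValueError(f"unsupported signature version {version}")
    return HASH_ALGOS.get(hash_id, f"unknown({hash_id})")


def is_weak(armored: str) -> bool:
    """True when the signature was made with MD5 or SHA-1."""
    return signature_hash_algo(armored) in WEAK_HASHES


def build_sample_signature(hash_id: int) -> str:
    """Constructed sample: a v4 RSA signature packet with placeholder contents
    (dummy creation time, dummy issuer key ID, dummy signature MPI), armored the
    way gpg would armor a detached signature. It verifies against nothing."""
    creation = b"\x05\x02" + struct.pack(">I", 1418000000)     # hashed subpacket: creation time
    hashed = struct.pack(">H", len(creation)) + creation
    issuer = b"\x09\x10" + bytes.fromhex("0123456789ABCDEF")   # unhashed subpacket: dummy issuer
    unhashed = struct.pack(">H", len(issuer)) + issuer
    mpi = struct.pack(">H", 16) + b"\xAB\xCD"                  # 16-bit dummy RSA signature MPI
    body = bytes([4, 0x00, 1, hash_id]) + hashed + unhashed + b"\x12\x34" + mpi
    packet = bytes([0x88, len(body)]) + body                   # old-format header, tag 2
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: constructed-example", "",
                      b64, "=" + crc, "-----END PGP SIGNATURE-----"])


SAMPLE_SHA1 = build_sample_signature(2)
SAMPLE_SHA256 = build_sample_signature(8)

if __name__ == "__main__":
    for name, sig in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        print(f"{name}: {signature_hash_algo(sig)} weak={is_weak(sig)}")
```

gpg reports the same octet as "digest algo 2" (SHA1) or "digest algo 8" (SHA256) in `gpg --list-packets file.asc`. On the signing side, `digest-algo SHA256` in gpg.conf forces that digest for every signature, while `personal-digest-preferences SHA512 SHA384 SHA256` only changes the preference order.
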
comment:6 Changed 6 years ago by Sebastian

Resolution: invalid
Status: new → closed

Please file bugs against the concrete subprojects that fail to provide signatures with a stronger hash algorithm starting with their next release.
