Closed
Bug 421012
Opened 18 years ago
Closed 18 years ago
update nightly AUS scripts to use sha1 or stronger encryption for hashes
Categories
(AUS Graveyard :: Systems, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
4.x (triaged)
People
(Reporter: morgamic, Assigned: joduinn)
References
()
Details
Attachments
(2 files, 1 obsolete file)
|
9.23 KB,
patch
|
Details | Diff | Splinter Review | |
|
26.18 KB,
patch
|
Details | Diff | Splinter Review |
Currently update RDFs output hash sums created with md5 (see URL).
We should get this updated to use sha1 or better, especially for release updates.
|
Reporter | |
Updated•18 years ago
|
Group: webtools-security
|
|
Reporter | |
Comment 1•18 years ago
|
||
Added security flag, but it's not a secret that we use md5 for nightlies -- remove if you feel appropriate.
|
|
Reporter | |
Comment 2•18 years ago
|
||
Normal releases are indeed SHA1:
https://aus2.mozilla.org/update/2/Firefox/2.0.0.8/2007100816/Darwin_Universal-gcc3/en-US/release/Darwin%208.11.1/update.xml?force=1
|
||
Comment 3•18 years ago
|
||
SHA-1 has been compromised. Can we use SHA-256?
|
||
Comment 4•18 years ago
|
||
FF2 nightlies use sha1:
https://aus2.mozilla.org/update/2/Firefox/2.0.0.13pre/2008030203/WINNT_x86-msvc/en-US/nightly/Windows_NT%205.1/update.xml?force=1
Why would the trunk have gone "backwards" in hash quality?
What's used for trunk and FF2 release updates?
sha1 is OK for now. At some point the attacks will get better and we'll have to use sha-256. Cygwin contains the sha256sum utility so it should be easy to get on unix-based systems too.
|
|
||
Updated•18 years ago
|
Summary: update AUS scripts to use sha1 or stronger encryption for hashes → update nightly AUS scripts to use sha1 or stronger encryption for hashes
|
|
||
Comment 5•18 years ago
|
||
Trunk betas are SHA1 as well:
https://aus2.mozilla.org/update/1/Firefox/3.0b1/2007110903/Linux_x86-gcc3/pl/beta/update.xml
Looks like MD5 is only in use for trunk nightlies, as far as I can tell.
|
|
||
Comment 6•18 years ago
|
||
wip patch on updating all the tools to use SHA-256 by default
|
|
||
Comment 7•18 years ago
|
||
Swap Firefox on Mac, Thunderbird on Mac, and Thunderbird on win32 to sha1 for now.
Attachment #307409 -
Flags: review?(rhelmer)
|
|
||
Comment 8•18 years ago
|
||
Comment on attachment 307408 [details] [diff] [review]
wip
Couple of questions I had when working on this.
> def calc_file_sha_digest(self, filename):
> """ Returns sha digest of given filename"""
> file_content = open(filename, 'r').read()
>- return sha.new(file_content).digest()
>+ return hashlib.sha256(file_content).hexdigest()
Why is that using digest() currently instead of hexdigest()? I can use digest() here, but I'm just wondering why it was being used in the first place.
> metadata.append({
...
>- 'to_sha1sum':to_shasum,
>- 'from_sha1sum':from_shasum,
>- 'partial_sha1sum':partial_shasum,
>+ 'to_sha256sum':to_shasum,
>+ 'from_sha256sum':from_shasum,
>+ 'partial_sha256sum':partial_shasum,
...
Where is this used? I'll need to update whatever uses this metadata for the new names of things, or I could swap to something more generic...
|
|
Reporter | |
Comment 9•18 years ago
|
||
Dan -- since we're changing this anyway why not use sha512?
|
||
Comment 10•18 years ago
|
||
Seems to be some conflation of nightly and release systems here.
Nightly completes use whatever hash the tinderbox is set to, so attachment 307409 [details] [diff] [review] would be a step in the right direction. Partials inherit from the completes so we only need to set tinderbox to use sha1 for the quick fix. I think attachment 307409 [details] [diff] [review] is incomplete though, because we also need to fix:
MOZILLA_1_8_0_BRANCH/firefox/macosx
MOZILLA_1_8_0_BRANCH/thunderbird/win32
MOZILLA_1_8_BRANCH/thunderbird/macosx
MOZILLA_1_8_BRANCH_release/thunderbird/macosx
release/firefox/macosx (this doesn't mean release updates are using md5)
The proposed changes to the release scripts and tinderbox won't function as is, because the openssl available on various machines doesn't support sha-256 or higher. There should also be a change to mozilla/tools/tinderbox-defaults.pl.
|
|
||
Updated•18 years ago
|
Attachment #307409 -
Flags: review?(rhelmer) → review+
|
|
||
Comment 11•18 years ago
|
||
Attachment #307409 -
Attachment is obsolete: true
|
Assignee | |
Comment 12•18 years ago
|
||
Is there anything else left to do here, or can we close this?
|
|
||
Comment 13•18 years ago
|
||
(In reply to comment #12)
> Is there anything else left to do here, or can we close this?
Are you all still interested in using something stronger than SHA-1 since SHA-1 has already been broken? If so, see the wip patch.
|
|
Reporter | |
Comment 14•18 years ago
|
||
Can we settle on SHA-1 until after fx3?
|
|
Assignee | |
Comment 15•18 years ago
|
||
(In reply to comment #14)
> Can we settle on SHA-1 until after fx3?
+1
Based on comment#4, it seemed like sha-1 was good enough for now, and in this bug, we just wanted to bring trunk nightly updates up-to-par with the rest of the build systems. That work is landed, aiui.
If you want to, please file a separate bug on changing all build systems to use a different algorithm for update hashsums; however, I think thats beyond the scope of this bug, and not something we want to take on right now at this point in the FF3 release.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
||
Updated•17 years ago
|
Group: webtools-security → update-security
|
|
||
Comment 16•17 years ago
|
||
Filed bug 472790 on finishing the job and moving to a SHA-2 hash.
Blocks: 472790
Group: client-services-security
You need to log in
before you can comment on or make changes to this bug.
Description
•