  1. Ivy
  2. IVY-1554

Please add additional checksum algorithms

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.5.0-rc1
    • Component/s: Core

      Description

      Apache Ivy provides two algorithms (SHA-1 and MD5) to verify the correctness of files in a repository. MD5 has been known to be unsafe for a while, which is no problem because SHA-1 is also supported. As of yesterday SHA-1 is also broken (e.g. http://hackaday.com/2017/02/23/shattered-sha-1-is-broken/).

      To ensure correctness of our artifacts, please extend those algorithms with SHA-256 and/or SHA-512.

      MessageDigests are computed in class
      https://git-wip-us.apache.org/repos/asf?p=ant-ivy.git;a=blob;f=src/java/org/apache/ivy/util/ChecksumHelper.java;h=56aa936296fa9fbd9699432f041e06a9e588a618;hb=HEAD
      using MessageDigest.getInstance(mdAlgorithm). It should be no problem to extend the list of allowed algorithms, because at least with JDK/JRE 6 SHA-512 is supported (see https://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest).
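
      The request above, sketched as an added example (not Ivy's ChecksumHelper code and not part of the original report): an allowlist that maps short checksum names to JCA standard names, a streaming digest via MessageDigest.getInstance, and a comparison against a published checksum. The class name, the short names such as "sha256" and the sample file are assumptions; it needs Java 7 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class ChecksumCheck {
    // Hypothetical allowlist: short name -> JCA standard MessageDigest name.
    private static final Map<String, String> ALGORITHMS = new HashMap<>();
    static {
        ALGORITHMS.put("md5", "MD5");
        ALGORITHMS.put("sha1", "SHA-1");
        ALGORITHMS.put("sha256", "SHA-256");
        ALGORITHMS.put("sha512", "SHA-512");
    }

    // Streams the file through the digest so large artifacts are not held in memory.
    static String digestHex(Path file, String name) throws IOException {
        String jca = ALGORITHMS.get(name);
        if (jca == null) throw new IllegalArgumentException("unknown checksum algorithm: " + name);
        MessageDigest md;
        try {
            md = MessageDigest.getInstance(jca);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(jca + " is not provided by this JRE", e);
        }
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Normalises the published value (whitespace, case) before comparing.
    static boolean matches(Path file, String name, String expectedHex) throws IOException {
        byte[] actual = digestHex(file, name).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHex.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempFile("artifact", ".jar"); // constructed sample file
        Files.write(f, "abc".getBytes(StandardCharsets.US_ASCII));
        // Standard SHA-256 test vector for the input "abc"
        String sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        System.out.println("sha256 matches: " + matches(f, "sha256", sha256));
        Files.delete(f);
    }
}
```

      A checksum fetched from the same repository as the artifact only detects accidental corruption; it does not authenticate the file, whichever algorithm is used.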

              People

              • Assignee:
                hibou Nicolas Lalevée
                Reporter:
                Andreas F Andreas Felder