Can we use sha2 instead of md5 in pack_firmware.sh versions?

Issue description

This script produces a version file with md5 checksums of the images. Can or should we use sha2 instead? It would be more secure. https://cs.corp.google.com/search/?q=f:pack_firmware.sh+md5&type=cs
Feb 24 2017
And I didn't know about the SHA-1 collision when I suggested this in the review, even. :-P
Feb 25 2017
Those MD5 sums were just to help people check what they have put in, and we don't really use them when unpacking, so I see no security impact, especially since the ebuild Manifest already has multiple hash checksums. People may try to repack in the chroot, on a DUT (cros release image), or on a desktop (Ubuntu or Debian). md5 was selected because it's more widely available. If you are changing the algorithm you have to find one that is compatible with all environments.
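The compatibility concern in the comment above (chroot, DUT, desktop) can be handled by probing for whichever SHA-256 tool is present. This is an added example, not part of the original thread or of pack_firmware.sh; the function names, the checksum list format and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: portable SHA-256 checksums for a repack script.
# sha256_of, write_checksums, verify_checksums are hypothetical names.

# Print the lowercase hex SHA-256 of file $1 using whichever tool exists.
# Input is fed on stdin so odd file names cannot alter the output format.
sha256_of() {
  [ -r "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | cut -d ' ' -f 1
  elif command -v openssl >/dev/null 2>&1; then
    # Output is "<label>(stdin)= <hex>"; keep the last field.
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
  else
    echo "no SHA-256 tool found" >&2
    return 1
  fi
}

# Write "<hex>  <name>" lines for each image argument to stdout.
write_checksums() {
  for f in "$@"; do
    h=$(sha256_of "$f") || return 1
    printf '%s  %s\n' "$h" "$(basename "$f")"
  done
}

# Check a list made by write_checksums against the files in directory $2.
# Returns non-zero if any file is missing or differs.
verify_checksums() {
  list=$1; dir=$2; rc=0
  while read -r want name; do
    got=$(sha256_of "$dir/$name") || { echo "MISSING $name" >&2; rc=1; continue; }
    [ "$got" = "$want" ] || { echo "MISMATCH $name" >&2; rc=1; }
  done < "$list"
  return $rc
}

# Demo on a constructed image file (not real firmware).
demo_dir=$(mktemp -d)
printf 'constructed image bytes' > "$demo_dir/bios.bin"
write_checksums "$demo_dir/bios.bin" > "$demo_dir/VERSION.sha256"
verify_checksums "$demo_dir/VERSION.sha256" "$demo_dir" && echo "checksums OK"
rm -rf "$demo_dir"
```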
Mar 14 2017
OK it seems like it is OK as is. Thank you.
Comment 1 by sjg@chromium.org, Feb 24 2017