On Mon, Nov 19, 2012 at 5:03 PM, Tarek Ziadé <[email protected]> wrote:
> On 11/19/12 11:01 PM, Daniel Holth wrote:
>
>> Unfortunately the whole signed mirror system falls down because it relies
>> on md5 hashes
>> (http://www.kb.cert.org/vuls/id/836068)
>> although the signing key seems to be long enough. What would it take to get
>> SHA-2 (or 3) added?
>>
> No, the mirroring protocol uses SHA
> http://www.python.org/dev/peps/pep-0381/#mirror-authenticity
>
> The md5 hash is only a crc-check added in the tarball url

The last step is just a bit outdated, that's all. To me it would seem quite harmless to change it to SHA-256 or better.

1. download the /simple page, and compute its SHA-1 hash
2. compute the DSA signature of that hash
3. download the corresponding /serversig, and compare it (byte-for-byte) with the value computed in step 2.
4. compute and verify (against the /simple page) the MD-5 hashes of all files they download from the mirror.
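Step 4 of the procedure quoted above, as an added example that is not part of the original message or of PEP 381: a Python sketch that reads the digest from each link's URL fragment on a /simple page and checks a downloaded file against it, generalized to accept a `sha256=` fragment as well as `md5=`. The `#algorithm=hexdigest` fragment layout, the function names, and the sample page and file contents are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag

ALLOWED = ("sha256", "md5")  # assumption: algorithms this client accepts

class SimpleLinks(HTMLParser):
    """Collect {filename: (algorithm, hexdigest)} from the links of a /simple page."""
    def __init__(self):
        super().__init__()
        self.digests = {}

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag != "a" or not href:
            return
        url, fragment = urldefrag(href)
        algo, sep, hexdigest = fragment.partition("=")
        if sep:  # only links that carry an "algo=digest" fragment
            self.digests[url.rsplit("/", 1)[-1]] = (algo.lower(), hexdigest.lower())

def parse_simple_page(html):
    parser = SimpleLinks()
    parser.feed(html)
    return parser.digests

def verify_file(digests, filename, data, allowed=ALLOWED):
    """Return True only if data matches the digest the page lists for filename."""
    if filename not in digests:
        return False  # file is not listed on the (signed) page
    algo, expected = digests[filename]
    if algo not in allowed:
        return False  # unknown algorithm, or one the caller refuses
    return hashlib.new(algo, data).hexdigest() == expected

# Constructed sample: two files and a /simple page that lists them.
FILES = {
    "demo-1.0.tar.gz": b"constructed sdist bytes",
    "demo-1.1.tar.gz": b"constructed newer sdist bytes",
}
SAMPLE_PAGE = (
    '<a href="../../packages/source/d/demo/demo-1.0.tar.gz#md5=%s">demo-1.0.tar.gz</a>\n'
    '<a href="../../packages/source/d/demo/demo-1.1.tar.gz#sha256=%s">demo-1.1.tar.gz</a>\n'
) % (hashlib.md5(FILES["demo-1.0.tar.gz"]).hexdigest(),
     hashlib.sha256(FILES["demo-1.1.tar.gz"]).hexdigest())
```

Passing `allowed=("sha256",)` makes the client reject any file whose only listed digest is MD5, which is the stricter policy the message argues for.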
