#language en
##~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~
##----
This page tracks the progress in supporting {{{debian/sha256sums}}} in Debian packages.

== Rationale ==

 * The MD5 algorithm behind {{{md5sums}}} is considered weak nowadays.
 * The checksum has proven to be useful in the past (for checking the integrity of installed files, for reducing the amount of data to back up, and for security reasons).
 * Some users still want to rely on the checksum provided in the archive to validate the authenticity of files.

The SHA256 algorithm is used because:

 1. FTP master already provides SHA1 and SHA256.
 2. SHA-1 is supposed to have some flaws that SHA-2 doesn't have (yet ;).
 3. Shipping both SHA1 and SHA256 would consume more space with little benefit.

== Todo List ==

=== Policy ===

__Before the release:__

 * Add "can provide sha256sums"

__After the release:__

 * Replace "should provide md5sums" with "can provide md5sums" and "should provide sha256sums"

=== Lintian ===

Same as policy...

__Before the release:__

 {OK} DebianBug:573088 - Allow and recommend sha256sums control file

__After the release:__

 * Warn if debian/rules still uses dh_md5sums
 * Warn if {{{grep "md5sum .*>.*md5sum" debian/rules}}} matches
 * Warn if a binary package doesn't contain debian/sha256sums

=== Build systems ===

==== debhelper ====

 {OK} DebianBug:540215 - Introduce dh_checksums

 ''TODO'' Compute checksum of {{{preinst}}}, {{{postinst}}}, {{{prerm}}}, {{{postrm}}}

==== cdbs ====

 {OK} - Nothing to do during the transition period.

 {*} - Once dh_checksums is merged in debhelper, submit a patch to deprecate {{{DEB_DH_CHECKSUMS_ARGS}}} in favor of {{{DEB_DH_MD5SUMS_ARGS}}}.

{{{#!wiki comment
/usr/share/cdbs/1/rules/debhelper.mk:
  dh_md5sums -p$(cdbs_curpkg) $(DEB_DH_MD5SUMS_ARGS)
}}}

 {*} - Once dh_checksums is common enough (and/or cdbs can depend on an appropriate debhelper), replace the command {{{dh_md5sums}}} with {{{dh_checksums}}} in {{{debhelper.mk}}}.

=== checksum validation ===

==== debsums ====

 * ''TODO'' Issues: --(DebianMan:prelink only has built-in MD5 or SHA1)--
  . prelink has already been removed from buster.

=== dpkg ===

''TODO''

 (./) The {{{sha256sums}}} file is saved in {{{/var/lib/dpkg/info/}}}

==== offline checking ====

 * Write a tool to validate the checksums offline (i.e. when the root partition is mounted as a slave)

== Making checksum compulsory ==

Lintian has a test {{{no-md5sums-control-file}}}:

{{{
This package does not contain an md5sums control file. This control
file listing the MD5 checksums of the contents of the package is not
required, but if present debsums can use it to verify that no files
shipped with your package have been modified. Providing it is
recommended.

If you are using debhelper to create your package, just add a call to
dh_md5sums at the end of your binary-indep or binary-arch target,
right before dh_builddeb.
}}}

 * See stats: http://lintian.debian.org/tags/no-md5sums-control-file.html
 * See DebianBug:572571 - packages SHOULD ship checksums (a-la dh_md5sums, but better)

== FAQ ==

'''Lintian reports {{{W: foobar: unknown-control-file sha256sums}}}'''

Lintian does not support SHA256 at this time. Make sure you use a version of Lintian with the patch above.

== Beyond ==

=== Multiple SHA algorithms ===

Since the SHA algorithms are a family, tools and APIs usually implement multiple variants.

Wouter's [[http://lists.debian.org/debian-devel/2010/03/msg00038.html|initial email]] suggested using the name shasums. I must admit I find this quite sensible for future improvements. People should be encouraged to detect and support SHA-224 and better hashes, even though we should only accept sha256 for now.

As I reviewed perl's DebianMan:shasum, I wondered whether we should force SHA256, or accept/autodetect the SHA algorithm, based on the hash length.
They use:

{{{#!highlight perl
# %len2alg: maps hex digest length to SHA algorithm
my %len2alg = (40 => 1, 56 => 224, 64 => 256, 96 => 384, 128 => 512);
}}}

Note: the program DebianMan:shasum can use a checksum file that contains checksums of different lengths, like:

{{{
ae535386ea2f0e6b12f574f2c9c87682a420036c  /bin/dash
282909cfdb192cd32091c2a3e16ec6e42f910086ab1e17d10ccd117e0fd52698  /bin/bash
}}}

{{{#!wiki comment/dotted
Please note that while perl's shasum is flexible in choosing an SHA algorithm, it's considerably slower than its contenders:

 > checksum of a 1 MB file over 100 runs:
 > shasum COUNT: 100 TIME: 38 seconds - perl
 > openssl COUNT: 100 TIME: 7 seconds - openssl
 > sha1sum COUNT: 100 TIME: 1 seconds - coreutils
}}}

=== OpenPGP clear-signed messages ===

I made some tests, and it seems that we could allow, but not require, an OpenPGP-signed checksum file. sha256sum will ignore invalid lines by default (unless you specify the --warn option).

Similarly, the policy could state that OpenPGP clear-signed shasum files are allowed. Tools using shasum should still strip the signature, especially when using the checksum for security purposes.

Stripping a {{{gpg --clearsign}}} message is as easy as:

{{{#!highlight bash
# GNU sed: print only the checksum lines (32+ hex digits followed by whitespace)
# found between the cleartext header and the next "-----" armor line.
sed -n -e '/^-----\(BEGIN PGP SIGNED MESSAGE\)-----/,/^-----[^\1]/s/^[[:xdigit:]]\{32,\}\s/\0/p' testfile.asc
}}}

----
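
The following is an added example, not part of the original page and not an existing Debian tool. It combines two ideas from above: detecting the SHA variant from the digest length (the {{{%len2alg}}} mapping) and checking files offline under a mounted root. The function names, the {{{ACCEPTED}}} policy set and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# Hex digest length -> algorithm, the same mapping as shasum's %len2alg.
LEN2ALG = {40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
ACCEPTED = {"sha256"}  # assumption: enforce "only accept sha256 for now"
LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")  # "<hex>  <path>" or "<hex> *<path>"

def check_line(line, root):
    """Verify one checksum line against files below `root` (the offline mount)."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return (None, None, "malformed")  # e.g. OpenPGP armor lines
    digest, path = m.group(1).lower(), m.group(2)
    alg = LEN2ALG.get(len(digest))
    if alg not in ACCEPTED:  # None (unknown digest length) is refused as well
        return (path, alg, "rejected-algorithm" if alg else "unknown-length")
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Absolute symlinks in the mounted root point at the running system: stay inside root.
    if os.path.commonpath([root, target]) != root:
        return (path, alg, "outside-root")
    try:
        h = hashlib.new(alg)
        with open(target, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return (path, alg, "missing")
    return (path, alg, "OK" if h.hexdigest() == digest else "FAILED")

def demo():
    """Constructed sample: a throwaway root with one intact and one modified file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("dash", b"dash-binary"), ("bash", b"tampered")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        os.symlink("/etc/passwd", os.path.join(root, "bin", "link"))
        lines = [
            hashlib.sha256(b"dash-binary").hexdigest() + "  bin/dash",
            hashlib.sha256(b"bash-binary").hexdigest() + "  /bin/bash",
            hashlib.sha1(b"dash-binary").hexdigest() + "  bin/dash",
            hashlib.sha256(b"x").hexdigest() + "  bin/link",
            "-----BEGIN PGP SIGNATURE-----",
        ]
        return [check_line(line, root)[2] for line in lines]
```

Unlike sha256sum's default behaviour, the checker reports malformed lines and refused algorithms explicitly, so a SHA-1 entry in a mixed-length file cannot pass unnoticed.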