This page tracks the progress in supporting debian/sha256sums in debian packages.

Rationale

The SHA256 algorithm is used because:

  1. FTP master already provides SHA1 and SHA256.
  2. SHA-1 is supposed to have some flaws that SHA2 doesn't have (yet ;).
  3. Shipping both SHA1 and SHA256 would consume more space with little benefit.

Todo List

Policy

Before the release:

After the release:

Lintian

Same as policy... Before the release:

After the release:

Build systems

debhelper

cdbs

checksum validation

debsums

Issues: prelink only has built-in MD5 or SHA1

dpkg

TODO

offline checking

Making checksum compulsory

Lintian has a test, no-md5sums-control-file:

This package does not contain an md5sums control file. This control file listing the MD5 checksums of the contents of the package is not required, but if present debsums can use it to verify that no files shipped with your package have been modified. Providing it is recommended.

If you are using debhelper to create your package, just add a call to dh_md5sums at the end of your binary-indep or binary-arch target, right before dh_builddeb. 

FAQ

Lintian reports W: foobar: unknown-control-file sha256sums

Beyond

Multiple SHA algorithms

Since the SHA algorithms form a family, tools and APIs usually implement multiple variants. Wouter's initial email suggested using the name shasums. I must admit I find this quite sensible for future improvements. People should be encouraged to detect and support SHA-224 and better hashes, even though we should only accept sha256 for now.

As I reviewed perl's shasum, I wondered whether we should force SHA256, or accept/autodetect the SHA algorithm based on the hash length. They use:

Note: the program shasum can use a checksum file that contains checksums of different lengths, like:

ae535386ea2f0e6b12f574f2c9c87682a420036c  /bin/dash
282909cfdb192cd32091c2a3e16ec6e42f910086ab1e17d10ccd117e0fd52698  /bin/bash

GPG clear-signed messages

I made some tests, and it seems that we could allow, but not require, a GPG-signed checksum file. sha256sum will ignore invalid lines by default (unless you specify the --warn option).

Similarly, the policy could state that GPG clear-signed shasum files are allowed. Tools using shasum should still strip the signature, especially when using the checksum for security purposes.

Stripping a gpg --clearsign message is as easy as:

# Prints only the lines of 32+ hex digits that sit between the clear-sign header and the signature block (stripping only; the signature itself is not verified here)
sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^-----BEGIN PGP SIGNATURE-----$/{/^[[:xdigit:]]\{32,\}[[:space:]]/p;}' testfile.asc
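The two ideas above, autodetecting the algorithm from the digest length (the shasum behaviour discussed under "Multiple SHA algorithms") and stripping a clear-signed wrapper before using the checksums, combined in one small verifier. This is an added example, not code from the page or from any Debian tool; the file names, contents and the signature block in the sample are constructed, and the helper names are this example's own.

```python
import hashlib
import re

# Digest length in hex digits -> algorithm; shasum autodetects the same way.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # "<hex>  <path>" or "<hex> *<path>"

def strip_clearsign(text):
    """Return the body of a gpg --clearsign message, or text unchanged if not signed.
    Only removes the armour; it does NOT verify. Run gpg --verify first when it matters."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i] != "":  # skip the "Hash: ..." armour headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"

def parse_checksums(text, allowed=("sha256",)):
    """Parse checksum lines, detecting the algorithm from the digest length.
    Unlike sha256sum's default, malformed or non-accepted lines raise instead of being
    ignored, so a downgraded (e.g. MD5-only) or mangled file cannot pass silently."""
    entries = []
    for lineno, line in enumerate(strip_clearsign(text).splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d: malformed checksum line" % lineno)
        digest, path = m.group(1).lower(), m.group(2)
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or algo not in allowed:
            raise ValueError("line %d: %d-digit digest (%s) not accepted" % (lineno, len(digest), algo))
        entries.append((algo, digest, path))
    return entries

def verify(entries, contents):
    """contents maps path -> bytes (stands in for reading the files). Returns mismatching paths."""
    return [p for algo, digest, p in entries
            if p not in contents or hashlib.new(algo, contents[p]).hexdigest() != digest]

SAMPLE_FILES = {"bin/dash": b"#!/bin/sh\nexit 0\n", "bin/bash": b"#!/bin/bash\nexit 0\n"}  # constructed
SAMPLE_SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"  # constructed clear-signed file
                 + "".join("%s  %s\n" % (hashlib.sha256(d).hexdigest(), p) for p, d in sorted(SAMPLE_FILES.items()))
                 + "-----BEGIN PGP SIGNATURE-----\n(signature block omitted)\n-----END PGP SIGNATURE-----\n")
```

With the default allowed=("sha256",) the page's mixed SHA-1/SHA-256 sample is rejected; passing allowed=("sha1", "sha256") accepts it with each line's algorithm detected from its length.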