This page tracks the progress in supporting debian/sha256sums in Debian packages.
Rationale
- MD5SUMS is considered weak nowadays
- The checksums have proven useful in the past (for checking the integrity of installed files, for reducing the amount of data to back up, and for security reasons)
- Some users still want to rely on the checksum provided in the archive to validate the authenticity of files.
The SHA256 algorithm is used because:
- FTP master already provides SHA1 and SHA256
- SHA-1 is supposed to have some flaws that SHA-2 doesn't have (yet ;).
- Shipping both SHA1 and SHA256 would consume more space for little benefit.
Todo List
Policy
Before the release:
- add "can provide sha256sums"
After the release:
- Replace "should provide md5sums" with "can provide md5sums" and "should provide sha256sums"
Lintian
Same as policy... Before the release:
573088 - Allow and recommend sha256sums control file
After the release:
- Warn if debian/rules still uses dh_md5sum
  (i.e. warn if grep "md5sum .*>.*md5sum" debian/rules matches)
- Warn if a binary package doesn't contain debian/sha256sums
Build systems
debhelper
540215 - Introduce dh_checksums
cdbs
- Nothing to do during the transition period.
- Once dh_checksums is merged in debhelper, submit a patch to deprecate DEB_DH_CHECKSUMS_ARGS in favor of DEB_DH_MD5SUMS_ARGS.
- Once dh_checksums is common enough (and/or cdbs can depend on an appropriate debhelper), replace the command dh_md5sums with dh_checksums in debhelper.mk.
checksum validation
debsums
TODO
Issues: prelink only has built-in MD5 or SHA1
dpkg
TODO
The sha256sums file is saved in /var/lib/dpkg/info/
offline checking
- Write a tool to validate the checksums offline (i.e. when the root partition is mounted as a slave)
Making checksum compulsory
Lintian has a test no-md5sums-control-file:
This package does not contain an md5sums control file. This control file listing the MD5 checksums of the contents of the package is not required, but if present debsums can use it to verify that no files shipped with your package have been modified. Providing it is recommended. If you are using debhelper to create your package, just add a call to dh_md5sums at the end of your binary-indep or binary-arch target, right before dh_builddeb.
See stats: http://lintian.debian.org/tags/no-md5sums-control-file.html
See 572571: packages SHOULD ship checksums (à la dh_md5sums, but better)
FAQ
Lintian reports W: foobar: unknown-control-file sha256sums
- Lintian does not support SHA256 at this time. Make sure you use a version of Lintian with the patch above.
Beyond
Multiple SHA algorithm
Since SHA is a family of algorithms, tools and APIs usually implement multiple variants. Wouter's initial email suggested using the name shasums. I must admit I find this quite sensible for future improvements. People should be encouraged to detect and support SHA-224 and stronger hashes, even though we should only accept sha256 for now.
As I reviewed Perl's shasum, I wondered whether we should force SHA256, or accept/autodetect the SHA algorithm based on the hash length. They use:
Note: the program shasum can use a checksum file that contains checksums of different lengths, like:
ae535386ea2f0e6b12f574f2c9c87682a420036c /bin/dash
282909cfdb192cd32091c2a3e16ec6e42f910086ab1e17d10ccd117e0fd52698 /bin/bash
GPG clear-signed messages
I made some tests, and it seems that we could allow, but not require, a GPG-signed checksum file. sha256sum will ignore invalid lines by default (unless you specify the --warn option).
Similarly, the policy could state that GPG clear-signed shasum files are allowed. Tools using shasum files should still strip the signature, especially when using the checksums for security purposes.
Stripping a gpg --clearsign message is as easy as:
sed -n -e '/^-----\(BEGIN PGP SIGNED MESSAGE\)-----/,/^-----[^\1]/s/^[[:xdigit:]]\{32,\}\s/\0/p' testfile.asc
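The three ideas above (an offline checker for a slave-mounted root, autodetecting the SHA variant from the digest length as shasum does, and stripping a clear-signed wrapper before trusting the lines) fit in one small tool. The following is an added example written for this page; it is not dpkg, debsums or shasum code. The function names, the digest-length table, the "accepted algorithms" policy and the sample files and checksum text are this example's own assumptions. It goes slightly beyond the page by also reporting lines whose algorithm is not accepted and paths that would escape the mount point.

```python
#!/usr/bin/env python3
# Added example (not Debian's dpkg/debsums code): an offline verifier for
# shasum-style checksum files. It strips an optional gpg --clearsign wrapper,
# infers the digest algorithm from the hex length (as Perl's shasum does),
# applies an "accepted algorithms" policy, and checks files under any root
# directory so a slave-mounted partition can be validated.
import hashlib
import os
import re
import tempfile

# hex digest length -> hashlib name (assumed table). MD5 and SHA-1 are listed
# so legacy md5sums files still *parse*; the policy decides what is accepted.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256",
                96: "sha384", 128: "sha512"}

# "<hex>  <path>" or "<hex> *<path>" (binary mode), as md5sum/shasum write it
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s[ *]?(.+)$")


def strip_clearsign(text):
    """Return the body of a gpg --clearsign message, or the text unchanged.

    The signature is removed, not verified: when the checksums matter for
    security, run gpg --verify on the file first and only then strip it.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i] != "":   # skip "Hash: SHA256" headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        # clearsign dash-escapes body lines that start with "-"
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_checksums(text):
    """Yield (algo_or_None, hexdigest, path) for each checksum line.

    Non-checksum lines (comments, blank lines, armor remnants) are skipped,
    which is what sha256sum does by default.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            digest, path = m.group(1).lower(), m.group(2)
            yield DIGEST_ALGOS.get(len(digest)), digest, path


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(text, root="/", accepted=("sha256",)):
    """Check a checksum file against the files below `root`.

    root="/" checks the running system; root="/mnt/disk" checks a partition
    mounted offline. Returns {path: "OK"|"FAILED"|"MISSING"|"REJECTED:..."}.
    """
    results = {}
    base = os.path.join(os.path.normpath(root), "")
    for algo, digest, path in parse_checksums(strip_clearsign(text)):
        target = os.path.normpath(os.path.join(base, path.lstrip("/")))
        if algo not in accepted:
            results[path] = "REJECTED:%s" % (algo or "unknown-length")
        elif not target.startswith(base):   # "../" escaping the mount point
            results[path] = "REJECTED:outside-root"
        elif not os.path.isfile(target):
            results[path] = "MISSING"
        elif file_digest(target, algo) == digest:
            results[path] = "OK"
        else:
            results[path] = "FAILED"
    return results


def demo():
    """Constructed scenario: a throwaway root with three files and a
    clear-signed checksum file mixing SHA-1 and SHA-256 lines."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    files = {name: b"#!/bin/sh\necho " + name.encode() + b"\n"
             for name in ("dash", "bash", "sh")}
    for name, data in files.items():
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(data)
    checksums = (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        "%s  /bin/dash\n"      # SHA-1 digest: parsed, but not accepted by policy
        "%s  /bin/bash\n"      # SHA-256 digest that matches
        "%s  /bin/sh\n"        # SHA-256 digest that does not match (tampered)
        "%s  /bin/missing\n"   # file absent under root
        "-----BEGIN PGP SIGNATURE-----\n(signature omitted in this sample)\n"
        "-----END PGP SIGNATURE-----\n"
    ) % (hashlib.sha1(files["dash"]).hexdigest(),
         hashlib.sha256(files["bash"]).hexdigest(), "0" * 64, "1" * 64)
    return verify(checksums, root=root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status, path)
```

Run it directly to see one status line per entry. To check a slave-mounted partition, pass the mount point as `root` and feed it the contents of that partition's /var/lib/dpkg/info/*.sha256sums (the assumed location, from the dpkg section above); widen `accepted` only if you deliberately want to honour SHA-224 or stronger variants, and keep MD5/SHA-1 rejected.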
/usr/share/cdbs/1/rules/debhelper.mk: dh_md5sums -p$(cdbs_curpkg) $(DEB_DH_MD5SUMS_ARGS)