[ https://issues.apache.org/jira/browse/IVY-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015570#comment-16015570 ]
ASF GitHub Bot commented on IVY-1554:
-------------------------------------
GitHub user jaikiran opened a pull request:
https://github.com/apache/ant-ivy/pull/19
IVY-1554 - Add (conditional) support for SHA-256 SHA-512 and SHA-384
checksum algorithms
The commit here adds support for SHA-256, SHA-512 and SHA-384 algorithms as
requested in https://issues.apache.org/jira/browse/IVY-1554.
These algorithms are added to the "known/supported algorithms" that Ivy
uses to verify and publish checksums only if the underlying Java runtime
supports them. Starting with Java 6, all three are standard supported algorithms,
but we haven't yet finalized what the minimum required Java runtime is going to
be for the next Ivy release. Hence the conditional check for now.
Furthermore, although the feature doesn't mandate a Java 6 runtime, the
test cases that I have added do require a Java 6 runtime to pass. I can make those
tests conditional too, but decided not to at this point. Let me know if I have
to.
Finally, I decided to use the algorithm keys as-is, i.e. `SHA-256`,
`SHA-512` and `SHA-384`, instead of using aliases like we do for `SHA-1` (we use
`sha1` as the checksum name there). What this effectively means for Ivy
checksum verification and publishing is that the checksum files will have an
extension like `original-file.SHA-256`. I haven't found any well known
conventions for file name extensions for these algorithm checksum files, so I
just decided to go ahead with this convention.
With this commit, the complete list of supported checksum algorithms is:
- md5
- sha1
- MD5
- SHA-1
- SHA-256
- SHA-512
- SHA-384
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/jaikiran/ant-ivy ivy-1554
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/ant-ivy/pull/19.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #19
----
commit d8c3ef1363fd2c9d88df1093db4fe04340bedec6
Author: Jaikiran Pai <[email protected]>
Date: 2017-05-18T10:39:06Z
IVY-1554 Add support for SHA-256 SHA-512 and SHA-384 checksum algorithms if
the underlying Java runtime supports it
----
> Please add additional checksum algorithms
> -----------------------------------------
>
> Key: IVY-1554
> URL: https://issues.apache.org/jira/browse/IVY-1554
> Project: Ivy
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.4.0
> Reporter: Andreas Felder
> Priority: Critical
> Labels: security
>
> Apache Ivy provides two algorithms (SHA-1 and MD5) to verify correctness of
> files in the repository. MD5 has been known to be unsafe for a while, which is no
> problem because SHA-1 is also supported. As of yesterday SHA-1 is also
> broken (e.g. http://hackaday.com/2017/02/23/shattered-sha-1-is-broken/).
> To ensure correctness of our artifacts, please extend those algorithms with
> SHA-256 and/or SHA-512.
> MessageDigests are computed in class
> https://git-wip-us.apache.org/repos/asf?p=ant-ivy.git;a=blob;f=src/java/org/apache/ivy/util/ChecksumHelper.java;h=56aa936296fa9fbd9699432f041e06a9e588a618;hb=HEAD
> using {{MessageDigest.getInstance(mdAlgorithm)}}. It should be no problem to
> extend the list of allowed algorithms, because at least with JDK/JRE 6
> SHA-512 is supported (see
> https://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest).
--
This message was sent by Atlassian JIRA (v6.3.15#6346)
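The pull request description above registers SHA-256/384/512 only when the running JVM can instantiate them, and the issue text points at the `MessageDigest.getInstance(mdAlgorithm)` call this hinges on. The following Java class is an added illustration written for this page; it is not Ivy's `ChecksumHelper` or any code from the pull request, and the class and method names (`ConditionalChecksums`, `supportedAlgorithms`, `hexDigest`, `checksumFileName`, `verify`) are hypothetical. It probes the runtime for each candidate algorithm, builds the supported list the same conditional way, writes a digest in the `artifact.SHA-256` file-name convention the PR describes, and verifies a download against that digest using a constant-time comparison.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not Ivy's ChecksumHelper): register digest algorithms only if
 * the running JVM can instantiate them, then produce and verify checksums in the
 * "<artifact>.<ALGORITHM>" naming convention described in the pull request.
 * Kept to Java 6 era APIs on purpose, since that is the runtime the PR discusses.
 */
public class ConditionalChecksums {

    // JCA standard names used as-is (no "sha1"-style aliases), as the PR chose to do.
    private static final String[] CANDIDATES = {"MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512"};

    /** Returns the subset of CANDIDATES that this runtime can actually instantiate. */
    public static List<String> supportedAlgorithms() {
        List<String> supported = new ArrayList<String>();
        for (String name : CANDIDATES) {
            try {
                MessageDigest.getInstance(name);   // throws if no installed provider offers it
                supported.add(name);
            } catch (NoSuchAlgorithmException e) {
                // Not available on this JVM: leave it out, which is the PR's "conditional" registration.
            }
        }
        return supported;
    }

    /** Lower-case hex digest of the data, the form that ends up in the checksum file. */
    public static String hexDigest(String algorithm, byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Checksum file name under the PR's convention, e.g. "ivy.jar.SHA-256". */
    public static String checksumFileName(String artifactName, String algorithm) {
        return artifactName + "." + algorithm;
    }

    /**
     * Verifies downloaded bytes against the hex digest read from a checksum file.
     * MessageDigest.isEqual compares in constant time, so a mismatch does not leak
     * how many leading bytes of the digest happened to match.
     */
    public static boolean verify(String algorithm, byte[] data, String expectedHex)
            throws NoSuchAlgorithmException {
        byte[] actual = MessageDigest.getInstance(algorithm).digest(data);
        byte[] expected = parseHex(expectedHex.trim().toLowerCase(Locale.ROOT));
        return expected != null && MessageDigest.isEqual(actual, expected);
    }

    // Strict hex parser: any odd length or non-hex character rejects the checksum file.
    private static byte[] parseHex(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample artifact; a real client would read the downloaded file here.
        byte[] artifact = "constructed sample artifact bytes".getBytes("UTF-8");
        List<String> supported = supportedAlgorithms();
        System.out.println("Runtime supports: " + supported);

        String algorithm = "SHA-256";
        if (!supported.contains(algorithm)) {
            System.out.println(algorithm + " not available on this JVM; nothing to verify");
            return;
        }
        String hex = hexDigest(algorithm, artifact);
        System.out.println(checksumFileName("sample.jar", algorithm) + " contains " + hex);
        System.out.println("verify intact:   " + verify(algorithm, artifact, hex));

        byte[] tampered = Arrays.copyOf(artifact, artifact.length);
        tampered[0] ^= 1;   // flip one bit to simulate a corrupted or modified download
        System.out.println("verify tampered: " + verify(algorithm, tampered, hex));
    }
}
```

Run with `javac ConditionalChecksums.java && java ConditionalChecksums`. On any Java 6 or later runtime the supported list contains all five names; on an older or stripped-down JVM the missing algorithms simply do not appear, which mirrors how the PR avoids advertising a checksum type that `MessageDigest.getInstance` could not honour. The intact check prints `true` and the tampered one `false`. The `verify` method rejects a malformed checksum file outright rather than treating an unparsable digest as a match, a failure mode worth testing in any checksum verifier.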