Index: sa-update.raw =================================================================== --- sa-update.raw (revision 1840367) +++ sa-update.raw (working copy) @@ -96,8 +96,8 @@ BEGIN { # Deal with optional modules - eval { require Digest::SHA; import Digest::SHA qw(sha1_hex sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } - or do { require Digest::SHA1; import Digest::SHA1 qw(sha1_hex) }; + eval { require Digest::SHA; import Digest::SHA qw(sha256_hex sha512_hex); 1 } and do { $have_sha256=1; $have_sha512=1 } + or die "Unable to verify file hashes! You must install a modern version of Digest::SHA."; $have_lwp = eval { require LWP::UserAgent; @@ -598,15 +598,13 @@ my $content; my $SHA512; my $SHA256; - my $SHA1; my $GPG; if ($instfile) { - dbg("channel: using --install files $instfile\{,.sha1,.sha256,.sha512,.asc\}"); + dbg("channel: using --install files $instfile\{,.sha256,.sha512,.asc\}"); $content = read_install_file($instfile); if ( -s "$instfile.sha512" ) { $SHA512 = read_install_file($instfile.".sha512"); } if ( -s "$instfile.sha256" ) { $SHA256 = read_install_file($instfile.".sha256"); } - if ( -s "$instfile.sha1" ) { $SHA1 = read_install_file($instfile.".sha1"); } $GPG = read_install_file($instfile.".asc") if $GPG_ENABLED; } else { # not an install file, obtain fresh rules from network @@ -740,7 +738,7 @@ # Loop through all available mirrors, choose from them randomly # if the archive get fails, choose another mirror, - # if the get for the sha1 or gpg signature files, the channel fails + # if the get for the hash or gpg signature files fails, the channel fails while (my $mirror = choose_mirror(\%mirrors)) { my $result_fname; # Grab the data hash for this mirror, then remove it from the list @@ -787,18 +785,6 @@ dbg("channel: No sha256 file available from $mirror"); } - - # SHA1 of the archive file - $result_fname = http_get("$mirror/$newV.tar.gz.sha1", $UPDDir); - if ( -s $result_fname) { - $SHA1 = read_content($result_fname, 0); - last unless $SHA1; - $preserve_files{$result_fname} = 1; - } else { - undef $SHA1; - dbg("channel: No sha1 file available from $mirror"); - } - # if GPG is enabled, the GPG detached signature of the archive file if ($GPG_ENABLED) { $result_fname = http_get("$mirror/$newV.tar.gz.asc", $UPDDir); @@ -806,32 +792,15 @@ last unless $GPG; $preserve_files{$result_fname} = 1; } - last; } } - unless ($content && ( $SHA512 || $SHA256 || $SHA1 ) && (!$GPG_ENABLED || $GPG)) { + unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) { channel_failed("channel: could not find working mirror"); next; } - if ( $SHA1 ) { - # Validate the SHA1 signature before going forward with more complicated - # operations. - # The SHA1 file may be "signature filename" ala sha1sum, just use the signature - { local($1); - $SHA1 =~ /^([a-fA-F0-9]{40})/; - $SHA1 = $1 || 'INVALID'; - } - my $digest = sha1_hex($content); - dbg("sha1: verification wanted: $SHA1"); - dbg("sha1: verification result: $digest"); - unless ($digest eq $SHA1) { - channel_failed("channel: SHA1 verification failed"); - next; - } - } if ( $SHA512 ) { # Validate the SHA512 signature @@ -1151,7 +1120,7 @@ return 0; } - # if all went fine, remove the .tar.gz, .sha1 and .asc files + # if all went fine, remove the .tar.gz, .sha* and .asc files delete_files( grep(!m{/\QMIRRORED.BY\E\z}, keys %preserve_files) ); $channel_successes++; @@ -1897,7 +1866,8 @@ --channelfile file Retrieve updates from the channels in the file --checkonly Check for update availability, do not install --install filename Install updates directly from this file. Signature - verification will use "file.asc" and "file.sha1" + verification will use "file.asc", "file.sha256", + and "file.sha512". --allowplugins Allow updates to load plugin code --gpgkey key Trust the key id to sign releases Use multiple times for multiple keys @@ -1927,7 +1897,8 @@ I, which has updated rules since the previous release. -Update archives are verified using SHA1 hashes and GPG signatures, by default. +Update archives are verified using SHA256 and SHA512 hashes and GPG signatures, +by default. Note that C will not restart C or otherwise cause a scanner to reload the now-updated ruleset automatically. Instead, @@ -1975,10 +1946,10 @@ Install updates "offline", from the named tar.gz file, instead of performing DNS lookups and HTTP invocations. -Files named B.sha1 and B.asc will be used for the SHA-1 and GPG -signature, respectively. The filename provided must contain a version number -of at least 3 digits, which will be used as the channel's update version -number. +Files named B.sha256, B.sha512, and B.asc will be used for +the SHA256 and SHA512 hashes and the GPG signature, respectively. The filename +provided must contain a version number of at least 3 digits, which will be used +as the channel's update version number. Multiple B<--channel> switches cannot be used with B<--install>. To install multiple channels from tarballs, run C multiple times with different @@ -1995,11 +1966,11 @@ =item B<--gpg>, B<--nogpg> -sa-update by default will verify update archives by use of a SHA1 checksum -and GPG signature. SHA1 hashes can verify whether or not the downloaded -archive has been corrupted, but it does not offer any form of security -regarding whether or not the downloaded archive is legitimate (aka: -non-modifed by evildoers). GPG verification of the archive is used to +sa-update by default will verify update archives by use of SHA256 and SHA512 +checksums and GPG signature. SHA* hashes can verify whether or not the +downloaded archive has been corrupted, but it does not offer any form of +security regarding whether or not the downloaded archive is legitimate +(aka: non-modifed by evildoers). GPG verification of the archive is used to solve that problem. If you wish to skip GPG verification, you can use the B<--nogpg> option