storage: change Artifact checksum to SHA256 #487

relu · 2021-11-11T21:47:26Z

This changes the format of the Artifact checksum from SHA1 to SHA256 to
mitigate chosen-prefix and length extension attacks, and ensures it can
be used to secure content against malicious modifications.

Source consumers (including our own {kustomize,helm}-controllers)
should ensure the SHA256 of a downloaded artifact matches the
advertised checksum before making use of it.

Cherry-picked from reconcilers-dev.

Fixes #467.

This changes the format of the Artifact checksum from SHA1 to SHA256 to mitigate chosen-prefix and length extension attacks, and ensures it can be used to secure content against malicious modifications. Source consumers (including our own {kustomize,helm}-controllers) should ensure the SHA256 of a downloaded artifact matches the advertised checksum before making use of it. Signed-off-by: Hidde Beydals <hello@hidde.co>

relu requested a review from hiddeco November 11, 2021 21:47

relu force-pushed the sha256-backport branch from 4685443 to fb688ff Compare November 11, 2021 21:47

hiddeco approved these changes Nov 11, 2021

View reviewed changes

stefanprodan approved these changes Nov 12, 2021

View reviewed changes

stefanprodan merged commit e810969 into main Nov 12, 2021

stefanprodan deleted the sha256-backport branch November 12, 2021 07:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

storage: change Artifact checksum to SHA256 #487

storage: change Artifact checksum to SHA256 #487

relu commented Nov 11, 2021 •

edited

Loading

storage: change Artifact checksum to SHA256 #487

storage: change Artifact checksum to SHA256 #487

Conversation

relu commented Nov 11, 2021 • edited Loading

relu commented Nov 11, 2021 •

edited

Loading