Artem Bityutskiy wrote:
>On Wed, 2013-08-14 at 11:44 +0200, Till Maas wrote:
>> On Wed, Aug 14, 2013 at 12:21:23PM +0300, Artem Bityutskiy wrote:
>> > On Wed, 2013-08-14 at 10:37 +0200, Till Maas wrote:
>> > > On Wed, Aug 14, 2013 at 09:31:22AM +0300, Artem Bityutskiy wrote:
>> > >
>> > > > Other things like reading from remote sites, progress
>> > > > indicator, protecting your mounted disks, uncompressing
>> > > > on-the-fly, checking sha1 of the data and of the bmap file
>> > > > itself - are goodies, although important ones.
>> > >
>> > > Why sha1? If the check is there for security reasons, please use
>> > > at least sha256.
>> >
>> > Should not be difficult to implement if there is demand.
>>
>> SHA-256 is used to create the signatures of other distributed files:
>>
>> https://fedoraproject.org/static/checksums/Fedora-19-i386-CHECKSUM
>>
>> Therefore if bmap is used it should also use at least SHA-256. It has
>> been recommended against using SHA-1 for more than 7 years now:
>>
>> http://csrc.nist.gov/groups/ST/hash/policy_2006.html
>
>Sure, good point, thank you, I'll implement sha-256 support.
> Speaking of security, how is the integrity of the bmap file itself
> verified? A checksum is of no use if you don't know who generated the
> checksum. Fedora's checksum files are OpenPGP signed, as you can see in
> the one that Till linked to. I don't see a cryptographic signature in
> your example file. Are there detached signatures for the bmap files?
> And does Bmaptool verify the signatures?
I've implemented gpg signature verification.
Now the bmap file can be gpg-signed and in this case bmaptool will
verify the signature. Both Fedora-like "clearsign" gpg signatures and
detached signatures are supported.
--
Best Regards,
Artem Bityutskiy
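The point made in the thread is that a digest only proves integrity once you know who produced it: the signature over the checksum file has to be checked first, and the digest should be SHA-256 or stronger. The following is an added example written for this thread (it is not bmaptool's code) that does exactly that for a Fedora-style clearsigned CHECKSUM file: it parses the `SHA256 (file) = hex` lines, refuses SHA-1 entries, compares a streamed SHA-256 digest, and, in the signed variant, calls `gpg --verify` against a pinned keyring before any digest is trusted. The sample data it builds is constructed; the `gpg` invocation assumes GnuPG is on `PATH`.

```python
"""Verify an image against a clearsigned CHECKSUM file: signature first, then SHA-256.
Added example for this thread, not part of bmaptool.  Only the signature step needs gpg."""
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# BSD-style checksum line as used in Fedora's CHECKSUM files:
#   SHA256 (Fedora-19-i386-DVD.iso) = <64 hex chars>
CHECKSUM_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)

# Digests we accept; SHA-1 is deliberately not in this table.
ACCEPTED_ALGOS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_checksum_file(text):
    """Return {filename: (algo, hexdigest)}.  Clearsign armour, 'Hash:' headers,
    '#' comments and the ASCII signature block simply never match the regex."""
    entries = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return entries


def digest_file(path, algo, chunk_size=1 << 20):
    """Stream the file through the chosen hash so large images are not read into memory."""
    h = ACCEPTED_ALGOS[algo]()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def signature_is_valid(checksum_path, keyring=None):
    """Run `gpg --verify` on a clearsigned file; True only on exit status 0.
    Pin a trusted keyring: without --no-default-keyring, any key the user has
    ever imported would satisfy the check."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not installed; cannot verify signature")
    cmd = [gpg, "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd.append(str(checksum_path))
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_image(image_path, checksum_text):
    """Compare image_path with its entry in checksum_text.  Returns (ok, reason)."""
    image_path = Path(image_path)
    entry = parse_checksum_file(checksum_text).get(image_path.name)
    if entry is None:
        return False, "no checksum entry for %s" % image_path.name
    algo, expected = entry
    if algo not in ACCEPTED_ALGOS:
        return False, "refusing weak digest %s" % algo
    if digest_file(image_path, algo) != expected:
        return False, "digest mismatch"
    return True, "ok"


def verify_image_signed(image_path, checksum_path, keyring=None):
    """Full flow: trust the CHECKSUM file only after its signature verifies."""
    if not signature_is_valid(checksum_path, keyring):
        return False, "signature check failed"
    return verify_image(image_path, Path(checksum_path).read_text())


def write_constructed_sample(directory=None):
    """Build a constructed (fake) image plus checksum texts for a stand-alone run."""
    directory = Path(directory or tempfile.mkdtemp())
    image = directory / "demo-image.raw"
    image.write_bytes(b"constructed image payload\n" * 1000)
    good = hashlib.sha256(image.read_bytes()).hexdigest()
    bad = ("0" if good[0] != "0" else "1") + good[1:]  # flip one nibble
    armour = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n# demo-image.raw: 26000 bytes\n"
    trailer = "\n-----BEGIN PGP SIGNATURE-----\n(constructed, not a real signature)\n-----END PGP SIGNATURE-----\n"
    return {
        "image": image,
        "sha256_text": armour + "SHA256 (demo-image.raw) = %s" % good + trailer,
        "tampered_text": armour + "SHA256 (demo-image.raw) = %s" % bad + trailer,
        "sha1_text": armour + "SHA1 (demo-image.raw) = %s" % hashlib.sha1(image.read_bytes()).hexdigest() + trailer,
    }


if __name__ == "__main__":
    s = write_constructed_sample()
    print(verify_image(s["image"], s["sha256_text"]))    # (True, 'ok')
    print(verify_image(s["image"], s["sha1_text"]))      # (False, 'refusing weak digest sha1')
```

`verify_image` alone is what a bare checksum gives you; `verify_image_signed` is the flow the thread asks for, and it is the only one of the two that tells you who vouched for the digest. A detached `.sig` would be passed to `gpg --verify` as two arguments (signature first, then the bmap file); the rest of the flow is unchanged.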