
Permit SHA256 to be optionally used rather than SHA1 as "mandatory" file hash

Open swinslow opened this issue 6 years ago • 5 comments

(reference to related but different issue #11: Deprecating SHA1)

Sections 4.4.3 and 4.4.4 of the spec currently read:

> 4.4.3 Cardinality: Mandatory, one SHA1, others may be optionally provided.
> 4.4.4 Algorithm: SHA1() is to be used on the file. Other algorithms that can be provided optionally include SHA256(), MD5().

Because of the option to include SHA256 hashes, applications that are concerned about SHA1 weaknesses can use SHA256. However, 4.4.3 would still require them to include SHA1 hashes in the document as well.

Is there any reason not to change 4.4.3 to something like: "Mandatory, one SHA1 or SHA256, others may be optionally provided"?

This is likely a breaking change (and therefore more appropriate for 3.0 rather than 2.2). It would mean that a valid SPDX document could omit all SHA1 hashes, while a 2.x reader can expect to find SHA1 hashes present.

swinslow avatar Jan 07 '19 14:01 swinslow

If we're considering breaking changes, I would go all the way and propose no restrictions on which algorithms have to be there:

Cardinality: Mandatory, one or many.

zvr avatar Jan 07 '19 18:01 zvr

Fully agree =) Sounds good to me.

swinslow avatar Jan 08 '19 18:01 swinslow

Yes, changing the default would be a 3.0 rather than 2.2 issue.

kestewart avatar Jan 08 '19 21:01 kestewart

One comment on this, which I just realized: The current algorithm for the Package Verification Code is based on calculating a SHA1 sum from the sorted SHA1 values for all Files in that Package. If SHA1 were no longer mandatory, then those SHA1 values could not be assumed to be present in the document. This would likely mean that the Package Verification Code algorithm would need to change.

swinslow avatar Dec 06 '19 19:12 swinslow

> One comment on this, which I just realized: The current algorithm for the Package Verification Code is based on calculating a SHA1 sum from the sorted SHA1 values for all Files in that Package. If SHA1 were no longer mandatory, then those SHA1 values could not be assumed to be present in the document. This would likely mean that the Package Verification Code algorithm would need to change.

Can the spec state that the Package Verification Code needs to be calculated using the algorithm that was used to calculate the checksum of the files in that package? So when validating, we check the PackageChecksum's algorithm and use the same one to verify the Package Verification Code.

nishakm avatar Mar 18 '20 20:03 nishakm
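The two comments above (swinslow's description of the Package Verification Code and nishakm's suggestion to compute it with whatever algorithm the file checksums use) are easier to reason about with the algorithm written out. The block below is an added example, not code from the SPDX project. It follows the SPDX 2.x rule (each non-excluded file's lowercase hex digest, sorted ascending, concatenated with no separator, then hashed again), but the `algorithm` parameter is this example's own generalization: the spec itself fixes SHA1. The sample files, the `excludes` handling of the SPDX document sitting inside its own package, and all function names (`package_verification_code`, `common_algorithm`, `verify_package`, ...) are assumptions made here for illustration.

```python
"""Package Verification Code with a pluggable hash (added example, not SPDX code).

SPDX 2.x: code = SHA1( "".join(sorted(SHA1hex(f) for f in package files)) ).
Here the digest algorithm is a parameter so the code can be recomputed from
whatever checksum every file in the document actually carries.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed stand-in for a package directory: name -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "LICENSE": b"MIT License\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "package.spdx": b"SPDXVersion: SPDX-2.2\n",  # the document itself, excluded below
}

# Preference order when several algorithms are present on every file (assumption).
PREFERRED = ("sha512", "sha256", "sha1", "md5")


def file_digest(data: bytes, algorithm: str) -> str:
    """Lowercase hex digest of one file's contents."""
    return hashlib.new(algorithm, data).hexdigest()


def record_checksums(files: Dict[str, bytes], algorithms: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Mimic the FileChecksum entries a document would carry: name -> {alg: hex}."""
    return {name: {alg: file_digest(data, alg) for alg in algorithms} for name, data in files.items()}


def _code_from_digests(digests: Iterable[str], algorithm: str) -> str:
    # Sort ascending, concatenate with no separators, hash the ASCII string.
    joined = "".join(sorted(d.lower() for d in digests))
    return hashlib.new(algorithm, joined.encode("ascii")).hexdigest()


def package_verification_code(files: Dict[str, bytes], algorithm: str = "sha1",
                              excludes: Iterable[str] = ()) -> str:
    """Producer side: compute the code from file contents."""
    skip = set(excludes)
    return _code_from_digests(
        (file_digest(data, algorithm) for name, data in files.items() if name not in skip),
        algorithm,
    )


def verification_code_from_checksums(file_checksums: Dict[str, Dict[str, str]], algorithm: str,
                                     excludes: Iterable[str] = ()) -> str:
    """Reader side: recompute the code from the checksums recorded in the
    document, without the file contents. Raises KeyError if some file lacks
    a checksum for `algorithm`, which is exactly the gap swinslow points out
    once SHA1 is no longer guaranteed to be present."""
    skip = set(excludes)
    return _code_from_digests(
        (cs[algorithm] for name, cs in file_checksums.items() if name not in skip),
        algorithm,
    )


def common_algorithm(file_checksums: Dict[str, Dict[str, str]]) -> Optional[str]:
    """nishakm's suggestion, made concrete: choose an algorithm that every
    file carries, preferring the stronger one; None if no single algorithm
    covers all files (then no verification code can be checked)."""
    sets = [set(cs) for cs in file_checksums.values()]
    if not sets:
        return None
    shared = set.intersection(*sets)
    for alg in PREFERRED:
        if alg in shared:
            return alg
    return None


def verify_package(declared_code: str, file_checksums: Dict[str, Dict[str, str]], algorithm: str,
                   excludes: Iterable[str] = ()) -> bool:
    """Constant-time comparison of the declared code against a recomputation."""
    try:
        recomputed = verification_code_from_checksums(file_checksums, algorithm, excludes)
    except KeyError:
        return False  # a file has no checksum in the needed algorithm
    return hmac.compare_digest(recomputed, declared_code.lower())


if __name__ == "__main__":
    checksums = record_checksums(SAMPLE_FILES, ("sha256",))  # no SHA1 at all
    alg = common_algorithm(checksums)
    code = package_verification_code(SAMPLE_FILES, alg, excludes=["package.spdx"])
    print(alg, code)
    print("verifies:", verify_package(code, checksums, alg, excludes=["package.spdx"]))
    print("verifies with sha1:", verify_package(code, checksums, "sha1", excludes=["package.spdx"]))
```

The last line of the usage shows the failure mode the thread is about: a document that records only SHA256 file checksums cannot have its verification code checked by a reader that assumes SHA1, so the reader has to derive the algorithm from the document (the `common_algorithm` step) or the spec has to state it.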

We no longer require a specific file hash in 3.0.

Closing this specific issue.

If we want to include a specific file hash, please open a new PR (soon) as it would be a breaking change.

cc: @kestewart

goneall avatar Apr 04 '24 17:04 goneall