Merge pull request #1706 from xnox/main

sign: switch to SHA2-256 signature by default
chainguard-dev · Dec 13, 2024 · 13be2e5 · 13be2e5
2 parents 004666b + ba60467
commit 13be2e5
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 11 deletions.
diff --git a/Makefile b/Makefile
@@ -148,10 +148,12 @@ lint: checkfmt setup-golangci-lint ## Run linters and checks like golangci-lint
 .PHONY: unit
 unit:
 	go test ./... -race
+	SIGNING_DIGEST=SHA1 go test ./... -race
 
 .PHONY: integration
 integration:
 	go test ./... -race -tags=integration
+	SIGNING_DIGEST=SHA1 go test ./... -race -tags=integration
 
 .PHONY: test
 test: integration

diff --git a/e2e-tests/numpy-test.yaml b/e2e-tests/numpy-test.yaml
@@ -12,12 +12,12 @@ test:
     # TODO(pnasrat): fix to use multiple python
     contents:
       packages:
-        - python-3.12
+        - python-3.13
   pipeline:
     # Test import with command (python -c "import numpy")
     - uses: python/test
       with:
-        command: python3.12 -c "import numpy"
+        command: python3.13 -c "import numpy"
     # Test import directly (python -c "import numpy")
     - uses: python/import
       with:

diff --git a/pkg/build/sign.go b/pkg/build/sign.go
@@ -22,6 +22,21 @@ type ApkSigner interface {
 	SignatureName() string
 }
 
+var melangeApkDigest crypto.Hash
+
+func init() {
+	melangeApkDigest = crypto.SHA256
+	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+		switch digest {
+		case "SHA256":
+		case "SHA1":
+			melangeApkDigest = crypto.SHA1
+		default:
+			panic(fmt.Errorf("unsupported SIGNING_DIGEST"))
+		}
+	}
+}
+
 func EmitSignature(ctx context.Context, signer ApkSigner, controlData []byte, sde time.Time) ([]byte, error) {
 	_, span := otel.Tracer("melange").Start(ctx, "EmitSignature")
 	defer span.End()
@@ -73,12 +88,7 @@ type KeyApkSigner struct {
 	KeyPassphrase string
 }
 
-const melangeApkDigest = crypto.SHA1
-
-// const melangeApkDigest = crypto.SHA256
-
 func (s KeyApkSigner) Sign(control []byte) ([]byte, error) {
-
 	controlDigest, err := sign.HashData(control, melangeApkDigest)
 	if err != nil {
 		return nil, err

diff --git a/pkg/sign/apk_test.go b/pkg/sign/apk_test.go
@@ -54,10 +54,18 @@ func TestAPK(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	melangeApkDigest := crypto.SHA1
-	prefix := ".SIGN.RSA."
-	// melangeApkDigest := crypto.SHA256
-	// prefix := ".SIGN.RSA256."
+	melangeApkDigest := crypto.SHA256
+	prefix := ".SIGN.RSA256."
+	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+		switch digest {
+		case "SHA256":
+		case "SHA1":
+			melangeApkDigest = crypto.SHA1
+			prefix = ".SIGN.RSA."
+		default:
+			t.Fatalf("unsupported SIGNING_DIGEST")
+		}
+	}
 	if sigName != prefix+testPubkey {
 		t.Fatalf("unexpected signature name %s", sigName)
 	}