sign: switch to SHA2-256 signature by default

Switch to SHA2-256 signature by default for the `melange sign` command. Use the same runtime opt-out back to SHA1 signatures as apko. With apko from: - chainguard-dev/apko#1440 This will use RSA256 signature type for both .apk & APKINDEX.tar.gz signing.
chainguard-dev · Dec 13, 2024 · 3d1b7b3 · 3d1b7b3
1 parent 004666b
commit 3d1b7b3
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -148,10 +148,12 @@ lint: checkfmt setup-golangci-lint ## Run linters and checks like golangci-lint
 .PHONY: unit
 unit:
 	go test ./... -race
+	SIGNING_DIGEST=SHA1 go test ./... -race
 
 .PHONY: integration
 integration:
 	go test ./... -race -tags=integration
+	SIGNING_DIGEST=SHA1 go test ./... -race -tags=integration
 
 .PHONY: test
 test: integration

diff --git a/pkg/build/sign.go b/pkg/build/sign.go
@@ -22,6 +22,21 @@ type ApkSigner interface {
 	SignatureName() string
 }
 
+var melangeApkDigest crypto.Hash
+
+func init() {
+	melangeApkDigest = crypto.SHA256
+	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+		switch digest {
+		case "SHA256":
+		case "SHA1":
+			melangeApkDigest = crypto.SHA1
+		default:
+			panic(fmt.Errorf("unsupported SIGNING_DIGEST"))
+		}
+	}
+}
+
 func EmitSignature(ctx context.Context, signer ApkSigner, controlData []byte, sde time.Time) ([]byte, error) {
 	_, span := otel.Tracer("melange").Start(ctx, "EmitSignature")
 	defer span.End()
@@ -73,12 +88,7 @@ type KeyApkSigner struct {
 	KeyPassphrase string
 }
 
-const melangeApkDigest = crypto.SHA1
-
-// const melangeApkDigest = crypto.SHA256
-
 func (s KeyApkSigner) Sign(control []byte) ([]byte, error) {
-
 	controlDigest, err := sign.HashData(control, melangeApkDigest)
 	if err != nil {
 		return nil, err

diff --git a/pkg/sign/apk_test.go b/pkg/sign/apk_test.go
@@ -54,10 +54,18 @@ func TestAPK(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	melangeApkDigest := crypto.SHA1
-	prefix := ".SIGN.RSA."
-	// melangeApkDigest := crypto.SHA256
-	// prefix := ".SIGN.RSA256."
+	melangeApkDigest := crypto.SHA256
+	prefix := ".SIGN.RSA256."
+	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+		switch digest {
+		case "SHA256":
+		case "SHA1":
+			melangeApkDigest = crypto.SHA1
+			prefix = ".SIGN.RSA."
+		default:
+			t.Fatalf("unsupported SIGNING_DIGEST")
+		}
+	}
 	if sigName != prefix+testPubkey {
 		t.Fatalf("unexpected signature name %s", sigName)
 	}