Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad entry: https://blueprints.launchpad.net/distros/ubuntu/+spec/apt-sha256
Packages affected: apt, soyuz
The hash apt currently uses for authentication checking of index files is MD5. To improve security we want to switch this to SHA256.
MD5 has several known weaknesses (practical collision attacks exist) that make it a poor choice to base our authentication on. SHA256 is a much stronger hash algorithm for this purpose.
APT needs to be modified to support SHA256 for all verifications. No changes to the apt frontends are required. Soyuz needs to write SHA256 checksums into the Release file.
The changes in apt should be done in a way that makes future changes of the hash algorithm a lot easier than they are currently.
Some files carry no tag saying which hash algorithm is used (e.g. the "Files" tag in a .dsc file, which is implicitly MD5). A new tag "Files-SHA256" is added there.
The code in apt-pkg/acquire-item.cc should be changed so that it does not hardcode the use of MD5 but uses an abstraction class instead. If the authentication hash is changed again, only this abstraction class needs to change. There is currently such an abstraction in the class Hashes from apt-pkg/contrib/hashes.h; it is used in the fetcher but not in the authentication checking code for the index files. This should be changed.
The Launchpad feature request is at https://launchpad.net/products/soyuz/+bug/71845
A working implementation can be found at http://people.ubuntu.com/~mvo/bzr/apt/sha256/
For source index files (.dsc files and Sources.gz) MD5 is still used by default, because the "Files" tag does not say which hash is used. Support for the new tag needs to be added to dpkg as well.
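To make the "abstraction instead of hardcoded MD5" point and the Files/Files-SHA256 fallback concrete, here is an added example (not apt's or soyuz's own code) that verifies a fetched file against a deb822-style stanza and picks the strongest hash the index carries. It assumes Release files list digests under "SHA256:" and "MD5Sum:" and .dsc files under the proposed "Files-SHA256:" and the legacy "Files:" field, each continuation line being "<hex digest> <size> <filename>"; the sample index and file contents are constructed for the example.

```python
"""Hash-algorithm-agnostic verification of apt index entries (added example)."""
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# (field name, hashlib algorithm), strongest first. Adding a new algorithm
# means adding one tuple here instead of touching the checking code.
RELEASE_FIELDS: Sequence[Tuple[str, str]] = (("SHA256", "sha256"), ("MD5Sum", "md5"))
DSC_FIELDS: Sequence[Tuple[str, str]] = (("Files-SHA256", "sha256"), ("Files", "md5"))


class HashEntry(NamedTuple):
    algo: str     # hashlib name, e.g. "sha256"
    digest: str   # lowercase hex
    size: int     # expected file size in bytes


def parse_stanza(text: str) -> Dict[str, List[str]]:
    """Split one deb822 stanza into field -> [first-line value, continuation lines...]."""
    fields: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":            # continuation line of the current field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def file_entries(lines: List[str], algo: str) -> Dict[str, HashEntry]:
    """Turn '<digest> <size> <filename>' lines into a filename -> HashEntry map."""
    entries: Dict[str, HashEntry] = {}
    for line in lines:
        digest, size, name = line.split(None, 2)
        entries[name] = HashEntry(algo, digest.lower(), int(size))
    return entries


def expected_hash(fields: Dict[str, List[str]], preference: Sequence[Tuple[str, str]],
                  filename: str) -> Optional[HashEntry]:
    """Pick the strongest hash the index carries for filename (None if unlisted)."""
    for field, algo in preference:
        if field in fields:
            entry = file_entries(fields[field], algo).get(filename)
            if entry is not None:
                return entry
    return None


def verify(data: bytes, entry: HashEntry) -> bool:
    """Check size and digest; the algorithm comes from the entry, nothing is hardcoded."""
    if len(data) != entry.size:
        return False
    actual = hashlib.new(entry.algo, data).hexdigest()
    return hmac.compare_digest(actual, entry.digest)


def check(index_text: str, preference: Sequence[Tuple[str, str]],
          filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """Return (algorithm used, verified?) for one fetched file."""
    entry = expected_hash(parse_stanza(index_text), preference, filename)
    if entry is None:
        return None, False
    return entry.algo, verify(data, entry)


# --- constructed sample data, not a real archive -----------------------------
PACKAGES = b"Package: hello\nVersion: 1.0\nArchitecture: all\n"
TARBALL = b"not really a tarball, just sample bytes\n"


def _line(algo: str, data: bytes, name: str) -> str:
    """One continuation line as an index file would list it."""
    return f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}"


# Release file carrying both hash types (what soyuz would write after the change).
RELEASE_BOTH = ("Origin: Example\nMD5Sum:\n" + _line("md5", PACKAGES, "main/binary-all/Packages")
                + "\nSHA256:\n" + _line("sha256", PACKAGES, "main/binary-all/Packages") + "\n")
# Legacy Release file with MD5 only; the checker must fall back to it.
RELEASE_MD5_ONLY = "Origin: Example\nMD5Sum:\n" + _line("md5", PACKAGES, "main/binary-all/Packages") + "\n"
# .dsc with the proposed Files-SHA256 field beside the legacy Files field.
DSC = ("Source: hello\nFiles:\n" + _line("md5", TARBALL, "hello_1.0.tar.gz")
       + "\nFiles-SHA256:\n" + _line("sha256", TARBALL, "hello_1.0.tar.gz") + "\n")

if __name__ == "__main__":
    print(check(RELEASE_BOTH, RELEASE_FIELDS, "main/binary-all/Packages", PACKAGES))
    print(check(RELEASE_MD5_ONLY, RELEASE_FIELDS, "main/binary-all/Packages", PACKAGES))
    print(check(DSC, DSC_FIELDS, "hello_1.0.tar.gz", TARBALL + b"x"))
```

The preference tables are the whole policy: an index that carries SHA256 is checked with SHA256 and the MD5 line is ignored, an MD5-only index still verifies, and a tampered or truncated file fails regardless of which algorithm the index offered. Note that hashlib may refuse "md5" on a FIPS-restricted build, which is one more reason to keep the algorithm name data rather than code.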
DanielHolbach: It'd be great to see a benchmark comparing MD5 and SHA256 in apt's use.