mirror of
https://github.com/genodelabs/genode.git
synced 2025-01-30 08:03:59 +00:00
80b3994500
SHA1 is susceptible to collision attacks and is generally deprecated. Source code archives are particularly vulnerable because the hash digest can be tweaked by hiding by arbitrary data in code comments and files not processed during build. With this in mind the 'prepare_port' tool now attempts to verify digests as SHA256 with a fallback to SHA1. When CHECK_HASH=no is set the tool will refuse to verify digests as SHA1. The use of SHA1 for creating unique port versions is retained because the hashes are produced locally from inputs stored in a git history. Issue #2767