use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120)

2025-01-18 02:39:59 +00:00 · 2017-05-04 11:18:50 -04:00 · 2017-05-04 11:18:50 -04:00 · a5d4c65533
commit a5d4c65533
parent 2b2c00e594
1 changed files with 6 additions and 1 deletions
--- a/initrd/bin/qubes-update
+++ b/initrd/bin/qubes-update
@ -70,7 +70,12 @@ sha256sum \
 | tee "$BOOT_HASHES"

 for tries in 1 2 3; do
-	if gpg --detach-sign -a "$BOOT_HASHES"; then
+	if gpg \
+		--digest-algo SHA256 \
+		--detach-sign \
+		-a \
+		"$BOOT_HASHES" \
+	; then
 		mount -o ro,remount /boot
 		exit 0
 	fi