From fb688ffe8add35e0f9027632c5c1b6e46723e09d Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Mon, 9 Aug 2021 20:48:25 +0200 Subject: [PATCH] storage: change Artifact checksum to SHA256 This changes the format of the Artifact checksum from SHA1 to SHA256 to mitigate chosen-prefix and length extension attacks, and ensures it can be used to secure content against malicious modifications. Source consumers (including our own {kustomize,helm}-controllers) should ensure the SHA256 of a downloaded artifact matches the advertised checksum before making use of it. Signed-off-by: Hidde Beydals --- api/v1beta1/artifact_types.go | 2 +- config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml | 2 +- .../bases/source.toolkit.fluxcd.io_gitrepositories.yaml | 4 ++-- config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml | 2 +- .../bases/source.toolkit.fluxcd.io_helmrepositories.yaml | 2 +- controllers/storage.go | 8 ++++---- docs/api/source.md | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/api/v1beta1/artifact_types.go b/api/v1beta1/artifact_types.go index c7ddffce..3fd0d2df 100644 --- a/api/v1beta1/artifact_types.go +++ b/api/v1beta1/artifact_types.go @@ -39,7 +39,7 @@ type Artifact struct { // +optional Revision string `json:"revision"` - // Checksum is the SHA1 checksum of the artifact. + // Checksum is the SHA256 checksum of the artifact. // +optional Checksum string `json:"checksum"` diff --git a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml index a64e98b4..d56295d1 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml @@ -99,7 +99,7 @@ spec: description: Artifact represents the output of the last successful Bucket sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml index f6f523ed..13e03e21 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml @@ -154,7 +154,7 @@ spec: description: Artifact represents the output of the last successful repository sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. @@ -223,7 +223,7 @@ spec: description: Artifact represents the output of a source synchronisation. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml index fe40562b..250b2e7b 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml @@ -116,7 +116,7 @@ spec: description: Artifact represents the output of the last successful chart sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml index 4409c0f9..5ff669a6 100644 --- a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml +++ b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml @@ -83,7 +83,7 @@ spec: description: Artifact represents the output of the last successful repository sync. properties: checksum: - description: Checksum is the SHA1 checksum of the artifact. + description: Checksum is the SHA256 checksum of the artifact. type: string lastUpdateTime: description: LastUpdateTime is the timestamp corresponding to the last update of this artifact. diff --git a/controllers/storage.go b/controllers/storage.go index 139e999c..d765e430 100644 --- a/controllers/storage.go +++ b/controllers/storage.go @@ -19,7 +19,7 @@ package controllers import ( "archive/tar" "compress/gzip" - "crypto/sha1" + "crypto/sha256" "fmt" "hash" "io" @@ -421,7 +421,7 @@ func (s *Storage) Symlink(artifact sourcev1.Artifact, linkName string) (string, return url, nil } -// Checksum returns the SHA1 checksum for the data of the given io.Reader as a string. +// Checksum returns the SHA256 checksum for the data of the given io.Reader as a string. func (s *Storage) Checksum(reader io.Reader) string { h := newHash() _, _ = io.Copy(h, reader) @@ -447,7 +447,7 @@ func (s *Storage) LocalPath(artifact sourcev1.Artifact) string { return path } -// newHash returns a new SHA1 hash. +// newHash returns a new SHA256 hash. func newHash() hash.Hash { - return sha1.New() + return sha256.New() } diff --git a/docs/api/source.md b/docs/api/source.md index 78aee678..8caec265 100644 --- a/docs/api/source.md +++ b/docs/api/source.md @@ -856,7 +856,7 @@ string (Optional) -

Checksum is the SHA1 checksum of the artifact.

+

Checksum is the SHA256 checksum of the artifact.