Hi Ulrich,

On Tue, Apr 5, 2022 at 10:15 PM Ulrich Mueller <u...@gentoo.org> wrote:
>
> >>>>> On Tue, 05 Apr 2022, Jason A Donenfeld wrote:
>
> > Huh. Something not brought up there or https://bugs.gentoo.org/784710
> > is the fact that the _security_ of the system reduces to SHA-512 as
> > used by our GPG signatures.
>
> The hash algorithm would be the least of my concerns about the security
> of these signatures.
>
> IIUC, the secret signing key is stored on a machine that is connected to
> the network (Infra, please correct me if I'm wrong). So there are other
> more likely attack vectors than a preimage attack on a 512 bit hash
> function.
You missed the point, which is that having two hashes, SHA512 and BLAKE2b, doesn't actually help anything, since an attacker only must attack SHA512 in order to break the signature system, which is actually what we're relying on for security.

Yes, there are other attacks too on the signature system. But in terms of hashing, my point is that adding an additional hash to manifest files to the one used by the signature doesn't help anything from a security perspective, since if you have an attack on the signature's hash, then no additional hashing is going to actually help.

Jason
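The argument in this thread, as an added toy model that is not part of the e-mail exchange and not Gentoo's Manifest format or verification code: a signature only ever covers sig_hash(manifest), so the per-file SHA512 and BLAKE2b digests listed inside the manifest can be no stronger than sig_hash. The HMAC "signature", the key, the file names and the file contents are all constructed stand-ins, and weak_hash is a deliberately broken 8-bit hash standing in for one with a practical second-preimage attack.

```python
import hashlib
import hmac

# Toy model (not Gentoo's Manifest format or verification code): the signature
# covers only sig_hash(manifest), so digests listed inside inherit its strength.
KEY = b"constructed-signing-key"  # constructed stand-in for the private key

def manifest_body(files, note=b""):
    """DIST lines with two digests per file, plus one free-form trailer line."""
    lines = [b"DIST %s %d SHA512 %s BLAKE2B %s" % (
                 name, len(data), hashlib.sha512(data).hexdigest().encode(),
                 hashlib.blake2b(data).hexdigest().encode())
             for name, data in sorted(files.items())]
    return b"\n".join(lines + [note])

def sign(body, sig_hash):
    # Only the digest of the body is signed, as with an OpenPGP signature.
    return hmac.new(KEY, sig_hash(body), "sha256").digest()

def verify(body, sig, sig_hash, files):
    """Accept only if the signature checks and every file matches both digests."""
    if not hmac.compare_digest(sign(body, sig_hash), sig):
        return False
    for line in body.split(b"\n"):
        if line.startswith(b"DIST "):
            _, name, _, _, sha, _, b2 = line.split()
            data = files.get(name)
            if (data is None or hashlib.sha512(data).hexdigest().encode() != sha
                    or hashlib.blake2b(data).hexdigest().encode() != b2):
                return False
    return True

def strong_hash(body): return hashlib.sha512(body).digest()
# Deliberately broken 8-bit stand-in for a hash with a practical second-preimage attack.
def weak_hash(body): return hashlib.sha512(body).digest()[:1]

def forged_manifest_accepted(sig_hash, budget=1 << 16):
    """Does a manifest for a tampered file pass under the genuine manifest's signature?"""
    genuine = {b"pkg-1.0.tar.xz": b"constructed genuine tarball"}
    tampered = {b"pkg-1.0.tar.xz": b"constructed tampered tarball"}
    sig = sign(manifest_body(genuine), sig_hash)  # the signer never sees 'tampered'
    target = sig_hash(manifest_body(genuine))
    # Whoever writes the manifest recomputes both per-file digests over the
    # tampered file honestly, so only sig_hash stands between them and a match.
    for i in range(budget):
        body = manifest_body(tampered, note=b"# %d" % i)
        if sig_hash(body) == target:
            return verify(body, sig, sig_hash, tampered)
    return False
```

With weak_hash the forged manifest is accepted even though both BLAKE2b and SHA512 columns are checked, because they were written by the same party that produced the colliding manifest; with strong_hash no match is found within the budget and the forgery is rejected.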