Bug 493315 - FEAT: add sha256sum to coreutils
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: coreutils
Version: 4.8
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Ondrej Vasik
QA Contact: qe-baseos-daemons
Keywords: FutureFeature, Reopened
Depends On:
Blocks: 494835
Reported: 2009-04-01 07:58 EDT by Patrick C. F. Ernzer
Modified: 2011-02-16 09:09 EST
Doc Type: Enhancement
Doc Text:
Although newer ISO images frequently use the SHA-256 algorithm for their checksums, it was not easily possible to verify such checksums on Red Hat Enterprise Linux 4. To target this issue, this updated package contains checksum utilities for the whole SHA-2 family, allowing a user to count or verify SHA-224, SHA-256, SHA-384, and SHA-512 sums.
Last Closed: 2011-02-16 09:09:58 EST
External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2011:0230
Priority: normal
Status: SHIPPED_LIVE
Summary: coreutils bug fix and enhancement update
Last Updated: 2011-02-15 11:35:18 EST

Description Patrick C. F. Ernzer 2009-04-01 07:58:35 EDT
Description of problem:
Starting with Fedora 11 we use sha256sum to generate the checksum files for ISO images. As it would seem quite common for people to use an existing fileserver to install Fedora 11 and RHEL6 from, we really should include sha256sum in the coreutils RPM of all supported RHEL releases.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-31.8.el4_7.1

How reproducible:
always

Steps to Reproduce:
1. be proactive and test Fedora 11 Beta to catch bugs before RHEL 6
2. download F11 Beta ISOs
3. try to verify checksum
  
Actual results:
Checksum file is clearly not sha1 or md5, the sums are too long. The fact that the GPG signed file has 'SHA1' inside has been discussed on fedora-test-list@redhat.com and will be remedied.

But, now knowing that these are sha256 sums, I am unable to check them on my RHEL 4.7 fileserver (which serves up F11 Beta for my test installs).

Expected results:
RHEL4's coreutils needs to include sha256sum if we (rightly) use strong hashes to checksum ISOs for Fedora and RHEL from now on.

Additional info:
For RHEL3 I presume we will not bother pushing sha256sum into coreutils.
For RHEL5, if it also lacks sha256sum, then please clone bug so we track RHEL4 and RHEL5 separately.
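
The check the description could not run, as an added example (not part of the original report and not coreutils or Red Hat code): it reads a coreutils-style checksum list, infers the algorithm from the hex digest length, and skips clearsign armor such as the "Hash: SHA1" header, which is not a listed sum. All function names, file names and sample data are constructed for illustration.

```python
import hashlib
import io
import re

# Hex digest length -> hashlib name (MD5 is 32 hex characters, SHA-1 is 40).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 56: "sha224",
                  64: "sha256", 96: "sha384", 128: "sha512"}
# coreutils-style entry: "<hex digest> <space or *><file name>"
ENTRY = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_checksums(text):
    """Return [(algorithm, digest, name)]. Clearsign armor such as "Hash: SHA1"
    never matches ENTRY and is skipped; the signature is not checked here."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) not in ALGO_BY_HEXLEN:
            raise ValueError("unknown digest length %d: %s" % (len(digest), name))
        entries.append((ALGO_BY_HEXLEN[len(digest)], digest, name))
    return entries

def stream_digest(algo, stream, chunk=1 << 20):
    """Hash a binary stream in 1 MiB chunks so a large ISO is never held in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(text, opener=lambda name: open(name, "rb")):
    """Map each listed file name to True (sum matches) or False."""
    results = {}
    for algo, digest, name in parse_checksums(text):
        with opener(name) as stream:
            results[name] = stream_digest(algo, stream) == digest
    return results

# Constructed sample: in-memory stand-ins for two images; the second sum is wrong.
FILES = {"demo-disc1.iso": b"constructed image one",
         "demo-disc2.iso": b"constructed image two"}
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
    hashlib.sha256(FILES["demo-disc1.iso"]).hexdigest() + " *demo-disc1.iso",
    hashlib.sha256(b"not the image").hexdigest() + " *demo-disc2.iso",
    "-----BEGIN PGP SIGNATURE-----"])

def open_sample(name):
    return io.BytesIO(FILES[name])
```

With the default opener, `verify()` reads the listed names from the current directory; checking the signature on the checksum file remains a separate step with gpg.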
Comment 1 Ondrej Vasik 2009-04-01 08:26:05 EDT
RHEL-5 has the sha256sum utility included, it should not be very hard to backport all sha<whatever>sum utilities from there or Fedora's. There is a RHEL-4.8 coreutils update in RELEASE_PENDING status which resolved all of the RHEL-4 coreutils bugzillas, so maybe the best would be to add those new binaries into that update... But I'm afraid it's too late now ...
Comment 3 RHEL Product and Program Management 2009-04-02 13:15:21 EDT
Quality Engineering Management has reviewed and declined this request.  You may
appeal this decision by reopening this request.
Comment 8 Milan Kerslager 2009-10-04 04:45:02 EDT
As SHA1 should not be used in the meantime in favor of SHA2, I ask you to please include all remaining SHA into RHEL4.
Comment 11 Tony Stocker 2010-03-24 12:15:02 EDT
Due to requirements of the US Federal Government (see information below) we are required to use the SHA2 family of hash algorithms rather than SHA1.  However we have a sizeable investment in RHEL4 platforms with no path to RHEL5 for them in the future, and expect to continue running them for as long as possible unless some new mysterious funding source appears.

Since the federal government is requiring SHA2 support, could you please put these utilities in the RHEL4 stream?

"March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols."

Source [http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html]
Comment 12 Ondrej Vasik 2010-03-24 12:28:56 EDT
I agree that support for SHA2 family hash functions would be a big enhancement - as you could e.g. check checksums of newly created ISOs. Federal government requirements are another reason.
Anyway - bugzilla is not a support channel for RHEL - it is just a bug tracking system. If you want to enhance the chance of getting SHA-2 family <hash>sum utilities, please contact product support to increase the priority of that bugzilla.
Comment 19 Jaromir Hradilek 2010-10-06 19:30:48 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Although newer ISO images frequently use the SHA-256 algorithm for their checksums, it was not easily possible to verify such checksums on Red Hat Enterprise Linux 4. To target this issue, this updated package contains checksum utilities for the whole SHA-2 family, allowing a user to count or verify SHA-224, SHA-256, SHA-384, and SHA-512 sums.
Comment 22 errata-xmlrpc 2011-02-16 09:09:58 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0230.html
