sign: drop support for creating SHA-1 signatures (#1748)

This removes support for creating SHA-1 signatures via melange.
chainguard-dev · Feb 28, 2025 · 094b4f1 · 094b4f1
1 parent 3337f81
commit 094b4f1
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 40 deletions.
diff --git a/Makefile b/Makefile
@@ -128,8 +128,8 @@ fmt: ## Format all go files
 checkfmt: SHELL := /usr/bin/env bash
 checkfmt: ## Check formatting of all go files
 	@ $(MAKE) --no-print-directory log-$@
- 	$(shell test -z "$(shell gofmt -l $(GOFILES) | tee /dev/stderr)")
- 	$(shell test -z "$(shell goimports -l $(GOFILES) | tee /dev/stderr)")
+	$(shell test -z "$(shell gofmt -l $(GOFILES) | tee /dev/stderr)")
+	$(shell test -z "$(shell goimports -l $(GOFILES) | tee /dev/stderr)")
 
 log-%:
 	@grep -h -E '^$*:.*?## .*$$' $(MAKEFILE_LIST) | \
@@ -148,12 +148,10 @@ lint: checkfmt setup-golangci-lint ## Run linters and checks like golangci-lint
 .PHONY: unit
 unit:
 	go test ./... -race
-	SIGNING_DIGEST=SHA1 go test ./... -race
 
 .PHONY: integration
 integration:
 	go test ./... -race -tags=integration
-	SIGNING_DIGEST=SHA1 go test ./... -race -tags=integration
 
 .PHONY: test
 test: integration

diff --git a/pkg/build/sign.go b/pkg/build/sign.go
@@ -22,21 +22,6 @@ type ApkSigner interface {
 	SignatureName() string
 }
 
-var melangeApkDigest crypto.Hash
-
-func init() {
-	melangeApkDigest = crypto.SHA256
-	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
-		switch digest {
-		case "SHA256":
-		case "SHA1":
-			melangeApkDigest = crypto.SHA1
-		default:
-			panic(fmt.Errorf("unsupported SIGNING_DIGEST"))
-		}
-	}
-}
-
 func EmitSignature(ctx context.Context, signer ApkSigner, controlData []byte, sde time.Time) ([]byte, error) {
 	_, span := otel.Tracer("melange").Start(ctx, "EmitSignature")
 	defer span.End()
@@ -89,16 +74,13 @@ type KeyApkSigner struct {
 }
 
 func (s KeyApkSigner) Sign(control []byte) ([]byte, error) {
-	controlDigest, err := sign.HashData(control, melangeApkDigest)
+	controlDigest, err := sign.HashData(control, crypto.SHA256)
 	if err != nil {
 		return nil, err
 	}
-	return sign.RSASignDigest(controlDigest, melangeApkDigest, s.KeyFile, s.KeyPassphrase)
+	return sign.RSASignDigest(controlDigest, crypto.SHA256, s.KeyFile, s.KeyPassphrase)
 }
 
 func (s KeyApkSigner) SignatureName() string {
-	if melangeApkDigest == crypto.SHA256 {
-		return fmt.Sprintf(".SIGN.RSA256.%s.pub", filepath.Base(s.KeyFile))
-	}
-	return fmt.Sprintf(".SIGN.RSA.%s.pub", filepath.Base(s.KeyFile))
+	return fmt.Sprintf(".SIGN.RSA256.%s.pub", filepath.Base(s.KeyFile))
 }
diff --git a/pkg/sign/apk_test.go b/pkg/sign/apk_test.go
@@ -54,30 +54,18 @@ func TestAPK(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	melangeApkDigest := crypto.SHA256
-	prefix := ".SIGN.RSA256."
-	if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
-		switch digest {
-		case "SHA256":
-		case "SHA1":
-			melangeApkDigest = crypto.SHA1
-			prefix = ".SIGN.RSA."
-		default:
-			t.Fatalf("unsupported SIGNING_DIGEST")
-		}
-	}
-	if sigName != prefix+testPubkey {
+	if sigName != ".SIGN.RSA256."+testPubkey {
 		t.Fatalf("unexpected signature name %s", sigName)
 	}
-	digest, err := signature.HashData(controlData, melangeApkDigest)
+	digest, err := signature.HashData(controlData, crypto.SHA256)
 	if err != nil {
 		t.Fatal(err)
 	}
 	pubKey, err := os.ReadFile("testdata/" + testPubkey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := signature.RSAVerifyDigest(digest, melangeApkDigest, sig, pubKey); err != nil {
+	if err := signature.RSAVerifyDigest(digest, crypto.SHA256, sig, pubKey); err != nil {
 		t.Fatal(err)
 	}
 }