SHA-1 should be replaced by a safer alternative

[rcaa]

Google has just announced the first SHA-1 collision. Google suggests moving to safer alternatives such as SHA-256.

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1

[igieon]

Or for security reason using pgp signed commits

[flaix]

Which area of application in Gitblit are you thinking of here?

[gitblit]

@fzs That was my question, exactly. 👍

[rcaa]

https://github.com/gitblit/gitblit/blob/master/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java

And all the places that StringUtils.getSHA1(...) is called.

[flaix]

The HtpasswdAuthProvider uses the Apache htpasswd file, so it uses what is compatible with that.

htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine.

Since SHA-1 is supported, that is what it uses. If you want a safer alternative you'll need to rely on your system's crypt routine to provide SHA-512 and somehow make it work. Support for bcrypt is missing, but I would wait to add that until someone is really using it with their Apache server.

As for the rest, SHA-1 is still a valid hash algorithm, just not a cryptographically strong one anymore. So I don't think any uses of StringUtils.getSHA1 need to be replaced that use it for a simple hash. Which would leave the ones where it is used for a secret or something deserving protection.