Merge pull request #2699 from OSInside/drop_insecure_md5_usage

Drop insecure and unsupported md5 digest

doc/source/building_images/build_expandable_disk.rst

@@ -183,18 +183,18 @@ a target system:
           scp pxeboot.{exc_image_base_name_disk}.x86_64-{exc_image_version}.initrd PXE_SERVER_IP:/srv/tftpboot/boot/initrd
           scp pxeboot.{exc_image_base_name_disk}.x86_64-{exc_image_version}.kernel PXE_SERVER_IP:/srv/tftpboot/boot/linux
 
-3. Copy the disk image, MD5 file, system kernel, initrd and bootoptions to
+3. Copy the disk image, SHA256 file, system kernel, initrd and bootoptions to
    the PXE boot server.
 
    Activation of the deployed system is done via `kexec` of the kernel
    and initrd provided here.
 
-   a) Copy system image and MD5 checksum:
+   a) Copy system image and SHA256 checksum:
 
       .. code:: bash
 
           scp {exc_image_base_name_disk}.x86_64-{exc_image_version}.xz PXE_SERVER_IP:/srv/tftpboot/image/
-          scp {exc_image_base_name_disk}.x86_64-{exc_image_version}.md5 PXE_SERVER_IP:/srv/tftpboot/image/
+          scp {exc_image_base_name_disk}.x86_64-{exc_image_version}.sha256 PXE_SERVER_IP:/srv/tftpboot/image/
 
    b) Copy kernel, initrd and bootoptions used for booting the system via kexec:
 
@@ -224,7 +224,7 @@ a target system:
 
    The location of the image is specified as a source URI that can point
    to any location supported by the `curl` command. {kiwi} uses `curl` to fetch
-   the data from this URI. This means that the image, MD5 file, system kernel
+   the data from this URI. This means that the image, checksum file, system kernel
    and initrd can be fetched from any server, and they do not need to be stored
    on the `PXE_SERVER`.
 
@@ -425,4 +425,4 @@ The `initrd` child element of `installmedia` lists dracut modules. The element's
 `action` attribute determines whether the dracut module is omitted
 (`action="omit"`) or added (`action="add"`). Use `action="set"` to use only the
 listed modules and nothing else (that is, none of the dracut modules included by
-default).
+default).

doc/source/working_with_images/legacy_netboot_root_filesystem.rst

@@ -90,12 +90,12 @@ system. As diskless client, a QEMU virtual machine is used.
        $ cp *.initrd /srv/tftpboot/boot/initrd
        $ cp *.kernel /srv/tftpboot/boot/linux
 
-5. Copy the system image and its MD5 sum to :file:`/srv/tftpboot/image`:
+5. Copy the system image and its SHA256 sum to :file:`/srv/tftpboot/image`:
 
    .. code:: bash
 
        $ cp {exc_image_base_name_pxe}.x86_64-{exc_image_version} /srv/tftpboot/image
-       $ cp {exc_image_base_name_pxe}.x86_64-{exc_image_version}.md5 /srv/tftpboot/image
+       $ cp {exc_image_base_name_pxe}.x86_64-{exc_image_version}.sha256 /srv/tftpboot/image
 
 6. Adjust the PXE configuration file.
    The configuration file controls which kernel and initrd is
@@ -317,7 +317,7 @@ CONF, the following setup is required:
    RELOAD_CONFIG=1
 
 By default only configuration files which has changed according to
-their md5sum value will be reloaded. With the above setup all files
+their checksum value will be reloaded. With the above setup all files
 will be reloaded from the PXE server. The option only applies to
 configurations with a DISK/PART setup
 

dracut/modules.d/90kiwi-dump/kiwi-dump-image.sh

@@ -305,7 +305,7 @@ function check_image_integrity {
     local progress=/dev/install_verify_progress
     local verify_text="Verifying ${image_target}"
     local title_text="Installation..."
-    local verify_result=/dumped_image.md5
+    local verify_result=/dumped_image.sha256
     kiwi_oemskipverify=$(bool "${kiwi_oemskipverify}")
     kiwi_oemsilentverify=$(bool "${kiwi_oemsilentverify}")
     if [ "${kiwi_oemskipverify}" = "true" ];then
@@ -318,13 +318,13 @@ function check_image_integrity {
         setup_progress_fifo ${progress}
         (
             pv --size $((blocks * blocksize)) --stop-at-size \
-            -n "${image_target}" | md5sum - > ${verify_result}
+            -n "${image_target}" | sha256sum - > ${verify_result}
         ) 2>${progress} &
         run_progress_dialog "${verify_text}" "${title_text}"
     else
         # verify with silently blocked console
         head --bytes=$((blocks * blocksize)) "${image_target}" |\
-        md5sum - > ${verify_result}
+        sha256sum - > ${verify_result}
     fi
     local checksum_dumped_image
     local checksum_fileref
@@ -341,7 +341,7 @@ function get_local_image_source_files {
     local iso_mount_point=/run/install
     local image_mount_point=/run/image
     local image_source
-    local image_md5
+    local image_sha256
     mkdir -m 0755 -p "${iso_mount_point}"
     if ! mount -n "${iso_device}" "${iso_mount_point}"; then
         report_and_quit "Failed to mount install ISO device"
@@ -351,14 +351,14 @@ function get_local_image_source_files {
         report_and_quit "Failed to mount install image squashfs filesystem"
     fi
     image_source="$(echo "${image_mount_point}"/*.raw)"
-    image_md5="$(echo "${image_mount_point}"/*.md5)"
-    echo "${image_source}|${image_md5}"
+    image_sha256="$(echo "${image_mount_point}"/*.sha256)"
+    echo "${image_source}|${image_sha256}"
 }
 
 function get_remote_image_source_files {
     local image_uri
     local install_dir=/run/install
-    local image_md5="${install_dir}/image.md5"
+    local image_sha256="${install_dir}/image.sha256"
     local metadata_dir="${install_dir}/boot/remote/loader"
 
     mkdir -p "${metadata_dir}"
@@ -367,8 +367,8 @@ function get_remote_image_source_files {
     # make sure the protocol type is tftp for metadata files. There is no need for
     # complex protocol types on small files and for standard PXE boot operations
     # only tftp can be guaranteed
-    image_md5_uri=$(
-        echo "${image_uri}" | awk '{ gsub("\\.xz",".md5", $1); gsub("dolly:","tftp:", $1); print $1 }'
+    image_sha256_uri=$(
+        echo "${image_uri}" | awk '{ gsub("\\.xz",".sha256", $1); gsub("dolly:","tftp:", $1); print $1 }'
     )
     image_initrd_uri=$(
         echo "${image_uri}" | awk '{ gsub("\\.xz",".initrd", $1); gsub("dolly:","tftp:", $1); print $1 }'
@@ -381,15 +381,15 @@ function get_remote_image_source_files {
         awk '{ gsub("\\.xz",".config.bootoptions", $1); gsub("dolly:","tftp:", $1); print $1 }'
     )
 
-    # if we can not access image_md5_uri, maybe network setup
+    # if we can not access image_sha256_uri, maybe network setup
     # by dracut did fail, so collect some additional info
-    if ! fetch_file "${image_md5_uri}" > "${image_md5}";then
+    if ! fetch_file "${image_sha256_uri}" > "${image_sha256}";then
         {
             echo "--- ip a ---"; ip a
             echo "--- ip r ---"; ip r
         } >> /tmp/fetch.info 2>&1
         show_log_and_quit \
-            "Failed to fetch ${image_md5_uri}" /tmp/fetch.info
+            "Failed to fetch ${image_sha256_uri}" /tmp/fetch.info
     fi
 
     if ! fetch_file "${image_kernel_uri}" > "${metadata_dir}/linux";then
@@ -409,7 +409,7 @@ function get_remote_image_source_files {
             "Failed to fetch ${image_config_uri}" /tmp/fetch.info
     fi
 
-    echo "${image_uri}|${image_md5}"
+    echo "${image_uri}|${image_sha256}"
 }
 
 #======================================

dracut/modules.d/90kiwi-dump/module-setup.sh

@@ -21,7 +21,7 @@ install() {
     declare moddir=${moddir}
     declare systemdutildir=${systemdutildir}
     inst_multiple \
-        tr lsblk dd md5sum head pv kexec basename awk kpartx
+        tr lsblk dd sha256sum head pv kexec basename awk kpartx
 
     inst_hook pre-udev 30 "${moddir}/kiwi-installer-genrules.sh"
 

kiwi/builder/container.py

@@ -55,7 +55,7 @@ def __init__(
         self.requested_container_type = xml_state.get_build_type_name()
         self.delta_root = xml_state.build_type.get_delta_root()
         self.base_image = None
-        self.base_image_md5 = None
+        self.base_image_sha256 = None
         self.ensure_empty_tmpdirs = True
 
         self.container_config['xz_options'] = \
@@ -67,22 +67,22 @@ def __init__(
         if xml_state.get_derived_from_image_uri() and not self.delta_root:
             # The base image(all derived imports) is expected to be unpacked
             # by the kiwi prepare step and stored inside of the root_dir/image
-            # directory. In addition a md5 file of the image is expected too
+            # directory. In addition a sha256 file of the image is expected too
             self.base_image = Defaults.get_imported_root_image(
                 self.root_dir
             )
-            self.base_image_md5 = ''.join([self.base_image, '.md5'])
+            self.base_image_sha256 = ''.join([self.base_image, '.sha256'])
 
             if not os.path.exists(self.base_image):
                 raise KiwiContainerBuilderError(
                     'Unpacked Base image {0} not found'.format(
                         self.base_image
                     )
                 )
-            if not os.path.exists(self.base_image_md5):
+            if not os.path.exists(self.base_image_sha256):
                 raise KiwiContainerBuilderError(
-                    'Base image MD5 sum {0} not found at'.format(
-                        self.base_image_md5
+                    'Base image SHA256 sum {0} not found at'.format(
+                        self.base_image_sha256
                     )
                 )
 
@@ -131,7 +131,7 @@ def create(self) -> Result:
             container_setup.setup()
         else:
             checksum = Checksum(self.base_image)
-            if not checksum.matches(checksum.md5(), self.base_image_md5):
+            if not checksum.matches(checksum.sha256(), self.base_image_sha256):
                 raise KiwiContainerBuilderError(
                     'base image file {0} checksum validation failed'.format(
                         self.base_image

kiwi/builder/install.py

@@ -119,8 +119,8 @@ def __init__(
         self.squashed_diskname = ''.join(
             [xml_state.xml_data.get_name(), '.raw']
         )
-        self.md5name = ''.join(
-            [xml_state.xml_data.get_name(), '.md5']
+        self.sha256name = ''.join(
+            [xml_state.xml_data.get_name(), '.sha256']
         )
         self.xz_options = custom_args['xz_options'] if custom_args \
             and 'xz_options' in custom_args else None
@@ -174,7 +174,7 @@ def create_install_iso(self) -> None:
             prefix='kiwi_install_squashfs.', path=self.target_dir
         ).new_dir()
         checksum = Checksum(self.diskname)
-        checksum.md5(self.squashed_contents.name + '/' + self.md5name)
+        checksum.sha256(self.squashed_contents.name + '/' + self.sha256name)
 
         # the system image name is stored in a config file
         self._write_install_image_info_to_iso_image()
@@ -291,14 +291,14 @@ def create_install_pxe_archive(self) -> None:
 
         # the system image transfer is checked against a checksum
         log.info('Creating disk image checksum')
-        pxe_md5_filename = ''.join(
+        pxe_sha256_filename = ''.join(
             [
                 self.pxe_dir.name, '/',
-                self.pxename, '.md5'
+                self.pxename, '.sha256'
             ]
         )
         checksum = Checksum(self.diskname)
-        checksum.md5(pxe_md5_filename)
+        checksum.sha256(pxe_sha256_filename)
 
         # the install image name is stored in a config file
         if self.initrd_system == 'kiwi':

kiwi/builder/kis.py

@@ -88,7 +88,7 @@ def __init__(
         self.image: str = ''
         self.append_file = ''.join([self.image_name, '.append'])
         self.archive_name = ''.join([self.image_name, '.tar'])
-        self.checksum_name = ''.join([self.image_name, '.md5'])
+        self.checksum_name = ''.join([self.image_name, '.sha256'])
         self.kernel_filename: str = ''
         self.hypervisor_filename: str = ''
         self.result = Result(xml_state)
@@ -126,9 +126,9 @@ def create(self) -> Result:
                 compress = Compress(self.image)
                 self.image = compress.xz(self.xz_options)
 
-            log.info('Creating root filesystem MD5 checksum')
+            log.info('Creating root filesystem SHA256 checksum')
             checksum = Checksum(self.image)
-            checksum.md5(self.checksum_name)
+            checksum.sha256(self.checksum_name)
 
         # prepare initrd
         if self.boot_image_task.has_initrd_support():

kiwi/config/strip.xml

@@ -179,7 +179,6 @@
         <file name="lvextend"/>
         <file name="lvm"/>
         <file name="lvresize"/>
-        <file name="md5sum"/>
         <file name="mdadm"/>
         <file name="mdmon"/>
         <file name="mkdir"/>

kiwi/schema/kiwi.rnc

@@ -713,7 +713,7 @@ div {
     k.oem-skip-verify.content = xsd:boolean
     k.oem-skip-verify.attlist = empty
     k.oem-skip-verify =
-        ## For oemboot driven images: do not perform the md5
+        ## For oemboot driven images: do not perform the checksum
         ## verification process, true/false
         element oem-skip-verify {
             k.oem-skip-verify.attlist,
@@ -1130,7 +1130,7 @@ div {
         ## Alias name to be used for this repository. This is an
         ## optional free-form text restricted to characters from the
         ## POSIX standard. If not set the source attribute
-        ## value is used and builds the alias name by running a md5 digest
+        ## value is used and builds the alias name by running a checksum digest
         ## of the defined URI of the repository. An alias name should be
         ## set if the source argument doesn't really explain what this
         ## repository contains.

kiwi/schema/kiwi.rng

@@ -1115,7 +1115,7 @@ dump process, true/false</a:documentation>
     </define>
     <define name="k.oem-skip-verify">
       <element name="oem-skip-verify">
-        <a:documentation>For oemboot driven images: do not perform the md5
+        <a:documentation>For oemboot driven images: do not perform the checksum
 verification process, true/false</a:documentation>
         <ref name="k.oem-skip-verify.attlist"/>
         <ref name="k.oem-skip-verify.content"/>
@@ -1740,7 +1740,7 @@ loading of the container at first boot</a:documentation>
         <a:documentation>Alias name to be used for this repository. This is an
 optional free-form text restricted to characters from the
 POSIX standard. If not set the source attribute
-value is used and builds the alias name by running a md5 digest
+value is used and builds the alias name by running a checksum digest
 of the defined URI of the repository. An alias name should be
 set if the source argument doesn't really explain what this
 repository contains.</a:documentation>

kiwi/system/root_import/base.py

@@ -186,4 +186,4 @@ def sync_data(self):
 
     def _make_checksum(self, image):
         checksum = Checksum(image)
-        checksum.md5(''.join([image, '.md5']))
+        checksum.sha256(''.join([image, '.sha256']))

kiwi/utils/checksum.py

@@ -21,6 +21,7 @@
 import encodings.ascii as encoding
 
 # project
+from kiwi.api_helper import decommissioned
 from kiwi.utils.compress import Compress
 from kiwi.utils.primes import factors
 
@@ -70,24 +71,9 @@ def matches(self, checksum, filename):
                 return True
         return False
 
+    @decommissioned
     def md5(self, filename=None):
-        """
-        Create md5 checksum
-
-        :param str filename: filename for checksum
-
-        :return: checksum
-
-        :rtype: str
-        """
-        md5_checksum = self._calculate_hash_hexdigest(
-            hashlib.md5(), self.source_filename
-        )
-        if filename:
-            self._create_checksum_file(
-                md5_checksum, filename
-            )
-        return md5_checksum
+        pass  # pragma: no cover
 
     def sha256(self, filename=None):
         """
@@ -122,7 +108,7 @@ def _create_checksum_file(self, checksum, filename):
                 os.path.getsize(compress.uncompressed_filename)
             )
             checksum = self._calculate_hash_hexdigest(
-                hashlib.md5(), compress.uncompressed_filename
+                hashlib.sha256(), compress.uncompressed_filename
             )
         else:
             blocks = self._block_list(