Replace SHA1 checksums as they 'practically' broken

[emanuelb]

The SHA1 hash was practically broken (regarding collision resistance), see:
https://shattered.io/
thus it's not recommended to use it in scenarios that relay on collision resistance.
Regarding PMA it's mean to remove it's usage as checksum for downloads.
(HMAC-SHA1 [cookie auth + github api] is still safe as it's security not depend on resistance to collisions)

fix:

1. remove SHA1 checksums usage for downloadable files in:
   https://www.phpmyadmin.net/downloads/
   https://www.phpmyadmin.net/themes/
2. optional: add BLAKE2 checksums instead (b2sum tool), more information:
   https://www.gnu.org/software/coreutils/manual/html_node/b2sum-invocation.html#b2sum-invocation
   https://leastauthority.com/blog/BLAKE2-harder-better-faster-stronger-than-MD5/

SHA256 is considered secure, it's not broken even theoretically.

[nijel]

I've removed displaying of SHA1 hashes. It can't be completely removed as it's necessary for composer package list (see composer/composer#5940).

Also I don't think that introducing something else than SHA256 makes sense right now.

[emanuelb]

I've removed displaying of SHA1 hashes.

more places to remove:

website/pmaweb/templates/_dlbox.html

Line 2 in bdea1b4

<a class="btn btn-success download_popup" href="{{ file.get_absolute_url }}" title="Download {{ file.archive }} compressed release, {{ file.size | filesizeformat }}" rel="quick-download" data-sha1="{{ file.sha1 }}" data-sha256="{{ file.sha256 }}" data-pgp="{{ file.get_signed_url }}"><i class="fa fa-download"></i> Download {{ release.version }}</a>

https://github.com/phpmyadmin/themes/blob/d77636525be8ff713fa67a3ad48f4e97f9d130ea/create-release.sh#L76
https://github.com/phpmyadmin/themes/blob/d77636525be8ff713fa67a3ad48f4e97f9d130ea/create-release.sh#L97

does all the below instances required for the adding of SHA1 to packages.json ( in composer usage) ?

several mentions in (lines: 38-39, 44)

website/files/management/commands/add_missing_checksums.py

Line 24 in f59a3ee

from hashlib import sha256, sha1

website/files/models.py

Line 253 in e00abfb

sha1 = models.CharField(max_length=40)

website/files/models.py

Line 326 in e00abfb

sha1 = models.CharField(max_length=40)

website/files/management/commands/import_files.py

Line 54 in f59a3ee

download.sha1 = read_sum('{0}.sha1'.format(filename))

website/files/management/commands/import_themes.py

Line 59 in f59a3ee

'sha1': read_sum(

It can't be completely removed as it's necessary for composer package list (see composer/composer#5940).

Yeah, they bit slow on the needed work regarding transition to more secure checksums & verification mechanisms :(

Also I don't think that introducing something else than SHA256 makes sense right now.

agree, thus added it as optional (BLAKE2/SHA-3 are better for new usages, still SHA-256 usage is good from security POV)

[nijel]

All the locations in files are needed to ensure everything works with composer (some of them cover corner cases which probably won't happen). I've kept the same code on themes as well right now to have consistent code for both files and themes. It's not used there, but IMHO it's better from maintenance perspective.

As for adding another checksums, I'd prefer to wait until either of these is widely used, what doesn't seem to be case for neither of them right now (in the end we need something people know and will use).

[emanuelb]

As for adding another checksums, I'd prefer to wait until either of these is widely used, what doesn't seem to be case for neither of them right now (in the end we need something people know and will use).

agree, and using sha-256 is totally fine, even if sha-3/blake2 is better (and has the related tools in coreutils as well) :)