Skip to content

#6055 Add ALLOW_INSECURE_SHA1_HASH flag support #6065

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

#6055 Add ALLOW_INSECURE_SHA1_HASH flag support #6065

wants to merge 6 commits into from

Conversation

martgil
Copy link
Collaborator

@martgil martgil commented Aug 20, 2025

This PR adds a new client configuration flag called ALLOW_INSECURE_SHA1_HASH in goal of supporting keys generated from a legacy system.

close #6055

Tests (delete all except exactly one):

  • Tests added or updated

To be filled by reviewers

I have reviewed that this PR... (tick whichever items you personally focused on during this review):

  • addresses the issue it closes (if any)
  • code is readable and understandable
  • is accompanied with tests, or tests are not needed
  • is free of vulnerabilities
  • is documented clearly and usefully, or doesn't need documentation

@martgil martgil requested a review from sosnovsky as a code owner August 20, 2025 07:55
@martgil martgil marked this pull request as draft August 20, 2025 07:56
@martgil
Copy link
Collaborator Author

martgil commented Aug 20, 2025

Currently trying to write a test for this change.

sosnovsky
sosnovsky reviewed Sep 3, 2025
View reviewed changes
extension/chrome/settings/setup.ts
Comment on lines +126 to +130
if (this.clientConfiguration.shouldAllowInsecureSha1Hash() && typeof opgp !== 'undefined') {
opgp.config.rejectHashAlgorithms = new Set([...defaultRejectedHashAlgo]);
} else {
opgp.config.rejectHashAlgorithms = new Set([...defaultRejectedHashAlgo, opgp.enums.hash.sha1]);
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @martgil, I think we shouldn't completely disable SHA1 algorithm with rejectHashAlgorithms property, as we already show error error verifying signature: Insecure hash algorithm: SHA1. Sender is using old, insecure OpenPGP software. when user verifies message signed with sha1 key.
Disabling sha1 entirely would also make it impossible for users to decrypt older messages encrypted with sha1 keys.
So let's just remove opgp.config.rejectHashAlgorithms property altogether.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand completely, Roma, sorry. I'll be closing this PR and proceed with removing the rejectHashAlgorithms property in openpgp configuration.

@martgil martgil closed this Sep 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sosnovsky sosnovsky sosnovsky left review comments

Assignees

No one assigned

Labels

in progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add configuration flag for allowing SHA1 hash algorithm

2 participants

@martgil @sosnovsky