From 878550d51949cec38cc475c1ec87b968e8fbec6b Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Sat, 9 Sep 2023 16:39:26 +0100
Subject: use sha512sum to check downloads, not sha1sum
sha-1 has known collision issues, which may not be readily exploitable yet (in our context), but we should ideally use a more secure method for checking file integrity. therefore, use sha-2 (sha512sum) for checking files. this is slower than sha-1, but checksum verification is only a minor part of what lbmk does, so the overall effect on build times is quite negligible.
Signed-off-by: Leah Rowe
---
 script/update/blobs/download | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'script/update/blobs/download')
diff --git a/script/update/blobs/download b/script/update/blobs/download
index 2903c504..0364bfa5 100755
--- a/script/update/blobs/download
+++ b/script/update/blobs/download
@@ -455,7 +455,7 @@ vendor_checksum()
 printf "Vendor update not found on disk for: %s\n" "${board}" \
 1>&2
 return 1
- elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
+ elif [ "$(sha512sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
 printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2
 return 1
 fi
-- cgit v1.2.1
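Review bot: The comparison on the new `elif` line can pass without verifying anything, because the check only fails when the two strings differ. If `sha512sum` prints nothing (unreadable file, or a path that word-splits because `${dl_path}` is unquoted) and the caller passes an empty or unset digest in `${1}`, both sides are empty and the download is accepted. Whether a caller can reach this with an empty digest is not visible here, since `vendor_checksum()` starts and ends outside the hunk, but the guard is cheap: `elif [ -z "${1}" ] || [ "$(sha512sum "${dl_path}" | awk '{print $1}')" != "${1}" ]; then`. The stored digests that callers pass must also now be SHA-512 values; a leftover SHA-1 value fails closed, but with a "Bad checksum" message that does not point at the real cause.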