From 5cf540087d632ca88859459cd190207217684df2 Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Tue, 2 Apr 2024 13:30:00 +0200
Subject: [PATCH] Make SHA256 the default HashAlgorithm.
As of 2020, attacks against SHA1 need to be considered practical. It is therefore recommended to move on to a more secure hash algorithm. Other OpenPGP implementations, such as Sequoia-PGP moved on as well. See e.g. https://sequoia-pgp.org/blog/2023/02/01/202302-happy-sha1-day/
---
 rpm/src/main/java/org/eclipse/packager/rpm/HashAlgorithm.java | 4 ++--
 .../packager/rpm/signature/RsaHeaderSignatureProcessor.java | 2 +-
 .../eclipse/packager/rpm/signature/RsaSignatureProcessor.java | 2 +-
 .../java/org/eclipse/packager/rpm/yum/RepositoryCreator.java | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/HashAlgorithm.java b/rpm/src/main/java/org/eclipse/packager/rpm/HashAlgorithm.java
index 37876f9..4daa1d6 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/HashAlgorithm.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/HashAlgorithm.java
@@ -42,7 +42,7 @@ public String getId() {
 *

* This method will return the hash algorithm as specified by the
 * parameter "name". If this parameter is {@code null} or an empty
- * string, then the default algorithm {@link #SHA1} will be returned. If
+ * string, then the default algorithm {@link #SHA256} will be returned. If
 * algorithm is an invalid name, then an exception is thrown.
 *

* 
@@ -52,7 +52,7 @@ public String getId() {
 */
 public static HashAlgorithm from(final String name) {
 if (name == null || name.isEmpty()) {
- return SHA1;
+ return SHA256;
 }
 return HashAlgorithm.valueOf(name);
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
index 7bd2b26..473cca8 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
@@ -50,7 +50,7 @@ public RsaHeaderSignatureProcessor(final PGPPrivateKey privateKey, final HashAlg
 }
 public RsaHeaderSignatureProcessor(final PGPPrivateKey privateKey) {
- this(privateKey, HashAlgorithmTags.SHA1);
+ this(privateKey, HashAlgorithmTags.SHA256);
 }
 @Override
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
index 91f4335..123c993 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
@@ -53,7 +53,7 @@ public RsaSignatureProcessor(final PGPPrivateKey privateKey, final HashAlgorithm
 }
 public RsaSignatureProcessor(final PGPPrivateKey privateKey) {
- this(privateKey, HashAlgorithmTags.SHA1);
+ this(privateKey, HashAlgorithmTags.SHA256);
 }
 @Override
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java b/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
index 6bb9600..6f9a8d2 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
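Review bot: The Javadoc for `from` still describes the failure case only as "an exception is thrown", while the body delegates to `HashAlgorithm.valueOf(name)`, which throws `IllegalArgumentException` for any name that is not an enum constant; now that the default has moved, a `@throws IllegalArgumentException if {@code name} is not the name of a {@link HashAlgorithm} constant` tag just above the closing `*/` in this hunk would pin the contract. It is also worth stating in the `@return` text that only a null or empty name falls back to `{@link #SHA256}`, so callers that still pass the literal `"SHA1"` (or a blank but non-empty string, which `isEmpty()` does not catch) are not silently upgraded. The `SHA256` constant itself is declared outside the hunk, so I am assuming it already exists on the enum.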
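Review bot: The new default is spelled out as the raw tag `HashAlgorithmTags.SHA256` in this one-argument constructor, again in `RsaSignatureProcessor`, again in `RepositoryCreator.Builder.setSigning`, and separately as `SHA256` in `HashAlgorithm.from`; four independent literals is exactly how a SHA-1 default lingers, and the next migration is likely to miss one. A single shared default, e.g. `public static final HashAlgorithm DEFAULT = SHA256;` on `HashAlgorithm` (with a matching tag constant if the int-tag overloads must stay), referenced from all four sites, keeps them in lock-step; here that would read `this(privateKey, HashAlgorithm.DEFAULT);` if the two-argument constructor accepting `HashAlgorithm` is the one used. The one-argument constructor also deserves a one-line Javadoc naming the default it selects, since the class Javadoc is outside this hunk. The enclosing class continues beyond the hunk on both sides.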
@@ -440,7 +440,7 @@ public Builder setSigning(final Function signingStre
 }
 public Builder setSigning(final PGPPrivateKey privateKey) {
- return setSigning(privateKey, HashAlgorithmTags.SHA1);
+ return setSigning(privateKey, HashAlgorithmTags.SHA256);
 }
 public Builder setSigning(final PGPPrivateKey privateKey, final HashAlgorithm hashAlgorithm) {