The SHA-1 collision that Google and CWI Amsterdam successfully demonstrated had immediate implications for the artifacts you store in your repositories. Effectively, it means that one artifact could impersonate another: two different files can share the same SHA-1 checksum. In other words, you download the artifact you want, validate its integrity using its SHA-1 checksum, and still end up with a different artifact, which exposes you to a whole world of potential vulnerabilities in your software.
To prevent this scenario, Artifactory's SHA256 compatibility natively supports SHA256 checksums, for which no practical collision attack is known, so when you validate the integrity of a downloaded binary against its SHA256 checksum you can be confident that its contents have not been tampered with.
What does SHA256 compatibility give you?
Any artifact uploaded to a repository automatically has its SHA256 calculated, and the SHA256 values of the artifacts in your repositories can be used for a variety of functions:
- They can be used in AQL queries, and are returned in corresponding responses
- They are included as download header information
- They can be used in the Deploy Artifact and Deploy Artifact by Checksum REST API endpoints
- They are included when downloading a folder
- They are displayed in the General Information tab of the Artifact Repository Browser
- They can be used in a variety of REST API endpoints used for search
With the current state of technology, SHA256 compatibility provides unequivocal validation of your binaries, offering the highest level of security available in a repository manager today.
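As an added illustration of the download-header use case above (example code written for this page, not Artifactory's own client code), the following verifies a downloaded artifact against the checksum headers, preferring SHA-256 and refusing to trust a SHA-1-only checksum unless explicitly allowed. The header names X-Checksum-Sha256 and X-Checksum-Sha1 and the sample artifact bytes are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample artifact bytes (stand-in for a downloaded binary).
SAMPLE_ARTIFACT = b"example-library-1.0.0.jar contents (constructed sample)\n"
TAMPERED_ARTIFACT = b"example-library-1.0.0.jar contents (altered stand-in)\n"

# Assumed download header names; confirm against your Artifactory version.
HEADER_MAP = {"x-checksum-sha256": "sha256", "x-checksum-sha1": "sha1"}


def digests(data: bytes, chunk_size: int = 8192) -> dict:
    """Hash an artifact in chunks so large binaries need not sit in memory."""
    hashers = {"sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def expected_checksums(headers: dict) -> dict:
    """Extract checksum headers (case-insensitive names) into {algo: hex}."""
    out = {}
    for name, value in headers.items():
        algo = HEADER_MAP.get(name.lower())
        if algo:
            out[algo] = value.strip().lower()
    return out


def verify_download(data: bytes, headers: dict, allow_sha1_only: bool = False) -> tuple:
    """Verify a download; returns (ok, algorithm_used_or_reason).

    SHA-256 is preferred. SHA-1 alone is accepted only when explicitly
    allowed, because a colliding artifact would pass that check.
    """
    expected = expected_checksums(headers)
    actual = digests(data)
    if "sha256" in expected:
        return hmac.compare_digest(expected["sha256"], actual["sha256"]), "sha256"
    if "sha1" in expected and allow_sha1_only:
        return hmac.compare_digest(expected["sha1"], actual["sha1"]), "sha1"
    return False, "no sha256 checksum available"


if __name__ == "__main__":
    hdrs = {"X-Checksum-Sha256": digests(SAMPLE_ARTIFACT)["sha256"]}
    print(verify_download(SAMPLE_ARTIFACT, hdrs))    # (True, 'sha256')
    print(verify_download(TAMPERED_ARTIFACT, hdrs))  # (False, 'sha256')
```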