Artifactory was uniquely designed from the ground-up to optimally manage binaries with the capability to efficiently support packages in any format. One of the key features enabling this flexibility is Checksum-Based Storage. While all artifact files are stored and managed in one of the several options for binary storage supported by Artifactory, the files’ metadata, including its checksum, is maintained in Artifactory’s database. Artifactory uses an artifact’s SHA1 value as a mapping to the file’s physical location in the binary store. This allows many actions on files (such as copy, move, delete and more) to be executed as database transactions making them highly performant. But these checksums also played another important role. They are a way of validating the integrity of any artifact downloaded. That has worked for several years, but recently, Google announced the first ever successful SHA1 collision (i.e. they managed to create two different files with the same SHA1 digest.) But don’t worry, your Artifactory repositories are safe. We are happy to announce that the newly released JFrog Artifactory 5.5 natively supports SHA-256 checksums making your repositories more secure.
Native support for SHA-256 provides a more secure environment for your binary artifacts and supports tools that require the stronger SHA-256 to validate the integrity of files. As cryptographic technology progressed along with computational power, we recognized the need to support SHA-256 providing a safer environment for the binaries our customers work so hard to produce.
What’s wrong with SHA1?
SHA-1 takes the contents of any file and calculates a 160 bit hash value (basically, long string of numbers and letters) that serves as a cryptographic fingerprint for that particular file.
As cryptographic research progressed along with computational power, researchers from Google and the CWI Institute in Amsterdam managed to create 2 files with the same SHA1 hash – this is what we call a collision attack.
A collision attack means one file can impersonate another opening up the possibility for different breaches in security such as faking a digital signature file or an HTTPS certificate. In the context of Artifactory, one artifact could theoretically impersonate another which means that you expect to download an artifact, but get something else instead.
The SHA-256 hash is much stronger than SHA1 removing the risk of a collision. We felt that we had to provide this capability to give our customers full confidence in the security measures offered by Artifactory.
Bullet-proof your artifacts
To mitigate the risk of a SHA1 collision attack you can migrate to SHA-256, and this is exactly what Artifactory 5.5 lets you do. By upgrading to version 5.5, you can migrate your database to use SHA-256 checksums making your repositories more secure since nobody will be able to impersonate your artifacts.
If you’re running Artifactory OSS or Artifactory Pro, you can just go ahead and upgrade to this latests version.
If you’re running an Artifactory Enterprise HA cluster, this more complicated setup has special upgrade instructions. Make sure to follow those instructions carefully.
But note also, that upgrading to 5.5 means Artifactory will be capable of calculating SHA-256 checksums, and indeed, any new artifacts uploaded to your repositories will automatically have their SHA-256 checksums calculated. To calculate the SHA-256 checksums for all your existing artifacts, you need to migrate your database, but don’t worry, we show you exactly how to do that.
Adding support for SHA-256 checksums is a huge step because, even after Google and company cracked SHA1, Artifactory can still provide 100% assurance that the artifacts you download are indeed the ones you asked for, and it’s currently the only repository manager that can do so. But this is only the first step. Going forward we will migrate our binary store to be based on SHA2 also, taking Artifactory security to a new level.