Deprecate MD5 and SHA1 hashes

Resolves: #1935509

flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch

@@ -0,0 +1,77 @@
+From 2e1efc8d31088fe9da93435d6a761afe37d1992d Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 15:16:12 +0100
+Subject: [PATCH] source-archive, source-file: Deprecate MD5 and SHA1 hashes
+
+... because of their weaknesses, and show a warning suggesting SHA256
+instead.
+
+The new test cases were removed from this commit to simplify the
+downstream build.
+
+https://github.com/flatpak/flatpak-builder/pull/459
+https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+---
+ src/builder-source-archive.c | 12 ++++++++++++
+ src/builder-source-file.c    | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/builder-source-archive.c b/src/builder-source-archive.c
+index 245c7d40bf2e..7a9196723318 100644
+--- a/src/builder-source-archive.c
++++ b/src/builder-source-archive.c
+@@ -226,11 +226,23 @@ builder_source_archive_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+diff --git a/src/builder-source-file.c b/src/builder-source-file.c
+index e4af408dc132..8b2efa643c84 100644
+--- a/src/builder-source-file.c
++++ b/src/builder-source-file.c
+@@ -154,11 +154,23 @@ builder_source_file_set_property (GObject      *object,
+     case PROP_MD5:
+       g_free (self->md5);
+       self->md5 = g_value_dup_string (value);
++      if (self->md5 != NULL && self->md5[0] != '\0')
++        {
++          g_printerr ("The \"md5\" source property is deprecated due to the weakness of MD5 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA1:
+       g_free (self->sha1);
+       self->sha1 = g_value_dup_string (value);
++      if (self->sha1 != NULL && self->sha1[0] != '\0')
++        {
++          g_printerr ("The \"sha1\" source property is deprecated due to the weakness of SHA1 hashes.\n");
++          g_printerr ("Use the \"sha256\" property for the more secure SHA256 hash.\n");
++        }
++
+       break;
+ 
+     case PROP_SHA256:
+-- 
+2.34.1
+

flatpak-builder.spec

@@ -4,7 +4,7 @@
 
 Name:           flatpak-builder
 Version:        1.0.14
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Tool to build flatpaks from source
 
 # src/builder-utils.c has portions derived from GPLv2+ code,
@@ -13,6 +13,9 @@ License:        LGPLv2+ and GPLv2+
 URL:            http://flatpak.org/
 Source0:        https://github.com/flatpak/flatpak-builder/releases/download/%{version}/%{name}-%{version}.tar.xz
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935509
+Patch0:         flatpak-builder-source-archive-source-file-Deprecate-MD5-and-SHA1-ha.patch
+
 BuildRequires:  gettext
 BuildRequires:  docbook-dtds
 BuildRequires:  docbook-style-xsl
@@ -81,6 +84,10 @@ See http://flatpak.org/ for more information.
 
 
 %changelog
+* Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-2
+- Deprecate MD5 and SHA1 hashes
+Resolves: #1935509
+
 * Thu Sep 23 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.0.14-1
 - Update to 1.0.14
 Resolves: #2006557