* [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512
@ 2026-05-13 14:46 Joshua Watt
  2026-05-13 20:21 ` Alexander Kanavin
  2026-05-14  6:55 ` Richard Purdie
  0 siblings, 2 replies; 4+ messages in thread
From: Joshua Watt @ 2026-05-13 14:46 UTC (permalink / raw)
  To: bitbake-devel; +Cc: Joshua Watt

Regulatory standards for Software Bill of Materials like BSI TR-03183
[1] are requiring SHA 512 as the minimum checksum for validation.
Upgrade the checksum suggested by the bitbake fetcher to align with this
requirement.

Note that the checker has allowed SHA 512 as the checksum for some time
now; this only changes the checksum that is suggested by tooling.

[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 lib/bb/fetch2/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index f7d5dfe9a..1e78c4fda 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -35,7 +35,7 @@ _revisions_cache = bb.checksum.RevisionsCache()
 logger = logging.getLogger("BitBake.Fetcher")
 
 CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
-SHOWN_CHECKSUM_LIST = ["sha256"]
+SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
 
 class BBFetchException(Exception):
     """Class all fetch exceptions inherit from"""
-- 
2.54.0




* Re: [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512
  2026-05-13 14:46 [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512 Joshua Watt
@ 2026-05-13 20:21 ` Alexander Kanavin
  2026-05-13 21:13   ` Joshua Watt
  2026-05-14  6:55 ` Richard Purdie
  1 sibling, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2026-05-13 20:21 UTC (permalink / raw)
  To: JPEWhacker; +Cc: bitbake-devel

On Wed, 13 May 2026 at 16:46, Joshua Watt via lists.openembedded.org
<JPEWhacker=gmail.com@lists.openembedded.org> wrote:
>  CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> -SHOWN_CHECKSUM_LIST = ["sha256"]
> +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]

This raises so many questions :)
- why suggest adding/fixing both sha256 and sha512 to users, and not
just sha512? One checksum is enough, and causes less visual clutter in
recipes
- if sha512 is suggested, should devtool be tweaked to add that in
version upgrades and newly added recipes? (something similar was
previously done to assist md5 to sha256 transition)
- last but not least, should we look into adding support for better,
newer ways to identify commits in git, replacing the classic,
not-that-secure sha1?

Alex



* Re: [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512
  2026-05-13 20:21 ` Alexander Kanavin
@ 2026-05-13 21:13   ` Joshua Watt
  0 siblings, 0 replies; 4+ messages in thread
From: Joshua Watt @ 2026-05-13 21:13 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: bitbake-devel

On Wed, May 13, 2026 at 2:21 PM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> On Wed, 13 May 2026 at 16:46, Joshua Watt via lists.openembedded.org
> <JPEWhacker=gmail.com@lists.openembedded.org> wrote:
> >  CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> > -SHOWN_CHECKSUM_LIST = ["sha256"]
> > +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
>
> This raises so many questions :)
> - why suggest adding/fixing both sha256 and sha512 to users, and not
> just sha512? One checksum is enough, and causes less visual clutter in
> recipes

I suspect we'd want to make SHA-512 the only option by the next LTS. I
don't have a strong opinion if we do that now or in a future release.

> - if sha512 is suggested, should devtool be tweaked to add that in
> version upgrades and newly added recipes? (something similar was
> previously done to assist md5 to sha256 transition)

Probably, but only if we make SHA 512 the only option, so see above.

> - last but not least, should we look into adding support for better,
> newer ways to identify commits in git, replacing the classic,
> not-that-secure sha1 ?

I've not seen any guidance about what to do with git SHAs in e.g. BSI
TR-03183, so I'm operating under the assumption that SHA 1 is fine for
now. If you know of a better way to do it, and/or see some
specification that demands we do something different, we can discuss
that. Either way, I would consider changing the way git works as out
of scope for this change.

>
> Alex
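As an added illustration of what the thread is discussing, the model below (not bitbake's own fetcher code, which lives in lib/bb/fetch2) separates the two roles of the constants in the patch: CHECKSUM_LIST is what verification accepts, SHOWN_CHECKSUM_LIST is only what gets suggested when a recipe declares no checksum, so the change turns a one-line suggestion into a two-line one without affecting recipes that already carry a sha256 or sha512 value. A separate meets_minimum check expresses the "SHA-512 as the minimum" policy from the commit message and the "SHA-512 only" option raised in the reply. The function names, STRENGTH_ORDER and the sample archive bytes are constructed for this example.

```python
import hashlib

# Constructed stand-in for a fetched source archive (not a real tarball).
SAMPLE_ARCHIVE = b"constructed sample archive contents for demo v1.0\n"

# Mirrors the two constants touched by the patch; "goh1" is left out
# because hashlib has no such algorithm.
CHECKSUM_LIST = ["md5", "sha256", "sha1", "sha384", "sha512"]
SHOWN_CHECKSUM_LIST_BEFORE = ["sha256"]
SHOWN_CHECKSUM_LIST_AFTER = ["sha256", "sha512"]

# Weakest to strongest; constructed ordering for the minimum-strength policy.
STRENGTH_ORDER = ["md5", "sha1", "sha256", "sha384", "sha512"]


def compute_checksum(algo, data):
    """Hex digest of `data` under `algo`, as sha512sum and friends print it."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def verify_checksums(declared, data, shown):
    """Illustrative model of the fetcher's checksum handling.

    `declared` maps algorithm name -> expected hex digest, as parsed from
    SRC_URI[<algo>sum] lines. With nothing declared, returns
    (False, suggested SRC_URI lines) built from `shown`; otherwise every
    declared digest is checked and any mismatch is reported.
    """
    known = {a: v for a, v in declared.items() if a in CHECKSUM_LIST}
    if not known:
        return False, ['SRC_URI[%ssum] = "%s"' % (a, compute_checksum(a, data))
                       for a in shown]
    mismatches = []
    for algo, expected in known.items():
        actual = compute_checksum(algo, data)
        if actual != expected:
            mismatches.append("%s mismatch: expected %s, got %s" % (algo, expected, actual))
    return not mismatches, mismatches


def meets_minimum(declared, minimum="sha512"):
    """True if at least one declared checksum is `minimum` or stronger."""
    accepted = STRENGTH_ORDER[STRENGTH_ORDER.index(minimum):]
    return any(a in declared for a in accepted)


if __name__ == "__main__":
    for shown in (SHOWN_CHECKSUM_LIST_BEFORE, SHOWN_CHECKSUM_LIST_AFTER):
        print("\n".join(verify_checksums({}, SAMPLE_ARCHIVE, shown)[1]))
```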



* Re: [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512
  2026-05-13 14:46 [bitbake-devel][PATCH] fetch: Upgrade shown checksum to SHA-512 Joshua Watt
  2026-05-13 20:21 ` Alexander Kanavin
@ 2026-05-14  6:55 ` Richard Purdie
  1 sibling, 0 replies; 4+ messages in thread
From: Richard Purdie @ 2026-05-14  6:55 UTC (permalink / raw)
  To: JPEWhacker, bitbake-devel

On Wed, 2026-05-13 at 08:46 -0600, Joshua Watt via lists.openembedded.org wrote:
> Regulatory standards for Software Bill of Materials like BSI TR-03183
> [1] are requiring SHA 512 as the minimum checksum for validation.
> Upgrade the checksum suggested by the bitbake fetcher to align with this
> requirement.
> 
> Note that the checker has allowed SHA 512 as the checksum for some time
> now, this only changes the checksum that is suggested by tooling.
> 
> [1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  lib/bb/fetch2/__init__.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
> index f7d5dfe9a..1e78c4fda 100644
> --- a/lib/bb/fetch2/__init__.py
> +++ b/lib/bb/fetch2/__init__.py
> @@ -35,7 +35,7 @@ _revisions_cache = bb.checksum.RevisionsCache()
>  logger = logging.getLogger("BitBake.Fetcher")
>  
>  CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> -SHOWN_CHECKSUM_LIST = ["sha256"]
> +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
>  
>  class BBFetchException(Exception):
>      """Class all fetch exceptions inherit from"""
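Review bot: since this module-level constant is consumed outside lib/bb/fetch2 (the devtool upgrade test named in this reply fails once the list changes), the patch should land together with the matching devtool and test updates, or the commit message should at least note the dependency, so the tree does not sit in a state where the test is known to fail between the two commits.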
> 

This change will need a tweak to one of the devtool tests:

devtool.DevtoolUpgradeTests.test_devtool_upgrade_drop_md5sum

https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3720
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3853

Cheers,

Richard


