Hi everyone,
I'm pleased to announce the release of version 0.2.7 of sha1collisiondetection, our low-level library that implements SHA-1, which also detects and foils known SHA-1 collision attacks.
I have published sha1collisiondetection on crates.io:
https://crates.io/crates/sha1collisiondetection
You can also fetch version 0.2.7 using the v0.2.7 tag:
https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/tags/v0.2.7
which I signed:
$ git verify-tag v0.2.7
gpg: Signature made Fri May 5 11:15:31 2023 CEST
gpg: using EDDSA key E7E2B84A36457BEA3F43692DE68BE3B312FA33FC
gpg: issuer "wiktor@metacode.biz"
gpg: Good signature from "Wiktor Kwapisiewicz wiktor@metacode.biz"
There is one significant change in this release: we fixed the code that incorrectly assumed that unaligned memory accesses are okay on x86 and x86_64 [0]. The nightly version of the Rust compiler started checking for this kind of issue recently [1][2] and because of that any code that transitively depended on sha1collisiondetection (e.g. crates using sequoia-openpgp) panicked when running tests.
The underlying issue [3] was reported to us by Sosthene from Nitrokey as well as Kushal Das. Thank you!
Wiktor on behalf of the whole Sequoia PGP team
[0]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13
[1]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13
[2]: https://github.com/rust-lang/rust/pull/98112
[3]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/issues/7
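
An added illustration of the bug class named in the announcement, not code from sha1collisiondetection or its fix: loading SHA-1's big-endian 32-bit words from a byte buffer at an arbitrary offset, with the pointer-cast pattern shown for contrast beside two alignment-safe loads. All function names and the sample buffer are hypothetical and constructed for this example.

```rust
use std::ptr;

// Pattern at issue: cast a byte pointer to *const u32 and dereference it.
// Undefined behaviour in Rust when `p` is not 4-byte aligned, even though
// x86/x86_64 CPUs tolerate the load. Shown for contrast, never called.
#[allow(dead_code)]
unsafe fn load_word_unsound(p: *const u8) -> u32 {
    u32::from_be(*(p as *const u32))
}

// Alignment-agnostic raw load: read_unaligned accepts any address.
fn load_word_read_unaligned(buf: &[u8], off: usize) -> u32 {
    assert!(off + 4 <= buf.len());
    // SAFETY: the four bytes are in bounds (checked above).
    u32::from_be(unsafe { ptr::read_unaligned(buf.as_ptr().add(off) as *const u32) })
}

// Fully safe load: copy four bytes, then convert from big-endian.
fn load_word_safe(buf: &[u8], off: usize) -> u32 {
    let mut w = [0u8; 4];
    w.copy_from_slice(&buf[off..off + 4]);
    u32::from_be_bytes(w)
}

// Decode one 64-byte SHA-1 block at any offset into its 16 big-endian words.
fn block_words(buf: &[u8], off: usize) -> [u32; 16] {
    let mut words = [0u32; 16];
    for (i, w) in words.iter_mut().enumerate() {
        *w = load_word_safe(buf, off + 4 * i);
    }
    words
}

// Constructed sample input: the bytes 0, 1, 2, ..., 79.
fn sample() -> Vec<u8> {
    (0u8..80).collect()
}

// First offset whose address is not 4-byte aligned.
fn misaligned_offset(buf: &[u8]) -> usize {
    (0..4).find(|&o| (buf.as_ptr() as usize + o) % 4 != 0).unwrap()
}

fn main() {
    let buf = sample();
    let off = misaligned_offset(&buf);
    let words = block_words(&buf, off);
    println!("offset {off}: first word {:#010x}, last word {:#010x}", words[0], words[15]);
}
```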