Merge pull request #6986 from libgit2/ethomson/warn_sha1

ethomson · web-flow · commit a8fbbf77b829 · 2024-12-28T09:58:25.000Z
cmake: warn for not using sha1dc
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -150,3 +150,9 @@ endif()
 
 feature_summary(WHAT ENABLED_FEATURES DESCRIPTION "Enabled features:")
 feature_summary(WHAT DISABLED_FEATURES DESCRIPTION "Disabled features:")
+
+# warn for not using sha1dc
+
+foreach(WARNING ${WARNINGS})
+	message(WARNING ${WARNING})
+endforeach()
diff --git a/cmake/SelectHashes.cmake b/cmake/SelectHashes.cmake
@@ -112,3 +112,10 @@ endif()
 
 add_feature_info(SHA1 ON "using ${USE_SHA1}")
 add_feature_info(SHA256 ON "using ${USE_SHA256}")
+
+# warn for users who do not use sha1dc
+
+if(NOT "${USE_SHA1}" STREQUAL "CollisionDetection")
+	list(APPEND WARNINGS "SHA1 support is set to ${USE_SHA1} which is not recommended - git's hash algorithm is sha1dc, it is *not* SHA1. Using SHA1 may leave you and your users susceptible to SHAttered-style attacks.")
+	set(WARNINGS ${WARNINGS} PARENT_SCOPE)
+endif()
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -252,6 +252,8 @@ will introduce a number of breaking changes in v2.0:
   https://github.com/libgit2/libgit2/pull/6924
 * ci: port latest fixes to nightlies by @ethomson in
   https://github.com/libgit2/libgit2/pull/6926
+* cmake: warn for not using sha1dc by @ethomson in
+  https://github.com/libgit2/libgit2/pull/6986
 
 ### Documentation improvements
 
