Version 2 of SWHID, ISO/IEC 18670:2025?

Pol Dellaiera pol.dellaiera at gmail.com
Mon Jan 19 14:42:00 UTC 2026


Hello,

Indeed, SWHIDs rely internally on the SHA-1 algorithm. However, the hash 
is not computed over raw file contents alone. Instead, it is computed 
over a structured byte sequence that includes the object’s type and 
length, followed by its content. This domain separation significantly 
reduces the applicability of known SHA-1 collision attacks.

It is also important to note that SHA-1 is used here for identification, 
not for cryptographic security. The threat model for SWHIDs is content 
addressing and stable identification of source code artefacts, not 
adversarial collision resistance in a cryptographic sense.

That said, the SWHID specification explicitly includes a version 
component in the identifier scheme. This design choice allows for future 
evolution, including the introduction of stronger hash algorithms, while 
preserving backward compatibility. In that sense, algorithm agility was 
anticipated from the start, even if SHA-1 remains the current default.

Best regards.

On 2026.01.19 15:21, kpcyrd wrote:
> Hello!
> 
> Today I learned that SWHID (also known as ISO/IEC 18670:2025) was 
> published 1.0 in 2022 and ISO standardized in 2025, but uses the 
> insecure[1][2] SHA-1 as core cryptographic primitive[3].
> 
> Does somebody know if there are any efforts to upgrade this to sha256, 
> sha3-256, blake2b, blake3 or similar algorithms suitable for secure 
> content-addressing?
> 
> thanks,
> kpcyrd
> 
> [1]: https://shattered.io/ (Feb 23, 2017)
> [2]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf 
> (SHA-1 deprecation notice from January 2011, pretty much exactly 15 years ago)
> [3]: https://www.swhid.org/specification/v1.2/5.Core_identifiers/
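The framing Pol describes, as an added example that is not code from either poster or from the SWHID project: a content identifier (`swh:1:cnt:...`) is the SHA-1 of the Git blob framing `"blob <length>\0<content>"`, which is why it differs from a raw SHA-1 of the same bytes, and the version field sits in the identifier itself. The sample inputs and the parser's regular expression are constructed here for illustration.

```python
import hashlib
import re

# Core identifier layout: "swh" ":" version ":" object type ":" hex digest.
# The version component is the hook the thread mentions for introducing a
# different hash algorithm later. Constructed for this example, not spec text.
SWHID_RE = re.compile(
    r"^swh:(?P<version>\d+):(?P<type>cnt|dir|rev|rel|snp):(?P<hash>[0-9a-f]{40})$"
)


def git_object_digest(obj_type: bytes, payload: bytes) -> str:
    """SHA-1 over the Git object framing "<type> <length>\\0<payload>".

    The type and length prefix is the domain separation the reply refers to:
    the digest is never taken over the raw content alone.
    """
    header = obj_type + b" " + str(len(payload)).encode("ascii") + b"\0"
    return hashlib.sha1(header + payload).hexdigest()


def raw_sha1(payload: bytes) -> str:
    """Plain SHA-1 of the bytes, for comparison with the framed digest."""
    return hashlib.sha1(payload).hexdigest()


def swhid_for_content(content: bytes) -> str:
    """Build the version-1 content identifier for a file's bytes."""
    return "swh:1:cnt:" + git_object_digest(b"blob", content)


def parse_swhid(identifier: str) -> dict:
    """Split a core SWHID into version, object type and digest, or raise."""
    match = SWHID_RE.match(identifier)
    if match is None:
        raise ValueError(f"not a core SWHID: {identifier!r}")
    return match.groupdict()


if __name__ == "__main__":
    # Constructed sample input; the expected digest matches `git hash-object`.
    sample = b"hello world\n"
    swhid = swhid_for_content(sample)
    print(swhid)
    print("raw sha1 differs:", raw_sha1(sample) != parse_swhid(swhid)["hash"])
```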
