Moving from sha1 to sha256

Does anyone have experience moving BigFix from sha1 to sha256 that they would care to share?

Obviously, the enhanced security has to be turned on and that forces all clients to be 9.1 or higher.

My concern is any user-written tasks or fixlets that use a .tmp file that was generated using sha1.

I would envision:

  1. Gather the new sha256 value for all folders residing in the \uploads folder
  2. The \uploads folder names would need to be renamed to new sha256 value
  3. The tasks/fixlets edited for that new sha256 value

Scripts would run the entire show, but I am wondering what I am missing.

Yes, but sha256 will be the second option to enable. However, if you are sure there are many fixlets/tasks which don't have sha256, they will surely be impacted, so just go with enhanced security but don't enable the sha256 option until you are done with those fixlets/tasks.

Point to remember: if anyone has created a fixlet/task with the help of the Software Distribution wizard and not with manually uploaded files, then those are secure ones, because whenever you use the SD wizard it will always create both values.

You can use a custom filter to look for fixlets/tasks which don't contain sha256, and that should be the main focus point to resolve.


Thanks for the insight.

When we run the v10 wizard, we see for example:

prefetch 80fb54a6645727d3d26c7913113df57688f9f955 sha1:80fb54a6645727d3d26c7913113df57688f9f955 size:5057 http://site:52311/Uploads/80fb54a6645727d3d26c7913113df57688f9f955/testing.txt.tmp sha256:bccbc9d3ec7ddb5393109a5a6a055b3b49ba54cd175f14731938b8cc9f671fd3
extract 80fb54a6645727d3d26c7913113df57688f9f955
wait __Download\testing.txt

Notice the extract statement.

That seems to be using the sha1 value.

When we turn on ES and the sha256 requirement, would the wizard then produce an extract statement for the sha256 value?

When we flip on the sha256, all of our tasks/fixlets would have to be edited/saved to use the sha256 value, right?

No, it's using both values.

Yes, if there are any! And to find out, you can use a Custom Filter to search for fixlets/tasks which are visible and don't contain sha256 in the action script.

The prefetch pulls the file and validates the sha256 and then names the file 80fb54a6645727d3d26c7913113df57688f9f955.

The extract is just extracting the file with the name 80fb54a6645727d3d26c7913113df57688f9f955.
We are not doing any calculations or validations with that file name, which happens to be the sha1 of the file as well. If you changed that name to something else, like bob, the action script would still work the same.

prefetch bob sha1:80fb54a6645727d3d26c7913113df57688f9f955 size:5057 http://site:52311/Uploads/80fb54a6645727d3d26c7913113df57688f9f955/testing.txt.tmp sha256:bccbc9d3ec7ddb5393109a5a6a055b3b49ba54cd175f14731938b8cc9f671fd3
extract bob
wait __Download\testing.txt

Use of sha1 in the file name is cosmetic in that part of the action script.
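
An added example, not part of the original thread and not BigFix code: a Python audit that finds prefetch lines lacking a sha256 field, in the layout quoted above, and rebuilds them only after the file bytes match the sha1 and size already recorded. The function names, the sample payload and the sample.txt file name are constructed for illustration.

```python
import hashlib
import re

# Field layout assumed from the prefetch lines quoted in the thread:
#   prefetch <name> sha1:<40 hex> size:<bytes> <url> [sha256:<64 hex>]
# Lines in any other layout are not matched and are therefore not reported.
PREFETCH_RE = re.compile(
    r"^\s*prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)"
    r"(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def audit_action_script(script):
    """Return (line_number, fields) for each prefetch line lacking sha256."""
    missing = []
    for number, line in enumerate(script.splitlines(), start=1):
        match = PREFETCH_RE.match(line)
        if match and match.group("sha256") is None:
            missing.append((number, match.groupdict()))
    return missing

def add_sha256(fields, payload):
    """Rebuild the prefetch line with sha256 appended, refusing to do so
    unless payload matches the size and sha1 the script already records."""
    if len(payload) != int(fields["size"]):
        raise ValueError("size mismatch for " + fields["name"])
    if hashlib.sha1(payload).hexdigest() != fields["sha1"].lower():
        raise ValueError("sha1 mismatch for " + fields["name"])
    digest = hashlib.sha256(payload).hexdigest()
    return ("prefetch {name} sha1:{sha1} size:{size} {url} "
            "sha256:{digest}").format(digest=digest, **fields)

# Constructed sample: a payload and a legacy action script that references it.
SAMPLE_PAYLOAD = b"constructed test payload\n"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_SCRIPT = "\n".join([
    "prefetch {0} sha1:{0} size:{1} "
    "http://site:52311/Uploads/{0}/sample.txt.tmp".format(
        SAMPLE_SHA1, len(SAMPLE_PAYLOAD)),
    "extract " + SAMPLE_SHA1,
    "wait __Download\\sample.txt",
])

if __name__ == "__main__":
    for number, fields in audit_action_script(SAMPLE_SCRIPT):
        print("line", number, "->", add_sha256(fields, SAMPLE_PAYLOAD))
```

The prefetch name and the Uploads folder name are left unchanged, in line with the point above that the sha1-looking name is only a label.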

Thanks for that information fellas.

Does the \Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha1 folder name change to \Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha256 after you turn on enhanced security?

Nope! Nothing like that, it will remain the same.