Are there any plans to switch to SHA2 for addon signing?

Hi,

I see that addon signing uses SHA1 and MD5. Now they both have collision attacks. Are there any plans to switch to SHA2 or something else? Should I report a bug?

From what I see, the problem is not that big, since they use both SHA1 and MD5, and the chances of getting a collision on both on the same hash are pretty small from what I can figure.

Andrei
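
To see which digests a given signed add-on actually relies on, the check below lists the per-file digest algorithms in its signing manifest and flags files covered only by MD5 and/or SHA1. It is an added example, not part of the original post or of Mozilla's code; it assumes the XPI carries a JAR-style `META-INF/manifest.mf`, and the sample manifest, file names and digest values are constructed.

```python
import io
import re
import zipfile

WEAK = {"MD5", "SHA1"}  # the two algorithms the post says signing uses

def parse_manifest(text):
    """Return {entry name: set of digest algorithms} from a JAR-style manifest."""
    text = re.sub(r"\r?\n ", "", text)  # unfold wrapped (continuation) lines
    entries = {}
    for section in re.split(r"(?:\r?\n){2,}", text.strip()):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" not in attrs:
            continue  # main section has no per-file digests
        # "SHA1-Digest" -> "SHA1", "SHA-256-Digest" -> "SHA256"
        entries[attrs["Name"]] = {
            k[: -len("-Digest")].upper().replace("-", "")
            for k in attrs if k.endswith("-Digest")
        }
    return entries

def weak_only(entries):
    """Names of entries with no digest outside WEAK (including none at all)."""
    return sorted(n for n, algs in entries.items() if not (algs - WEAK))

def audit_xpi(fileobj):
    """Open an XPI (zip) and return the entries protected only by weak digests."""
    with zipfile.ZipFile(fileobj) as z:
        name = next(n for n in z.namelist() if n.lower() == "meta-inf/manifest.mf")
        return weak_only(parse_manifest(z.read(name).decode("utf-8")))

# Constructed sample manifest; digest values are placeholders, not real hashes.
SAMPLE = (
    "Manifest-Version: 1.0\n\n"
    "Name: install.rdf\n"
    "Digest-Algorithms: MD5 SHA1\n"
    "MD5-Digest: Y29uc3RydWN0ZWQ=\n"
    "SHA1-Digest: Y29uc3RydWN0ZWQ=\n\n"
    "Name: chrome/content/a-very-long-path-that-the-signer-\n"
    " wrapped.js\n"
    "SHA-256-Digest: Y29uc3RydWN0ZWQ=\n"
)

def sample_xpi():
    """Build an in-memory XPI holding only the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.mf", SAMPLE)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_xpi(sample_xpi()))
```

To audit a file on disk, pass an opened binary file object (or a path) to `audit_xpi` in place of `sample_xpi()`.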

I don’t think that has been reported yet. You can report it here: https://github.com/mozilla/addons-server/issues/new

Thank you for the reply.

I reported a bug: https://github.com/mozilla/addons-server/issues/4933