# B23 — cmake/packaging.cmake: CPACK_PACKAGE_CHECKSUM "SHA1"

Bug ref      : always.md B.23 ; pharo.md §7
Severity     : LOW (SHA-1 is collision-broken; ship-time integrity check weakens)
File         : cmake/packaging.cmake
Lines (HEAD) : 92 (`set(CPACK_PACKAGE_CHECKSUM "SHA1")`)

## Problem

```cmake
set(CPACK_PACKAGE_CHECKSUM "SHA1")
```

SHA-1 collisions were demonstrated in 2017 (SHAttered) and chosen-
prefix collisions in 2019. A downstream consumer verifying a Pharo
package by its `.sha1` is no longer getting a meaningful integrity
guarantee.

## Fix

```diff
diff --git a/cmake/packaging.cmake b/cmake/packaging.cmake
index 4727d56e0..7b0e5758d 100644
--- a/cmake/packaging.cmake
+++ b/cmake/packaging.cmake
@@ -89,7 +89,9 @@ else()
 endif()
 
 set(CPACK_PACKAGE_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/build/packages")
-set(CPACK_PACKAGE_CHECKSUM "SHA1")
+## SHA-1 is collision-broken (SHAttered 2017; chosen-prefix collisions 2019).
+## Downstream consumers that read *.sha1 must be updated to read *.sha256.
+set(CPACK_PACKAGE_CHECKSUM "SHA256")
 set(CPACK_GENERATOR "ZIP" "TGZ")
 set(CPACK_INCLUDE_TOPLEVEL_DIRECTORY TRUE)

```
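Review bot: the two new comment lines in this hunk promise consumers a `*.sha256`, but nothing in the change or in the test plan below checks that the digest is actually compared rather than only copied next to the artifact, so the stronger algorithm is never exercised; suggest adding a `cmake -E sha256sum` or `sha256sum -c` step to the test plan, and moving the "downstream consumers ... must be updated" sentence out of the CMake comment into the changelog entry, where the maintainers of those consumers will actually see it.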

Update any downstream consumers (CI scripts, mirror scripts) that
expect a `.sha1` next to the artifact to consume `.sha256` instead.

```diff
# scripts/runTests.sh and any other consumer
-cp -f build/packages/*.zip build/packages/*.sha1 ../artifacts
+cp -f build/packages/*.zip build/packages/*.sha256 ../artifacts
```
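Review bot: this hunk shows only `scripts/runTests.sh` while its comment says "and any other consumer"; the test plan names three more (Jenkinsfile artifact stash, GitHub Actions upload, mirror script), so the change should list every file whose `*.sha1` glob was replaced, otherwise a reviewer cannot tell whether one was missed until the next build fails.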

## Test plan

- `make package`: produces `*.zip` + `*.sha256` instead of `*.sha1`.
- Verify consumers (Jenkinsfile artifact stash, GitHub Actions
  upload, mirror script) reference `*.sha256` after the update.
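A consumer-side check of the kind the test plan asks for, written as an added example for this report (not code from `cmake/packaging.cmake` or the Pharo consumer scripts): it accepts only a matching `<artifact>.sha256` sidecar, reports a leftover `.sha1` instead of falling back to it, and assumes the sidecar's first field is the hex digest (the `<digest>  <filename>` layout CPack writes). The artifact names are constructed for the demo.

```shell
#!/bin/sh
# Consumer-side verification of a CPack artifact against its .sha256 sidecar.
# Added example for this report; not code from cmake/packaging.cmake or the
# Pharo consumer scripts. File names below are constructed for the demo.

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package_checksum <artifact>
#   returns 0 if <artifact>.sha256 exists and matches,
#           1 if the sidecar is missing (a leftover .sha1 is reported, never used),
#           2 if the digest does not match.
verify_package_checksum() {
    artifact=$1
    sidecar="$artifact.sha256"
    if [ ! -f "$sidecar" ]; then
        [ -f "$artifact.sha1" ] && echo "refusing SHA-1 sidecar for $artifact" >&2
        echo "missing $sidecar" >&2
        return 1
    fi
    # CPack writes "<digest>  <filename>"; only the first field is the digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sidecar")
    actual=$(sha256_of "$artifact")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $artifact" >&2
        return 2
    fi
    return 0
}

# Constructed demo artifacts standing in for build/packages/*.zip.
demo_dir=$(mktemp -d)
printf 'constructed package payload\n' > "$demo_dir/good.zip"
printf '%s  good.zip\n' "$(sha256_of "$demo_dir/good.zip")" > "$demo_dir/good.zip.sha256"
cp "$demo_dir/good.zip" "$demo_dir/tampered.zip"
printf '%s  tampered.zip\n' "$(sha256_of "$demo_dir/good.zip")" > "$demo_dir/tampered.zip.sha256"
printf 'extra byte\n' >> "$demo_dir/tampered.zip"          # payload changed after signing the digest
cp "$demo_dir/good.zip" "$demo_dir/legacy.zip"             # only an old .sha1 sidecar present
printf 'constructed-sha1-digest  legacy.zip\n' > "$demo_dir/legacy.zip.sha1"

verify_package_checksum "$demo_dir/good.zip" && echo "good.zip: SHA-256 verified"
```

Run it from the directory the artifacts were copied to; a non-zero exit from `verify_package_checksum` is the loud failure the risk notes rely on.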

## Risk notes

- Old consumers expecting `.sha1` will fail on the next build —
  intentional, since they will then be updated.
- Worth keeping `.sha1` for one release as a deprecation aid:
  `set(CPACK_PACKAGE_CHECKSUM "SHA256;SHA1")` if CPack supports
  multiple. Verify with the installed CPack version.
