audreyt / module-signature

Module signature file manipulation
http://github.com/audreyt/module-signature

Add SHA-2 Support #28

Closed dweekly closed 4 years ago

dweekly commented 4 years ago

As of 2020 SHA-1, sadly, no longer provides strong signing assurance. SHA1 was cracked in 2017. As of 2020 it costs under $50k to crack, causing OpenSSH to deprecate SHA-1.

We could use mature, stronger hashing algorithms like SHA-2 (SHA-256), or SHA-3. A variety of Perl libraries are available already that implement SHA-2 and SHA-3. An ideal would be for us to assume the need to change signature standards periodically (on the order of about once a decade). Of existing Perl SHA-2 and SHA-3 implementations, Digest::SHA already includes SHA-256 support and is already part of perl core as of 5.9.3, so seems the safest bet.

Note that PAUSE will of course also need to be updated to emit these new signatures, as well as (lower-priority) also encouraging individual authors who have included signatures in their modules to update the quality of those signatures. The PAUSE issue tracking this is 352.

This request is part of a larger effort to Secure Perl.
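As an added illustration of the point raised above (this is example code written for this page, not Module::Signature's own implementation or PAUSE's), the script below builds and checks the `DIGEST hex filename` lines that a Module::Signature `SIGNATURE` file carries inside its PGP cleartext-signed block, using only the core `Digest::SHA` module. It emits `SHA256` lines and, when verifying, still accepts `SHA1` lines but reports that the block relies on SHA-1 so a consumer can decide to reject it. The function names `digest_lines` and `verify_lines`, and the sample distribution files, are constructed for the demonstration; the PGP signature that wraps the real block (the part `gpg`/`Crypt::OpenPGP` handles) is deliberately out of scope here.

```perl
#!/usr/bin/env perl
# Added example, not Module::Signature's own code: build and check the
# "DIGEST hex filename" lines that Module::Signature wraps in a cleartext
# PGP-signed block, using only core Digest::SHA. File names and contents
# below are constructed for the demonstration.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex sha256_hex);

# Digest lines for a set of files, in sorted (MANIFEST-like) order.
# $algo is 'SHA1' or 'SHA256'; a new signature should emit 'SHA256'.
sub digest_lines {
    my ($algo, $files) = @_;   # $files: { name => content }
    my %hasher = (SHA1 => \&sha1_hex, SHA256 => \&sha256_hex);
    my $h = $hasher{$algo} or die "unsupported digest algorithm '$algo'";
    return join '', map { sprintf "%s %s %s\n", $algo, $h->($files->{$_}), $_ }
                    sort keys %$files;
}

# Check every digest line of a block against the files actually present.
# Returns ({ name => 'ok' | 'mismatch' | 'missing' }, $weakest_algo_seen).
sub verify_lines {
    my ($block, $files) = @_;
    my (%result, %seen_algo);
    for my $line (split /\n/, $block) {
        next unless $line =~ /^(SHA1|SHA256) ([0-9a-f]+) (.+)$/;
        my ($algo, $want, $name) = ($1, $2, $3);
        $seen_algo{$algo}++;
        if (!exists $files->{$name}) { $result{$name} = 'missing'; next; }
        my $got = $algo eq 'SHA256' ? sha256_hex($files->{$name})
                                    : sha1_hex($files->{$name});
        $result{$name} = $got eq $want ? 'ok' : 'mismatch';
    }
    # Any remaining SHA1 line means that file's integrity rests on SHA-1,
    # regardless of how strong the other lines are.
    my $weakest = $seen_algo{SHA1} ? 'SHA1' : 'SHA256';
    return (\%result, $weakest);
}

# Constructed sample distribution.
my %dist = (
    'MANIFEST'   => "MANIFEST\nlib/Foo.pm\n",
    'lib/Foo.pm' => "package Foo; 1;\n",
);

my $block = digest_lines('SHA256', \%dist);
print $block;

# Tamper with one file after signing and re-verify: lib/Foo.pm must
# come back as 'mismatch', MANIFEST as 'ok'.
my %tampered = (%dist, 'lib/Foo.pm' => "package Foo; system('id'); 1;\n");
my ($res, $weakest) = verify_lines($block, \%tampered);
printf "%-12s %s\n", $_, $res->{$_} for sort keys %$res;
print "weakest digest in block: $weakest\n";
```

A verifier that wants to enforce the stronger algorithm can treat a `$weakest` of `SHA1` as a failure; keeping the SHA1 branch in `verify_lines` only matters for reading signatures produced before the SHA-256 lines existed.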

karenetheridge commented 4 years ago

Given that this module author is now a member of a nation's cabinet, I doubt she has time to do this work; would you be able to put together a pull request?

dweekly commented 4 years ago

> Given that this module author is now a member of a nation's cabinet, I doubt she has time to do this work; would you be able to put together a pull request?

My goodness, that is about the most badass reason I can think of to be indisposed. I'll try and pull something together and reference this issue.

dweekly commented 4 years ago

Interesting, I seem to have missed that SHA256 already was included in 0.82 as of August 2018.

https://github.com/audreyt/module-signature/commit/4515ae5d44dbb1ac48c578f2214a64c371c3c675

The issue then is simply that the documentation is out of date in referencing SHA1 as the default.

dweekly commented 4 years ago

Documentation update to reflect the 0.82 reality: https://github.com/audreyt/module-signature/pull/29