
Stop recording MD5 fingerprint for keys

Proposal

Follow-on from #195668 (closed)

Once we are looking up SSH keys by SHA256 fingerprint, we have no more use for the MD5 fingerprint. Further, generating the fingerprint is impossible in FIPS-enforcing environments; trying to do so means the operation will fail.

I propose we stop generating the MD5 fingerprint on key addition, and remove the keys.fingerprint column entirely from the database.

It may still be valuable to display the MD5 fingerprint; we could do that on-demand, when viewing the page for a key, instead of when adding the key. They're cheap to calculate; we only store them in the DB for search purposes. We could skip attempting to do so when in a FIPS-enforcing environment.
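
The on-demand approach from the proposal, as an added Ruby example that is not GitLab's code and not part of the original issue: both fingerprints are derived from the key text at display time, and the MD5 one is skipped under FIPS. The helper names, the constructed sample key, and the exception classes rescued when MD5 is refused are assumptions.

```ruby
require "openssl"

# Constructed sample: an ed25519-shaped blob of fixed bytes, not a real key.
SAMPLE_BLOB = [11, "ssh-ed25519", 32, "\x01" * 32].pack("Na*Na*")
SAMPLE_KEY  = "ssh-ed25519 #{[SAMPLE_BLOB].pack('m0')} user@example"

# Hypothetical helper: true when the OpenSSL binding reports FIPS mode.
def fips_enforced?
  OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode ? true : false
end

# Decode the Base64 blob of an OpenSSH public key line ("type blob comment")
# and check that the type encoded inside the blob matches the declared type.
def key_blob(public_key)
  type, b64 = public_key.split(" ", 3)
  raise ArgumentError, "not an OpenSSH public key line" if b64.nil?
  blob = b64.unpack1("m0") # strict Base64; raises ArgumentError on bad input
  len = blob.unpack1("N")  # nil when the blob is shorter than 4 bytes
  raise ArgumentError, "key type mismatch" unless len && blob.byteslice(4, len) == type
  blob
end

# Lookup fingerprint: "SHA256:" plus unpadded Base64 of SHA-256 over the blob.
def sha256_fingerprint(public_key)
  digest = OpenSSL::Digest.new("SHA256").digest(key_blob(public_key))
  "SHA256:" + [digest].pack("m0").delete("=")
end

# Display-only fingerprint, computed when the key page is viewed, never stored.
# Returns nil when FIPS is enforced or the provider refuses MD5.
def md5_fingerprint(public_key, fips: fips_enforced?)
  blob = key_blob(public_key)
  return nil if fips
  OpenSSL::Digest.new("MD5").hexdigest(blob).scan(/../).join(":")
rescue OpenSSL::OpenSSLError, RuntimeError
  # Assumption: which class is raised depends on the OpenSSL and gem versions.
  nil
end
```

A view using these helpers would hide the MD5 row whenever `md5_fingerprint` returns `nil`, so adding a key never depends on MD5 being available.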