hi, I noticed that RPM packages I sign use SHA1 Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59 Signatures from CentOS 7 use SHA256 Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5 I'm trying to find where / how to use sha256 when I sign packages but I am not having much luck. Closest I have found is this : https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256 That page appears to be from 2009 and six years is a really long time, things change a lot. Is there an up to date reference somewhere on RPM package signing that I haven't stumbled upon yet? SHA1 is broken. I shouldn't be using it. CentOS 7 is all I build packages for. Thank you.
On 01/20/2016 01:37 AM, Alice Wonder wrote:> hi, > > I noticed that RPM packages I sign use SHA1 > > Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID > ad3b591d147abf59 > > Signatures from CentOS 7 use SHA256 > > Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID > 24c6a8a7f4a80eb5 > > I'm trying to find where / how to use sha256 when I sign packages but I > am not having much luck. Closest I have found is this : > > https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256 > > That page appears to be from 2009 and six years is a really long time, > things change a lot. > > Is there an up to date reference somewhere on RPM package signing that I > haven't stumbled upon yet? > > SHA1 is broken. I shouldn't be using it. > > CentOS 7 is all I build packages for. >In your .rpmmacros file .. try setting: _binary_filedigest_algorithm SHA256 or from the command line: rpm --define '_binary_filedigest_algorithm SHA256' <current_line> ==== if some some reason it does not like the SAH256 value .. try 8 instead. So: rpm --define '_binary_filedigest_algorithm 8' or in .rpmmacros: _binary_filedigest_algorithm 8 Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160120/6545e622/attachment.sig>
On 01/20/2016 04:39 AM, Johnny Hughes wrote:> On 01/20/2016 01:37 AM, Alice Wonder wrote: >> hi, >> >> I noticed that RPM packages I sign use SHA1 >> >> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID >> ad3b591d147abf59 >> >> Signatures from CentOS 7 use SHA256 >> >> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID >> 24c6a8a7f4a80eb5 >> >> I'm trying to find where / how to use sha256 when I sign packages but I >> am not having much luck. Closest I have found is this : >> >> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256 >> >> That page appears to be from 2009 and six years is a really long time, >> things change a lot. >> >> Is there an up to date reference somewhere on RPM package signing that I >> haven't stumbled upon yet? >> >> SHA1 is broken. I shouldn't be using it. >> >> CentOS 7 is all I build packages for. >> > > In your .rpmmacros file .. try setting: > > _binary_filedigest_algorithm SHA256 > > or from the command line: > > rpm --define '_binary_filedigest_algorithm SHA256' <current_line> > > ====> > if some some reason it does not like the SAH256 value .. try 8 instead. So: > > rpm --define '_binary_filedigest_algorithm 8' > > or in .rpmmacros: > > _binary_filedigest_algorithm 8 >There is another one as well: --define "_source_filedigest_algorithm 8" --define "_binary_filedigest_algorithm 8" Defining it in the .rpmmacros would be best .. I think otherwise you would need to define it in youe rpmbild line AND your rpm signature line. Are you building your rpms in mock or from rpmbuild on the command line? If I do this on my default c7 install, I get that as the default: [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm -14: _binary_filedigest_algorithm 8 -14: _source_filedigest_algorithm 8 Not sure how you got it to do it in SHA1 :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160120/2f109ef3/attachment-0001.sig>