On 01/20/2016 04:39 AM, Johnny Hughes wrote:
> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>> hi,
>>
>> I noticed that RPM packages I sign use SHA1
>>
>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
>> ad3b591d147abf59
>>
>> Signatures from CentOS 7 use SHA256
>>
>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
>> 24c6a8a7f4a80eb5
>>
>> I'm trying to find where / how to use sha256 when I sign packages but I
>> am not having much luck. Closest I have found is this :
>>
>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>
>> That page appears to be from 2009 and six years is a really long time,
>> things change a lot.
>>
>> Is there an up to date reference somewhere on RPM package signing that I
>> haven't stumbled upon yet?
>>
>> SHA1 is broken. I shouldn't be using it.
>>
>> CentOS 7 is all I build packages for.
>>
>
> In your .rpmmacros file .. try setting:
>
> _binary_filedigest_algorithm SHA256
>
> or from the command line:
>
> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>
> ====>
> if for some reason it does not like the SHA256 value .. try 8 instead. So:
>
> rpm --define '_binary_filedigest_algorithm 8'
>
> or in .rpmmacros:
>
> _binary_filedigest_algorithm 8
>

There is another one as well:

--define "_source_filedigest_algorithm 8"

--define "_binary_filedigest_algorithm 8"

Defining it in the .rpmmacros would be best .. I think otherwise you
would need to define it in your rpmbuild line AND your rpm signature line.

Are you building your rpms in mock or from rpmbuild on the command line?

If I do this on my default c7 install, I get that as the default:

[jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
-14: _binary_filedigest_algorithm 8
-14: _source_filedigest_algorithm 8

Not sure how you got it to do it in SHA1 :)
On 01/20/2016 04:48 AM, Johnny Hughes wrote:
> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>> hi,
>>>
>>> I noticed that RPM packages I sign use SHA1
>>>
>>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
>>> ad3b591d147abf59
>>>
>>> Signatures from CentOS 7 use SHA256
>>>
>>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
>>> 24c6a8a7f4a80eb5
>>>
>>> I'm trying to find where / how to use sha256 when I sign packages but I
>>> am not having much luck. Closest I have found is this :
>>>
>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>
>>> That page appears to be from 2009 and six years is a really long time,
>>> things change a lot.
>>>
>>> Is there an up to date reference somewhere on RPM package signing that I
>>> haven't stumbled upon yet?
>>>
>>> SHA1 is broken. I shouldn't be using it.
>>>
>>> CentOS 7 is all I build packages for.
>>>
>>
>> In your .rpmmacros file .. try setting:
>>
>> _binary_filedigest_algorithm SHA256
>>
>> or from the command line:
>>
>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>
>> ====>
>> if for some reason it does not like the SHA256 value .. try 8 instead. So:
>>
>> rpm --define '_binary_filedigest_algorithm 8'
>>
>> or in .rpmmacros:
>>
>> _binary_filedigest_algorithm 8
>>
>
> There is another one as well:
>
> --define "_source_filedigest_algorithm 8"
>
> --define "_binary_filedigest_algorithm 8"
>
>
> Defining it in the .rpmmacros would be best .. I think otherwise you
> would need to define it in your rpmbuild line AND your rpm signature line.
>
> Are you building your rpms in mock or from rpmbuild on the command line?
>
> If I do this on my default c7 install, I get that as the default:
>
> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
> -14: _binary_filedigest_algorithm 8
> -14: _source_filedigest_algorithm 8
>
> Not sure how you got it to do it in SHA1 :)

One last thought .. are you using something like:

--force-v3-sigs

in your signing command line?
On 01/20/2016 04:52 AM, Johnny Hughes wrote:
> On 01/20/2016 04:48 AM, Johnny Hughes wrote:
>> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>> hi,
>>>>
>>>> I noticed that RPM packages I sign use SHA1
>>>>
>>>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
>>>> ad3b591d147abf59
>>>>
>>>> Signatures from CentOS 7 use SHA256
>>>>
>>>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
>>>> 24c6a8a7f4a80eb5
>>>>
>>>> I'm trying to find where / how to use sha256 when I sign packages but I
>>>> am not having much luck. Closest I have found is this :
>>>>
>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>
>>>> That page appears to be from 2009 and six years is a really long time,
>>>> things change a lot.
>>>>
>>>> Is there an up to date reference somewhere on RPM package signing that I
>>>> haven't stumbled upon yet?
>>>>
>>>> SHA1 is broken. I shouldn't be using it.
>>>>
>>>> CentOS 7 is all I build packages for.
>>>>
>>>
>>> In your .rpmmacros file .. try setting:
>>>
>>> _binary_filedigest_algorithm SHA256
>>>
>>> or from the command line:
>>>
>>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>>
>>> ====>
>>> if for some reason it does not like the SHA256 value .. try 8 instead. So:
>>>
>>> rpm --define '_binary_filedigest_algorithm 8'
>>>
>>> or in .rpmmacros:
>>>
>>> _binary_filedigest_algorithm 8
>>>
>>
>> There is another one as well:
>>
>> --define "_source_filedigest_algorithm 8"
>>
>> --define "_binary_filedigest_algorithm 8"
>>
>>
>> Defining it in the .rpmmacros would be best .. I think otherwise you
>> would need to define it in your rpmbuild line AND your rpm signature line.
>>
>> Are you building your rpms in mock or from rpmbuild on the command line?
>>
>> If I do this on my default c7 install, I get that as the default:
>>
>> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
>> -14: _binary_filedigest_algorithm 8
>> -14: _source_filedigest_algorithm 8
>>
>> Not sure how you got it to do it in SHA1 :)
>
> One last thought .. are you using something like:
>
> --force-v3-sigs
>
> in your signing command line?

If you are building in mock .. you would do it like this in the mock config with the other variables:

config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
config_opts['macros']['%_source_filedigest_algorithm'] = "8"

But again, building on a c7 machine, it should be the default.
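The following is an added example, written for this archive page and not posted by anyone in the thread, that turns the two checks discussed above into a script: the `rpmbuild --showrc | grep filedigest_algorithm` check of the build macros, and the `Signature : RSA/SHA1` line of `rpm -qpi` that Alice started from. It also separates two digests that the thread treats as one. The `_binary_filedigest_algorithm` / `_source_filedigest_algorithm` macros (numeric OpenPGP hash ids, so 8 means SHA256) set the per-file digest algorithm recorded in the package header at build time, readable later as the `FILEDIGESTALGO` tag. The hash named in the `Signature` line is a different thing: it is the hash inside the OpenPGP signature that gpg produced when `rpm --addsign` or `rpm --resign` ran, and it follows gpg's own settings (for example `digest-algo SHA256` or `personal-digest-preferences SHA256` in `~/.gnupg/gpg.conf`). My recollection is that rpm's stock `%__gpg_sign_cmd` also passes a `%_gpg_digest_algo` macro to gpg as `--digest-algo` when that macro is defined; confirm what your build host's rpm does with `rpm --showrc | grep gpg_sign_cmd` before relying on it. The sample `rpm -qpi` and `rpmbuild --showrc` text in the script is constructed to match the output quoted in the thread, so the parsers can be exercised without rpm installed; `audit_rpm` runs the real commands against a package when rpm is present.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two digests an RPM carries.
#   1. RPMTAG_FILEDIGESTALGO, the per-file digest algorithm fixed at build
#      time by %_binary_filedigest_algorithm / %_source_filedigest_algorithm
#      ("8" is the OpenPGP id for SHA256). Set them in ~/.rpmmacros as
#          %_binary_filedigest_algorithm 8
#          %_source_filedigest_algorithm 8
#      or, for mock, via config_opts['macros'] as shown in the thread.
#   2. The hash inside the OpenPGP signature, chosen by gpg when the package
#      is signed; it is what "RSA/SHA1" in the Signature line of "rpm -qpi"
#      reports, and the filedigest macros do not change it.
# Needs only sh and awk; rpm is required only by audit_rpm.

# Map rpm's numeric digest ids (the OpenPGP hash ids from RFC 4880 sect. 9.4)
# to names.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        3)  echo RIPEMD160 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read "rpmbuild --showrc" output on stdin and print the value of macro $1,
# e.g. "-14: _binary_filedigest_algorithm 8" -> "8".
macro_value() {
    awk -v m="$1" '$2 == m { print $3; exit }'
}

# Read "rpm -qpi" output on stdin and print the signature hash name
# ("SHA1", "SHA256", ...) or "none" for an unsigned package.
sig_hash() {
    awk '
        /^Signature/ {
            v = $0
            sub(/^Signature[ \t]*:[ \t]*/, "", v)
            if (v ~ /^\(none\)/) { print "none"; exit }
            sub(/^[A-Za-z]+\//, "", v)   # drop the "RSA/" or "DSA/" prefix
            sub(/,.*/, "", v)            # drop the timestamp and key id
            print v
            exit
        }'
}

# True (exit 0) when the hash should not be relied on: MD5 and SHA1 both have
# practical collision attacks, and an unsigned or unrecognised package is no
# better.
hash_is_weak() {
    case "$1" in
        MD5|SHA1|none|unknown*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a real package with both checks. Exit status 0 only when both the
# file digests and the signature hash are acceptable.
audit_rpm() {
    pkg=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    falgo=$(rpm -qp --qf '%{FILEDIGESTALGO}\n' "$pkg")
    # A package built before the SHA-256 header change has no FILEDIGESTALGO
    # tag (rpm prints "(none)") and uses MD5 file digests.
    case "$falgo" in '(none)'|'') falgo=1 ;; esac
    fname=$(digest_name "$falgo")
    shash=$(rpm -qpi "$pkg" | sig_hash)
    printf '%s: file digests=%s signature hash=%s\n' "$pkg" "$fname" "$shash"
    if hash_is_weak "$fname" || hash_is_weak "$shash"; then
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real captures) in the shape of the outputs
# quoted in the thread, so the parsers can be exercised without rpm.
SAMPLE_SHOWRC='-14: _binary_filedigest_algorithm 8
-14: _source_filedigest_algorithm 8'
SAMPLE_QPI_SHA1='Name        : example
Version     : 1.0
Signature   : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59'
SAMPLE_QPI_SHA256='Name        : example
Version     : 1.0
Signature   : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5'

# Usage: sh audit-rpm-digests.sh pkg1.rpm [pkg2.rpm ...]   (no args: no-op)
for p in "$@"; do
    audit_rpm "$p" || echo "WEAK: $p"
done
```

Run it as `sh audit-rpm-digests.sh *.rpm` on the signing host; a package whose file digests come back as SHA256 while the signature hash is still SHA1 is the case the thread describes, and the fix for that half lives in gpg's digest settings rather than in the filedigest macros. Note that `--force-v3-sigs`, mentioned in the thread, is also a gpg option, so it too belongs to the signature side.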