hi,
I noticed that RPM packages I sign use SHA1
Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59
Signatures from CentOS 7 use SHA256
Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5
I'm trying to find where / how to use sha256 when I sign packages but I am not having much luck. Closest I have found is this:
https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
That page appears to be from 2009 and six years is a really long time, things change a lot.
Is there an up to date reference somewhere on RPM package signing that I haven't stumbled upon yet?
SHA1 is broken. I shouldn't be using it.
CentOS 7 is all I build packages for.
Thank you.
On 01/20/2016 01:37 AM, Alice Wonder wrote:
> I noticed that RPM packages I sign use SHA1
> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59
> I'm trying to find where / how to use sha256 when I sign packages but I am not having much luck.
In your .rpmmacros file .. try setting:
%_binary_filedigest_algorithm SHA256
or from the command line:
rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
=====
if for some reason it does not like the SHA256 value .. try 8 instead. So:
rpm --define '_binary_filedigest_algorithm 8'
or in .rpmmacros:
%_binary_filedigest_algorithm 8
Thanks, Johnny Hughes
On 01/20/2016 04:39 AM, Johnny Hughes wrote:
> or in .rpmmacros:
> _binary_filedigest_algorithm 8
There is another one as well:
--define "_source_filedigest_algorithm 8"
--define "_binary_filedigest_algorithm 8"
Defining it in the .rpmmacros would be best .. I think otherwise you would need to define it in your rpmbuild line AND your rpm signature line.
Are you building your rpms in mock or from rpmbuild on the command line?
If I do this on my default c7 install, I get that as the default:
[jhughes@localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
-14: _binary_filedigest_algorithm 8
-14: _source_filedigest_algorithm 8
Not sure how you got it to do it in SHA1 :)
On 01/20/2016 04:48 AM, Johnny Hughes wrote:
One last thought .. are you using something like:
--force-v3-sigs
in your signing command line?
On 01/20/2016 04:52 AM, Johnny Hughes wrote:
> Are you building your rpms in mock or from rpmbuild on the command line?
If you are building in mock .. you would do it like this in the mock config with the other variables:
config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
config_opts['macros']['%_source_filedigest_algorithm'] = "8"
But again, building on a c7 machine, it should be the default.
On 01/20/2016 02:58 AM, Johnny Hughes wrote:
> Are you building your rpms in mock or from rpmbuild on the command line?
I'm building in mock
Thank you for the suggestions.
On 01/20/2016 02:58 AM, Johnny Hughes wrote:
> But again, building on a c7 machine, it should be the default.
I'm still not getting it to work - I am trying outside of mock.
%_signature gpg
%_binary_filedigest_algorithm 8
%_gpg_name Alice Wonder Miscreations
represents my current .rpmmacros
Before just _signature_gpg and _gpg_name were defined
rpm --showrc |grep filedigest
-14: _binary_filedigest_algorithm 8
-14: _source_filedigest_algorithm 8
(it has that value whether or not I define the _binary_filedigest_algorithm in my .rpmmacros)
I wonder if I might be missing something?
The --verbose switch to rpm when I use --addsign doesn't give any additional output.
On 01/20/2016 03:32 PM, Alice Wonder wrote:
> I wonder if I might be missing something?
This is interesting -
ls -al .gnupg/
total 40
drwxrwxr-x.  2 alice alice  4096 Jan 20 11:05 .
drwx------. 91 alice alice 12288 Jan 20 15:28 ..
-rw-------   1 alice alice  3501 Jan 20 11:05 pubring.gpg
-rw-------   1 alice alice  3501 Jan 20 11:05 pubring.gpg~
-rw-------.  1 alice alice   600 Jan 20 11:05 random_seed
-rw-------   1 alice alice  7537 Jan 20 11:05 secring.gpg
-rw-------.  1 alice alice  1360 Jan 20 11:05 trustdb.gpg
There is no gpg.conf in there, or in my home directory, it seems I only have a gpg.conf in old home directories from previous versions (I always start fresh but restore old /home as /home-old)
I don't see a gpg.conf in /etc/skel either and yum provides doesn't indicate any package provides /etc/skel/gpg.conf or /etc/skel/.gnupg/gpg.conf
I am wondering if my issue is related to my gpg configuration but I don't even know where the hell the user specific configuration is kept now.
/etc/gnupg for system-wide configuration exists but is empty.
No idea if the gpg configuration could be the issue, and the gpg2 man page doesn't seem to indicate where the configuration file is kept now. It does reference a gpg.conf-2 but that file doesn't exist either.
What's kind of sad, every single RPM signing howto I can find does not address the SHA1/SHA256 issue and when they do show the signature, it's always SHA1. Of course it is mostly very old.
Is there modern documentation to RPM anywhere?
On 01/20/2016 01:37 AM, Alice Wonder wrote:
> I'm trying to find where / how to use sha256 when I sign packages but I am not having much luck. Closest I have found is this :
> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
This thread has been a whole bunch of confusion. What you're trying to do requires that you add one line to your .rpmmacros file:
%_gpg_digest_algo sha256
The _binary_filedigest_algorithm and _source_filedigest_algorithm don't affect the signature, they affect the file digest. That is, they set the checksum by which files will be verified by rpm -V. You can see the digest of each file using "rpm -qp --dump".
> I'm still not getting it to work - I am trying outside of mock.
As far as I know, mock doesn't sign packages, so you don't need to change your mock configuration at all.
> Before just _signature_gpg and _gpg_name were defined
Because I'm curious, I checked.... Only _gpg_name and _gpg_digest_algo need to be set. "%_signature gpg" is either the default, or it's unused. I'm not sure which.
> I am wondering if my issue is related to my gpg configuration but I don't even know where the hell the user specific configuration is kept now.
I think it's normally created when you create your keys, but it doesn't seem to be needed.
> No idea if the gpg configuration could be the issue, and the gpg2 man page doesn't seem to indicate where the configuration file is kept now.
Yes, it does. The file is gpg.conf in --homedir (which defaults to ~/.gnupg).
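The check a practitioner wants after this thread is to confirm, on the signed .rpm itself, which hash the signature uses (%_gpg_digest_algo) and which file-digest algorithm the build used (%_binary_filedigest_algorithm), since the two are independent and only the first changes the "Signature : RSA/SHA256" line. The script below is an added example, not code from the thread, from rpm or from any of its posters. It parses the RPM lead, the signature header and the main header directly and decodes the embedded OpenPGP signature packet (RFC 4880, v3 and v4), so it works without rpm installed and can be run against any signed package. The tag numbers (268, 1002, 267, 1005 in the signature header; 5011 for RPMTAG_FILEDIGESTALGO) and the header layout are those of the RPM v3 file format. build_sample() is a constructed fixture for offline testing: a dummy v4 RSA signature with a placeholder MPI and no real key, using the key ID from the thread purely as a stand-in.

```python
"""Parse an RPM's lead, signature header and main header to report the hash used
inside each OpenPGP signature (set by %_gpg_digest_algo; what `rpm -qpi` prints as
"Signature :") and the per-file digest algorithm (%_binary_filedigest_algorithm)."""
import struct
LEAD_MAGIC, LEAD_SIZE, HEADER_MAGIC = b"\xed\xab\xee\xdb", 96, b"\x8e\xad\xe8\x01"
RPM_INT32_TYPE, RPM_BIN_TYPE, RPMTAG_FILEDIGESTALGO = 4, 7, 5011
SIG_TAGS = {268: "RSA (header)", 1002: "PGP (header+payload)",  # signature-header tags
            267: "DSA (header)", 1005: "GPG (header+payload)"}  # holding a PGP packet
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# OpenPGP hash IDs; rpm's filedigest macros use the same numbers, hence "8" = SHA256.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def parse_header(buf, off):
    """One RPM header structure: returns ({tag: (type, raw bytes)}, end-of-data offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    data_start, entries = off + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", buf[off + 16 + 16 * i:off + 32 + 16 * i])
        width = 4 if typ == RPM_INT32_TYPE else 1  # for BIN entries count is already bytes
        entries[tag] = (typ, buf[data_start + doff:data_start + doff + count * width])
    return entries, data_start + hsize

def find_issuer(area):
    """Return the 8-byte key ID from an issuer subpacket (type 16) in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if area[i] & 0x7f == 16:
            return area[i + 1:i + length]
        i += length
    return None

def parse_pgp_signature(pkt):
    """Version, algorithms and issuer key ID of an OpenPGP signature packet (RFC 4880 5.2)."""
    tag_byte, first = pkt[0], pkt[1]
    if tag_byte & 0x40:                                      # new-format packet header
        tag = tag_byte & 0x3f
        if first < 192:
            body = pkt[2:2 + first]
        elif first < 224:
            body = pkt[3:3 + ((first - 192) << 8) + pkt[2] + 192]
        else:
            raise ValueError("unsupported new-format packet length")
    else:                                                    # old-format packet header
        tag, lsize = (tag_byte >> 2) & 0x0f, {0: 1, 1: 2, 2: 4}.get(tag_byte & 3)
        if lsize is None:
            raise ValueError("indeterminate packet length")
        body = pkt[1 + lsize:1 + lsize + int.from_bytes(pkt[1:1 + lsize], "big")]
    if not tag_byte & 0x80 or tag != 2:
        raise ValueError("not an OpenPGP signature packet")
    version = body[0]
    if version == 3:    # fixed layout: hashed-len(5) type ctime(4) keyid(8) pubkey hash
        pubkey, hash_id, keyid = body[15], body[16], body[7:15]
    elif version == 4:  # type pubkey hash, then hashed and unhashed subpacket areas
        pubkey, hash_id = body[2], body[3]
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        keyid = find_issuer(body[8 + hlen:8 + hlen + ulen]) or find_issuer(body[6:6 + hlen])
    else:
        raise ValueError("unsupported signature version %d" % version)
    return {"version": version, "pubkey": PUBKEY_ALGOS.get(pubkey, "algo%d" % pubkey),
            "hash": HASH_ALGOS.get(hash_id, "algo%d" % hash_id),
            "keyid": keyid.hex() if keyid else None}

def rpm_digest_info(data):
    """Summarise every signature and the file-digest algorithm of a raw RPM image."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig_entries, sig_end = parse_header(data, LEAD_SIZE)
    main_entries, _ = parse_header(data, sig_end + (-sig_end % 8))  # sig header is 8-byte padded
    sigs = {name: parse_pgp_signature(sig_entries[tag][1])
            for tag, name in SIG_TAGS.items() if tag in sig_entries}
    algo = main_entries.get(RPMTAG_FILEDIGESTALGO)
    digest_id = struct.unpack(">I", algo[1][:4])[0] if algo else 1  # absent tag means MD5
    return {"signatures": sigs, "file_digest": HASH_ALGOS.get(digest_id, "algo%d" % digest_id)}

def build_sample(sig_hash, file_digest, keyid=bytes.fromhex("ad3b591d147abf59")):
    """Constructed fixture, not a real package: lead + signature header with a dummy v4 RSA
    signature (placeholder MPI, no real key, stand-in key ID) + a minimal main header."""
    lead = (LEAD_MAGIC + b"\x03\x00\x00\x00\x00\x01" + b"sample".ljust(66, b"\0")
            + b"\x00\x01\x00\x05" + b"\0" * 16)
    hashed = b"\x05\x02" + struct.pack(">I", 1452279058)     # creation-time subpacket
    unhashed = b"\x09\x10" + keyid                           # issuer subpacket
    body = (bytes([4, 0x00, 1, sig_hash]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + b"\x00\x08\xff")
    pkt = b"\x89" + struct.pack(">H", len(body)) + body      # old-format tag-2 header
    sig_hdr = (HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(pkt))
               + struct.pack(">IIII", 268, RPM_BIN_TYPE, 0, len(pkt)) + pkt)
    sig_hdr += b"\0" * (-len(sig_hdr) % 8)
    main_hdr = (HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, 4)
                + struct.pack(">IIII", RPMTAG_FILEDIGESTALGO, RPM_INT32_TYPE, 0, 1)
                + struct.pack(">I", file_digest))
    return lead + sig_hdr + main_hdr
```

On a real package call rpm_digest_info(open("pkg.rpm", "rb").read()); a package signed as in the thread before the fix reports "hash": "SHA1" under its signature entries even though "file_digest" is already "SHA256", which is exactly the split between %_gpg_digest_algo and %_binary_filedigest_algorithm that the last reply describes. Packages signed with --force-v3-sigs show "version": 3.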