On 01/20/2016 01:37 AM, Alice Wonder wrote:
> hi,
>
> I noticed that RPM packages I sign use SHA1
>
> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
> ad3b591d147abf59
>
> Signatures from CentOS 7 use SHA256
>
> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
> 24c6a8a7f4a80eb5
>
> I'm trying to find where / how to use sha256 when I sign packages but I
> am not having much luck. Closest I have found is this :
>
> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>
> That page appears to be from 2009 and six years is a really long time,
> things change a lot.
>
> Is there an up to date reference somewhere on RPM package signing that I
> haven't stumbled upon yet?
>
> SHA1 is broken. I shouldn't be using it.
>
> CentOS 7 is all I build packages for.
>

In your .rpmmacros file .. try setting:

_binary_filedigest_algorithm SHA256

or from the command line:

rpm --define '_binary_filedigest_algorithm SHA256'

=====

If for some reason it does not like the SHA256 value .. try 8 instead. So:

rpm --define '_binary_filedigest_algorithm 8'

or in .rpmmacros:

_binary_filedigest_algorithm 8

Thanks,
Johnny Hughes
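An added check, not part of the thread, for confirming what a rebuilt package actually carries: it parses the same "Signature :" line shown in `rpm -qpi` output and the numeric file-digest id stored in the header (the "8" above, readable with `rpm -qp --qf '%{FILEDIGESTALGO}'`), so the audit logic can be exercised on captured output without rpm installed; the id-to-name table is rpm's reuse of the OpenPGP hash ids.

```shell
#!/bin/sh
# Added example: flag RPMs whose signature hash or per-file digests are
# weaker than SHA256. Not code from the CentOS list or the rpm project.

# Map the numeric FILEDIGESTALGO header value to a name.
# rpm reuses the OpenPGP hash ids here: 2 is SHA1, 8 is SHA256.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Pull the hash algorithm out of a "Signature : RSA/SHA256, ..." line.
sig_hash() {
    printf '%s\n' "$1" | sed -n 's/^Signature *: *[A-Za-z]*\/\([A-Za-z0-9]*\),.*/\1/p'
}

# Return 0 when both the signature hash and the file digests are SHA256 or
# stronger, 1 otherwise. Arguments: the Signature line and the FILEDIGESTALGO id.
audit_rpm() {
    sig=$(sig_hash "$1")
    files=$(digest_name "$2")
    ok=0
    case "$sig" in SHA256|SHA384|SHA512) ;; *) echo "weak signature hash: $sig"; ok=1 ;; esac
    case "$files" in SHA256|SHA384|SHA512) ;; *) echo "weak file digests: $files"; ok=1 ;; esac
    return $ok
}

# Against a real package (needs rpm):
#   audit_rpm "$(rpm -qpi pkg.rpm | grep '^Signature')" \
#             "$(rpm -qp --qf '%{FILEDIGESTALGO}' pkg.rpm)"

# Constructed sample input, copied from the two lines quoted in the thread.
SIG_OLD='Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59'
SIG_NEW='Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5'
```

Note that `_binary_filedigest_algorithm` governs the per-file digests in the header; the RSA/SHA1 versus RSA/SHA256 shown on the Signature line is the hash gpg used when signing, so both values are worth checking after a change.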