On 01/20/2016 04:48 AM, Johnny Hughes wrote: > On 01/20/2016 04:39 AM, Johnny Hughes wrote: >> On 01/20/2016 01:37 AM, Alice Wonder wrote: >>> hi, >>> >>> I noticed that RPM packages I sign use SHA1 >>> >>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID >>> ad3b591d147abf59 >>> >>> Signatures from CentOS 7 use SHA256 >>> >>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID >>> 24c6a8a7f4a80eb5 >>> >>> I'm trying to find where / how to use sha256 when I sign packages but I >>> am not having much luck. Closest I have found is this : >>> >>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256 >>> >>> That page appears to be from 2009 and six years is a really long time, >>> things change a lot. >>> >>> Is there an up to date reference somewhere on RPM package signing that I >>> haven't stumbled upon yet? >>> >>> SHA1 is broken. I shouldn't be using it. >>> >>> CentOS 7 is all I build packages for. >>> >> >> In your .rpmmacros file .. try setting: >> >> _binary_filedigest_algorithm SHA256 >> >> or from the command line: >> >> rpm --define '_binary_filedigest_algorithm SHA256' <current_line> >> >> ===== >> >> if some some reason it does not like the SAH256 value .. try 8 instead. So: >> >> rpm --define '_binary_filedigest_algorithm 8' >> >> or in .rpmmacros: >> >> _binary_filedigest_algorithm 8 >> > > There is another one as well: > > --define "_source_filedigest_algorithm 8" > > --define "_binary_filedigest_algorithm 8" > > > Defining it in the .rpmmacros would be best .. I think otherwise you > would need to define it in youe rpmbild line AND your rpm signature line. > > Are you building your rpms in mock or from rpmbuild on the command line? > > If I do this on my default c7 install, I get that as the default: > > [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm > -14: _binary_filedigest_algorithm 8 > -14: _source_filedigest_algorithm 8 > > Not sure how you got it to do it in SHA1 :) One last thought .. are you using something like: --force-v3-sigs in your signing command line? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160120/fb7db0b1/attachment-0005.sig>