[CentOS] signing RPM packages with SHA256

Wed Jan 20 10:58:31 UTC 2016
Johnny Hughes <johnny at centos.org>

On 01/20/2016 04:52 AM, Johnny Hughes wrote:
> On 01/20/2016 04:48 AM, Johnny Hughes wrote:
>> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>> hi,
>>>>
>>>> I noticed that RPM packages I sign use SHA1
>>>>
>>>> Signature   : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
>>>> ad3b591d147abf59
>>>>
>>>> Signatures from CentOS 7 use SHA256
>>>>
>>>> Signature   : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
>>>> 24c6a8a7f4a80eb5
>>>>
>>>> I'm trying to find where / how to use sha256 when I sign packages but I
>>>> am not having much luck. Closest I have found is this :
>>>>
>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>
>>>> That page appears to be from 2009 and six years is a really long time,
>>>> things change a lot.
>>>>
>>>> Is there an up to date reference somewhere on RPM package signing that I
>>>> haven't stumbled upon yet?
>>>>
>>>> SHA1 is broken. I shouldn't be using it.
>>>>
>>>> CentOS 7 is all I build packages for.
>>>>
>>>
>>> In your .rpmmacros file .. try setting:
>>>
>>> _binary_filedigest_algorithm SHA256
>>>
>>> or from the command line:
>>>
>>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>>
>>> =====
>>>
>>> if for some reason it does not like the SHA256 value .. try 8 instead.  So:
>>>
>>> rpm --define '_binary_filedigest_algorithm 8'
>>>
>>> or in .rpmmacros:
>>>
>>> _binary_filedigest_algorithm 8
>>>
>>
>> There is another one as well:
>>
>> --define "_source_filedigest_algorithm 8"
>>
>> --define "_binary_filedigest_algorithm 8"
>>
>>
>> Defining it in the .rpmmacros would be best .. I think otherwise you
>> would need to define it in your rpmbuild line AND your rpm signature line.
>>
>> Are you building your rpms in mock or from rpmbuild on the command line?
>>
>> If I do this on my default c7 install, I get that as the default:
>>
>> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
>> -14: _binary_filedigest_algorithm	8
>> -14: _source_filedigest_algorithm	8
>>
>> Not sure how you got it to do it in SHA1 :)
> 
> One last thought .. are you using something like:
> 
> --force-v3-sigs
> 
> in your signing command line?

If you are building in mock .. you would do it like this in the mock
config with the other variables:

config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
config_opts['macros']['%_source_filedigest_algorithm'] = "8"

But again, building on a c7 machine, it should be the default.

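As an added example that is not part of this thread: a POSIX shell script that reads the `Signature :` line of `rpm -qpi` output (the line quoted at the top of the thread) and flags packages whose signature is not RSA/SHA256, so a SHA1-signed build is caught before it is published. The sample `rpm -qpi` text and the key IDs in it are constructed placeholders, not real packages or keys.

```shell
#!/bin/sh
# Added example (not from the thread): audit the signature hash algorithm
# that `rpm -qpi` reports for a package. Only the "Signature :" line is parsed.

# Read `rpm -qpi` output on stdin and print the hash algorithm named in the
# "Signature :" line (e.g. SHA1, SHA256), "none" for an unsigned package,
# or "unknown" if the line is missing or cannot be parsed.
sig_hash_algo() {
    awk '
        /^Signature[[:space:]]*:/ {
            sub(/^Signature[[:space:]]*:[[:space:]]*/, "")
            if ($0 ~ /^\(none\)/) { print "none"; found = 1; exit }
            split($0, fields, ",")            # "RSA/SHA256, <date>, Key ID ..."
            n = split(fields[1], pk, "/")     # pubkey algorithm / hash algorithm
            algo = (n == 2) ? pk[2] : "unknown"
            print algo; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# Succeed only for the algorithm we want to see (SHA256); SHA1, "none"
# and anything unexpected are treated as failures.
sig_is_strong() {
    [ "$1" = "SHA256" ]
}

# Check one .rpm file on disk; prints a verdict and returns 1 if it is weak.
check_rpm_file() {
    algo=$(rpm -qpi "$1" 2>/dev/null | sig_hash_algo)
    if sig_is_strong "$algo"; then
        echo "OK    $1 ($algo)"
    else
        echo "WEAK  $1 ($algo)"
        return 1
    fi
}

# Constructed sample `rpm -qpi` output in the shape quoted in this thread;
# the key IDs are placeholders, not real keys.
SAMPLE_SHA1='Name        : example
Signature   : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID 0123456789abcdef'
SAMPLE_SHA256='Signature   : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 0123456789abcdef'
SAMPLE_NONE='Signature   : (none)'

# Demo on the constructed samples; for real packages run check_rpm_file /path/to/*.rpm
for s in "$SAMPLE_SHA1" "$SAMPLE_SHA256" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | sig_hash_algo
done
```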