On 01/20/2016 04:52 AM, Johnny Hughes wrote:
> On 01/20/2016 04:48 AM, Johnny Hughes wrote:
>> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>> hi,
>>>>
>>>> I noticed that RPM packages I sign use SHA1
>>>>
>>>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59
>>>>
>>>> Signatures from CentOS 7 use SHA256
>>>>
>>>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5
>>>>
>>>> I'm trying to find where / how to use sha256 when I sign packages but I am not having much luck. Closest I have found is this :
>>>>
>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>
>>>> That page appears to be from 2009 and six years is a really long time, things change a lot.
>>>>
>>>> Is there an up to date reference somewhere on RPM package signing that I haven't stumbled upon yet?
>>>>
>>>> SHA1 is broken. I shouldn't be using it.
>>>>
>>>> CentOS 7 is all I build packages for.
>>>>
>>>
>>> In your .rpmmacros file .. try setting:
>>>
>>> _binary_filedigest_algorithm SHA256
>>>
>>> or from the command line:
>>>
>>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>>
>>> =====
>>>
>>> if for some reason it does not like the SHA256 value .. try 8 instead. So:
>>>
>>> rpm --define '_binary_filedigest_algorithm 8'
>>>
>>> or in .rpmmacros:
>>>
>>> _binary_filedigest_algorithm 8
>>>
>>
>> There is another one as well:
>>
>> --define "_source_filedigest_algorithm 8"
>>
>> --define "_binary_filedigest_algorithm 8"
>>
>> Defining it in the .rpmmacros would be best .. I think otherwise you would need to define it in your rpmbuild line AND your rpm signature line.
>>
>> Are you building your rpms in mock or from rpmbuild on the command line?
>>
>> If I do this on my default c7 install, I get that as the default:
>>
>> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
>> -14: _binary_filedigest_algorithm 8
>> -14: _source_filedigest_algorithm 8
>>
>> Not sure how you got it to do it in SHA1 :)
>
> One last thought .. are you using something like:
>
> --force-v3-sigs
>
> in your signing command line?

If you are building in mock .. you would do it like this in the mock config with the other variables:

config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
config_opts['macros']['%_source_filedigest_algorithm'] = "8"

But again, building on a c7 machine, it should be the default.
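An added audit helper, not from the thread or from rpm itself: it parses the `Signature :` line of `rpm -qpi` (the hash gpg used for the OpenPGP signature) and the `FILEDIGESTALGO` header tag that the `_binary_filedigest_algorithm` macro sets (the per-file checksum algorithm), since these are two separate things and an audit should report both. The parsing functions take a single line of text so they can be checked against the thread's own sample output; `audit_rpm` assumes `rpm` is installed, and the numeric IDs (2 = SHA1, 8 = SHA256) are rpm's PGP hash-algorithm values.

```shell
#!/bin/sh
# Added audit helper (not from the thread): flag RPMs whose signature hash
# or per-file digest algorithm is still MD5/SHA1.

# rpm stores FILEDIGESTALGO as a PGP hash-algorithm ID; rpm also accepts
# the names in the macro, so both spellings are mapped here.
filedigest_name() {
  case "$1" in
    1|MD5) echo MD5 ;;
    2|SHA1) echo SHA1 ;;
    8|SHA256) echo SHA256 ;;
    9|SHA384) echo SHA384 ;;
    10|SHA512) echo SHA512 ;;
    '(none)'|'') echo MD5 ;;   # tag absent: rpm falls back to MD5 file digests
    *) echo "UNKNOWN($1)" ;;
  esac
}

# Hash name from an `rpm -qpi` "Signature :" line,
# e.g. "Signature : RSA/SHA256, Wed 06 Jan 2016 ..., Key ID ..." -> SHA256
sig_hash_from_line() {
  printf '%s\n' "$1" | sed -n 's/^Signature *: *[A-Za-z]*\/\([A-Za-z0-9]*\),.*/\1/p'
}

# Macro value from an `rpmbuild --showrc` line such as
# "-14: _binary_filedigest_algorithm 8" -> 8
showrc_value() {
  printf '%s\n' "$1" | sed -n 's/^.*_filedigest_algorithm[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Returns 0 when the hash should no longer be trusted for package signing.
is_weak_hash() {
  case "$1" in
    MD5|SHA1) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit a real package file; needs rpm on the host, so not exercised offline.
audit_rpm() {
  pkg="$1"
  sig=$(rpm -qpi "$pkg" 2>/dev/null | grep '^Signature' | head -n 1)
  algo=$(sig_hash_from_line "$sig")
  fd=$(rpm -qp --qf '%{FILEDIGESTALGO}' "$pkg" 2>/dev/null)
  printf '%s signature=%s filedigest=%s\n' "$pkg" "${algo:-none}" "$(filedigest_name "$fd")"
  if is_weak_hash "${algo:-SHA1}"; then return 1; fi   # unsigned counts as a failure too
}
```

Run `audit_rpm some.rpm` over a repository and the non-zero exits pick out packages that need re-signing with a SHA256 key or gpg digest preference, independent of the file-digest macro.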