On 01/20/2016 02:58 AM, Johnny Hughes wrote:
> On 01/20/2016 04:52 AM, Johnny Hughes wrote:
>> On 01/20/2016 04:48 AM, Johnny Hughes wrote:
>>> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>>> hi,
>>>>>
>>>>> I noticed that RPM packages I sign use SHA1
>>>>>
>>>>> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID ad3b591d147abf59
>>>>>
>>>>> Signatures from CentOS 7 use SHA256
>>>>>
>>>>> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 24c6a8a7f4a80eb5
>>>>>
>>>>> I'm trying to find where / how to use sha256 when I sign packages but I
>>>>> am not having much luck. Closest I have found is this :
>>>>>
>>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>>
>>>>> That page appears to be from 2009 and six years is a really long time,
>>>>> things change a lot.
>>>>>
>>>>> Is there an up to date reference somewhere on RPM package signing that I
>>>>> haven't stumbled upon yet?
>>>>>
>>>>> SHA1 is broken. I shouldn't be using it.
>>>>>
>>>>> CentOS 7 is all I build packages for.
>>>>>
>>>>
>>>> In your .rpmmacros file .. try setting:
>>>>
>>>> _binary_filedigest_algorithm SHA256
>>>>
>>>> or from the command line:
>>>>
>>>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>>>
>>>> =====
>>>>
>>>> if for some reason it does not like the SHA256 value .. try 8 instead. So:
>>>>
>>>> rpm --define '_binary_filedigest_algorithm 8'
>>>>
>>>> or in .rpmmacros:
>>>>
>>>> _binary_filedigest_algorithm 8
>>>>
>>>
>>> There is another one as well:
>>>
>>> --define "_source_filedigest_algorithm 8"
>>>
>>> --define "_binary_filedigest_algorithm 8"
>>>
>>>
>>> Defining it in the .rpmmacros would be best .. I think otherwise you
>>> would need to define it in your rpmbuild line AND your rpm signature line.
>>>
>>> Are you building your rpms in mock or from rpmbuild on the command line?
>>>
>>> If I do this on my default c7 install, I get that as the default:
>>>
>>> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
>>> -14: _binary_filedigest_algorithm 8
>>> -14: _source_filedigest_algorithm 8
>>>
>>> Not sure how you got it to do it in SHA1 :)
>>
>> One last thought .. are you using something like:
>>
>> --force-v3-sigs
>>
>> in your signing command line?
>
> If you are building in mock .. you would do it like this in the mock
> config with the other variables:
>
> config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
> config_opts['macros']['%_source_filedigest_algorithm'] = "8"
>
> But again, building on a c7 machine, it should be the default.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

I'm building in mock

Thank you for the suggestions.
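An added example, not from the thread or from the CentOS project, that turns the advice above into something checkable. Two distinct things are being discussed: `_binary_filedigest_algorithm` / `_source_filedigest_algorithm` select the per-file checksum algorithm stored in the package header (the numeric ids are the OpenPGP hash ids, so 8 means SHA256 and 2 means SHA1), while the `RSA/SHA1` versus `RSA/SHA256` shown on the `Signature :` line of `rpm -qpi` is the hash inside the OpenPGP signature, which is chosen by the gpg command rpm invokes (gpg's `--digest-algo` option, or `digest-algo` in gpg.conf). Setting the file-digest macros therefore does not by itself change the `Signature :` line, so the script audits both. The parsers below work on captured `rpm -qpi` and `rpmbuild --showrc` text (the sample strings are constructed from the output quoted in the thread); only `audit_rpm` needs a real host with the `rpm` tool. The macros-file path argument to `write_filedigest_macros` is a hypothetical convenience so the function can be exercised on a temporary file; in `.rpmmacros` each macro line starts with `%`.

```shell
#!/bin/sh
# Added example (not from the thread): audit which hash an RPM's signature and
# file digests actually use, and write the file-digest macros the thread
# recommends. Everything except audit_rpm works on captured text, so it can be
# exercised offline.

# Map rpm's numeric file-digest algorithm id (the OpenPGP hash ids) to a name.
digest_id_to_name() {
  case "$1" in
    1)  echo MD5 ;;
    2)  echo SHA1 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Read `rpm -qpi` output on stdin and print the hash name from the line
# "Signature   : RSA/SHA1, Fri 08 Jan 2016 ..., Key ID ...", e.g. SHA1.
sig_hash_from_info() {
  sed -n 's#^Signature *: *[A-Za-z0-9]*/\([A-Za-z0-9]*\),.*#\1#p' | head -n 1
}

# Read `rpmbuild --showrc` output on stdin and print the configured value of
# _binary_filedigest_algorithm (lines look like "-14: _binary_filedigest_algorithm 8").
binary_filedigest_from_showrc() {
  awk '$2 == "_binary_filedigest_algorithm" { print $3; exit }'
}

# Succeed only for SHA-2 family signature hashes; SHA1/MD5 or a missing value fail.
sig_hash_is_strong() {
  case "$1" in
    SHA256|SHA384|SHA512) return 0 ;;
    *) return 1 ;;
  esac
}

# Append the file-digest macros from the thread to a macros file
# (default ~/.rpmmacros; the path argument exists so this can be tested on a
# temp file). Earlier definitions are dropped first so reruns do not duplicate.
write_filedigest_macros() {
  f="${1:-$HOME/.rpmmacros}"
  if [ -f "$f" ]; then
    grep -v '_filedigest_algorithm' "$f" > "$f.tmp" || true
    mv "$f.tmp" "$f"
  fi
  printf '%%_binary_filedigest_algorithm 8\n%%_source_filedigest_algorithm 8\n' >> "$f"
}

# Live check of one .rpm: requires the rpm tool, so it is not part of the
# offline test. Returns non-zero when the signature hash is weak or absent.
audit_rpm() {
  h=$(rpm -qpi "$1" 2>/dev/null | sig_hash_from_info)
  if sig_hash_is_strong "$h"; then
    echo "$1: signature hash $h ok"
  else
    echo "$1: signature hash ${h:-none} is weak or missing" >&2
    return 1
  fi
}
```

On a build host, `rpmbuild --showrc | binary_filedigest_from_showrc` confirms what the file digests will be, and `audit_rpm pkg.rpm` tells you what the signature itself used; if the latter still says SHA1 after the macros are set, the fix is on the gpg side of the signing command, not in the file-digest macros.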