[CentOS] signing RPM packages with SHA256

Thu Jan 21 17:23:16 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

>>>>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>>>>> I'm trying to find where / how to use sha256 when I sign packages
>>>>>>> but I
>>>>>>> am not having much luck. Closest I have found is this :
>>>>>>>
>>>>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256 
>>>>>>>

This thread has been a whole bunch of confusion.  What you're trying to 
do requires that you add one line to your .rpmmacros file:

%_gpg_digest_algo sha256

The _binary_filedigest_algorithm and _source_filedigest_algorithm don't 
affect the signature, they affect the file digest.  That is, they set 
the checksum by which files will be verified by rpm -V. You can see the 
digest of each file using "rpm -qp --dump".

>> I'm still not getting it to work - I am trying outside of mock.

As far as I know, mock doesn't sign packages, so you don't need to 
change your mock configuration at all.

>> Before just _signature_gpg and _gpg_name were defined

Because I'm curious, I checked... Only _gpg_name and _gpg_digest_algo 
need to be set.  "%_signature gpg" is either the default, or it's 
unused.  I'm not sure which.

> I am wondering if my issue is related to my gpg configuration but I 
> don't even know where the hell the user specific configuration is kept 
> now.

I think it's normally created when you create your keys, but it doesn't 
seem to be needed.

> No idea if the gpg configuration could be the issue, and the gpg2 man 
> page doesn't seem to indicate where the configuration file is kept now.

Yes, it does.  The file is gpg.conf in --homedir (which defaults to 
~/.gnupg).
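A worked example, added here as an illustration and not part of Gordon's
message or of rpm's own tooling: it writes the two ~/.rpmmacros lines
named above (_gpg_name and _gpg_digest_algo, nothing else), signs a
package with "rpm --addsign", and then checks in the "rpm -Kv" output that
the signature line really says RSA/SHA256. The key ID, the package name
and the sample "rpm -Kv" output are placeholders I constructed so the
check can be exercised on a machine without rpm; only "rpm --addsign" and
"rpm -Kv" are real rpm commands.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates the
# ~/.rpmmacros settings for SHA256 signing and a check of the result.
# Key ID, package path and the sample "rpm -Kv" output below are
# constructed placeholders, not values from the thread.

# write_rpmmacros FILE KEYID
# Writes a minimal macros file (overwriting FILE). Only _gpg_name and
# _gpg_digest_algo are needed for signing; the *_filedigest_algorithm
# macros are left out on purpose, because they set the per-file checksum
# used by "rpm -V", not the signature digest.
write_rpmmacros() {
    file=$1
    keyid=$2
    printf '%%_gpg_name %s\n%%_gpg_digest_algo sha256\n' "$keyid" > "$file"
}

# sig_digest_ok TEXT
# TEXT is the output of "rpm -Kv pkg.rpm". Returns 0 if it shows an
# RSA/SHA256 signature and no RSA/SHA1 signature line, 1 otherwise.
# The "Header SHA1 digest" line is the header checksum, not the
# signature, so it is deliberately not matched here.
sig_digest_ok() {
    printf '%s\n' "$1" | grep -q 'RSA/SHA256 Signature' || return 1
    printf '%s\n' "$1" | grep -q 'RSA/SHA1 Signature' && return 1
    return 0
}

# sign_and_verify PKG
# Signs PKG with "rpm --addsign" (which reads ~/.rpmmacros, so gpg must
# have the secret key named by %_gpg_name), then checks the digest
# algorithm reported by "rpm -Kv". Returns 2 if rpm is not installed.
sign_and_verify() {
    pkg=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed; skipping" >&2; return 2; }
    rpm --addsign "$pkg" || return 1
    out=$(rpm -Kv "$pkg") || return 1
    printf '%s\n' "$out"
    sig_digest_ok "$out"
}

# Constructed samples of "rpm -Kv" output (placeholder package and key ID),
# one signed after setting %_gpg_digest_algo sha256 and one without it.
SAMPLE_SHA256='foo-1.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK (00000000000000000000000000000000)'

SAMPLE_SHA1='foo-1.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V4 RSA/SHA1 Signature, key ID 0123abcd: OK
    MD5 digest: OK (00000000000000000000000000000000)'

# Usage: sh sign-sha256.sh KEYID PACKAGE.rpm
# Writes ~/.rpmmacros (overwriting it), signs the package and checks it.
if [ $# -ge 2 ]; then
    write_rpmmacros "$HOME/.rpmmacros" "$1"
    sign_and_verify "$2"
fi
```

Run it as "sh sign-sha256.sh 'Your Name <you at example.invalid>'
foo-1.0-1.el7.x86_64.rpm" on the signing host; the exit status is 0 only
when "rpm -Kv" reports an RSA/SHA256 signature. Note that changing the
macro has no effect on packages already signed: re-sign them with
"rpm --addsign" (or "rpm --resign") after editing ~/.rpmmacros.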