[CentOS] signing RPM packages with SHA256
Johnny Hughes
johnny at centos.org
Wed Jan 20 10:39:07 UTC 2016
On 01/20/2016 01:37 AM, Alice Wonder wrote:
> hi,
>
> I noticed that RPM packages I sign use SHA1
>
> Signature : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
> ad3b591d147abf59
>
> Signatures from CentOS 7 use SHA256
>
> Signature : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
> 24c6a8a7f4a80eb5
>
> I'm trying to find where / how to use sha256 when I sign packages but I
> am not having much luck. Closest I have found is this :
>
> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>
> That page appears to be from 2009 and six years is a really long time,
> things change a lot.
>
> Is there an up to date reference somewhere on RPM package signing that I
> haven't stumbled upon yet?
>
> SHA1 is broken. I shouldn't be using it.
>
> CentOS 7 is all I build packages for.
>
In your .rpmmacros file .. try setting:
_binary_filedigest_algorithm SHA256
or from the command line:
rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
=====
if some some reason it does not like the SAH256 value .. try 8 instead. So:
rpm --define '_binary_filedigest_algorithm 8'
or in .rpmmacros:
_binary_filedigest_algorithm 8
Thanks,
Johnny Hughes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160120/6545e622/attachment.sig>
More information about the CentOS
mailing list