[CentOS] signing RPM packages with SHA256
Gordon Messmer
gordon.messmer at gmail.com
Thu Jan 21 17:23:16 UTC 2016
>>>>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>>>>> I'm trying to find where / how to use sha256 when I sign packages
>>>>>>> but I
>>>>>>> am not having much luck. Closest I have found is this :
>>>>>>>
>>>>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>>>>
This thread has been a whole bunch of confusion. What you're trying to
do requires that you add one line to your .rpmmacros file:
%_gpg_digest_algo sha256
The _binary_filedigest_algorithm and _source_filedigest_algorithm don't
affect the signature, they affect the file digest. That is, they set
the checksum by which files will be verified by rpm -V. You can see the
digest of each file using "rpm -qp --dump".
>> I'm still not getting it to work - I am trying outside of mock.
As far as I know, mock doesn't sign packages, so you don't need to
change your mock configuration at all.
>> Before just _signature_gpg and _gpg_name were defined
Because I'm curious, I checked.... Only _gpg_name and _gpg_digest_algo
need to be set. "%_signature gpg" is either the default, or it's
unused. I'm not sure which.
> I am wondering if my issue is related to my gpg configuration but I
> don't even know where the hell the user specific configuration is kept
> now.
I think it's normally created when you create your keys, but it doesn't
seem to be needed.
> No idea if the gpg configuration could be the issue, and the gpg2 man
> page doesn't seem to indicate where the configuration file is kept now.
Yes, it does. The file is gpg.conf in --homedir (which defaults to
~/.gnupg).
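An added illustration of the distinction made above (not code from the thread): a short POSIX shell script that tells the signature's hash algorithm apart from the per-file digests. It assumes rpm renders the `%{RSAHEADER:pgpsig}` query tag as "RSA/SHA256, <date>, Key ID <id>" and that each `rpm -qp --dump` line is "path size mtime digest mode owner group isconfig isdoc rdev symlink"; the key name in the macro lines and the sample lines inside the script are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the mailing-list message. Assumptions:
#  - rpm renders %{RSAHEADER:pgpsig} as "RSA/SHA256, <date>, Key ID <id>"
#  - "rpm -qp --dump" lines are:
#    path size mtime digest mode owner group isconfig isdoc rdev symlink

# The two ~/.rpmmacros lines the thread arrives at (key name is a placeholder).
RPMMACROS_LINES='%_gpg_name        Example Packager <packager@example.invalid>
%_gpg_digest_algo sha256'

# Print the hash named in a pgpsig string ("RSA/SHA256, ..." -> SHA256).
# Prints nothing for an unsigned package, where rpm renders "(none)".
sig_digest_algo() {
    printf '%s\n' "$1" | sed -n 's#^[A-Za-z]*/\([A-Za-z0-9]*\),.*#\1#p'
}

# Classify the digest column of one "rpm -qp --dump" line by its hex length.
# This is the checksum "rpm -V" compares, controlled by the
# _binary_filedigest_algorithm macro, not by _gpg_digest_algo.
file_digest_algo() {
    digest=$(printf '%s\n' "$1" | awk '{print $4}')
    case ${#digest} in
        32)  echo md5 ;;
        40)  echo sha1 ;;
        64)  echo sha256 ;;
        128) echo sha512 ;;
        *)   echo unknown ;;
    esac
}

# Report both algorithms for a real package (requires rpm on the host).
check_rpm() {
    pkg=$1
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}\n' "$pkg")
    echo "signature digest: $(sig_digest_algo "$sig")"
    rpm -qp --dump "$pkg" | while read -r line; do
        path=$(printf '%s\n' "$line" | awk '{print $1}')
        echo "file digest: $(file_digest_algo "$line")  $path"
    done
}

# Constructed sample values, used when no package path is given.
SAMPLE_SIG='RSA/SHA256, Thu 21 Jan 2016 09:00:00 AM PST, Key ID 0123456789abcdef'
SAMPLE_DUMP='/usr/bin/example 1234 1453395796 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0100755 root root 0 0 0 X'

if [ -n "${1:-}" ]; then
    check_rpm "$1"
else
    echo "macros to add to ~/.rpmmacros:"
    echo "$RPMMACROS_LINES"
    echo "sample signature digest: $(sig_digest_algo "$SAMPLE_SIG")"
    echo "sample file digest:      $(file_digest_algo "$SAMPLE_DUMP")"
fi
```

Run it with a package path to inspect a real file, or with no arguments to see the constructed samples. A package signed with the macros above shows SHA256 for the signature while its file digests are whatever the build's `_binary_filedigest_algorithm` produced; seeing MD5 (32 hex digits) in the dump does not mean the signature is weak, and vice versa.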