[CentOS] signing RPM packages with SHA256

Wed Jan 20 16:35:08 UTC 2016
Alice Wonder <alice at domblogger.net>

On 01/20/2016 02:58 AM, Johnny Hughes wrote:
> On 01/20/2016 04:52 AM, Johnny Hughes wrote:
>> On 01/20/2016 04:48 AM, Johnny Hughes wrote:
>>> On 01/20/2016 04:39 AM, Johnny Hughes wrote:
>>>> On 01/20/2016 01:37 AM, Alice Wonder wrote:
>>>>> hi,
>>>>>
>>>>> I noticed that RPM packages I sign use SHA1
>>>>>
>>>>> Signature   : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID
>>>>> ad3b591d147abf59
>>>>>
>>>>> Signatures from CentOS 7 use SHA256
>>>>>
>>>>> Signature   : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID
>>>>> 24c6a8a7f4a80eb5
>>>>>
>>>>> I'm trying to find where / how to use sha256 when I sign packages but I
>>>>> am not having much luck. Closest I have found is this :
>>>>>
>>>>> https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
>>>>>
>>>>> That page appears to be from 2009 and six years is a really long time,
>>>>> things change a lot.
>>>>>
>>>>> Is there an up to date reference somewhere on RPM package signing that I
>>>>> haven't stumbled upon yet?
>>>>>
>>>>> SHA1 is broken. I shouldn't be using it.
>>>>>
>>>>> CentOS 7 is all I build packages for.
>>>>>
>>>>
>>>> In your .rpmmacros file .. try setting:
>>>>
>>>> _binary_filedigest_algorithm SHA256
>>>>
>>>> or from the command line:
>>>>
>>>> rpm --define '_binary_filedigest_algorithm SHA256' <current_line>
>>>>
>>>> =====
>>>>
>>>> if some some reason it does not like the SAH256 value .. try 8 instead.  So:
>>>>
>>>> rpm --define '_binary_filedigest_algorithm 8'
>>>>
>>>> or in .rpmmacros:
>>>>
>>>> _binary_filedigest_algorithm 8
>>>>
>>>
>>> There is another one as well:
>>>
>>> --define "_source_filedigest_algorithm 8"
>>>
>>> --define "_binary_filedigest_algorithm 8"
>>>
>>>
>>> Defining it in the .rpmmacros would be best .. I think otherwise you
>>> would need to define it in youe rpmbild line AND your rpm signature line.
>>>
>>> Are you building your rpms in mock or from rpmbuild on the command line?
>>>
>>> If I do this on my default c7 install, I get that as the default:
>>>
>>> [jhughes at localhost ~]$ rpmbuild --showrc | grep filedigest_algorithm
>>> -14: _binary_filedigest_algorithm	8
>>> -14: _source_filedigest_algorithm	8
>>>
>>> Not sure how you got it to do it in SHA1 :)
>>
>> One last thought .. are you using something like:
>>
>> --force-v3-sigs
>>
>> in your signing command line?
>
> If you are building in mock .. you would do it like this int he mock
> config with the other variables:
>
> config_opts['macros']['%_binary_filedigest_algorithm'] = "8"
> config_opts['macros']['%_source_filedigest_algorithm'] = "8"
>
> But again, building on a c7 machine, it should be the default.
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

I'm building in mock

Thank you for the suggestions.