#271 Sign packages on CBS with RSA/SHA256
Closed: Fixed 2 years ago by arrfab. Opened 2 years ago by dcavalca.

Right now packages built on CBS are signed with RSA/SHA1. We'd like to use RSA/SHA256 for packages built in the Hyperscale SIG (though, more generally, I think it'd be good to consider changing the default globally). I understand there's a way to do this by setting the appropriate RPM macros, but I couldn't find a conclusive list. Once that's sorted out (assuming it's the right way to go), we'll need to get our tags updated to include them.

See https://pagure.io/centos-sig-hyperscale/sig/issue/33 for more details.


Metadata Update from @arrfab:
- Issue tagged with: feature-request, need-more-info

2 years ago

Metadata Update from @arrfab:
- Issue tagged with: cbs

2 years ago

A quick look at the rpmsign manual page points to the %_binary_filedigest_algorithm macro, which we can eventually set to SHA256.
We just need to verify that it works fine on the el7 rpm version (as the signing service is common for all pkgs built on cbs.centos.org), to be able to consume pkgs signed by the signing service (itself also running on c7).
Tagging as "RFE/Feature Request"

Metadata Update from @arrfab:
- Issue assigned to arrfab

2 years ago

Now that I had a little bit of time, I had a look, and what I read initially wasn't for signing itself.
The change to have both %_gpg_digest_algo set to sha256 and %__gpg_sign_cmd also using it went live (after a validation test for an el7 pkg then installed on an el7 box).
Closing now

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
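
To confirm which digest packages are actually signed with after a change like the one in this ticket, the signature string that rpm reports can be audited per package. This is an added example, not part of the ticket or of CBS tooling; the rpm query invocation in the comment is an assumed way to produce the input, and the sample lines are constructed.

```shell
#!/bin/sh
# Audit rpm signature digests.
# Input on stdin: one line per package, "<nevra>|<pgpsig string>".
# Assumed way to produce it on a directory of packages:
#   rpm -qp --qf '%{NEVRA}|%{RSAHEADER:pgpsig}\n' *.rpm
# Output: "<status> <nevra> <algo>" per package.
# Exit status: 1 if any package is unsigned or signed with SHA1/MD5, else 0.
audit_sig_digests() {
    awk -F'|' '
        {
            # pgpsig looks like "RSA/SHA256, <date>, Key ID <keyid>"
            split($2, field, ",")
            algo = field[1]
            n = split(algo, part, "/")      # pubkey algo / digest algo
            digest = (n == 2) ? part[2] : ""
            if (digest == "") {             # "(none)" or empty: no signature
                status = "UNSIGNED"; bad++
            } else if (digest == "SHA1" || digest == "MD5") {
                status = "WEAK"; bad++
            } else {
                status = "OK"
            }
            printf "%s %s %s\n", status, $1, (algo == "" ? "-" : algo)
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Constructed sample input (package names, dates and key IDs are made up).
SAMPLE='foo-1.0-1.el7.x86_64|RSA/SHA1, Mon 01 Mar 2021 10:00:00 AM UTC, Key ID 0000000000000001
bar-2.0-1.el8.x86_64|RSA/SHA256, Tue 01 Jun 2021 10:00:00 AM UTC, Key ID 0000000000000001
baz-3.0-1.el8.noarch|(none)'

printf '%s\n' "$SAMPLE" | audit_sig_digests \
    || echo "packages with weak or missing signatures found"
```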
