Right now packages built on CBS are signed with RSA/SHA1. We'd like to use RSA/SHA256 for packages built in the Hyperscale SIG (though, more generally, I think it'd be good to consider changing the default globally). I understand there's a way to do this by setting the appropriate RPM macros, but I couldn't find a conclusive list. Once that's sorted out (assuming it's the right way to go), we'll need to get our tags updated to include them.
See https://pagure.io/centos-sig-hyperscale/sig/issue/33 for more details.
Metadata Update from @arrfab: - Issue tagged with: feature-request, need-more-info
Metadata Update from @arrfab: - Issue tagged with: cbs
A quick look at the rpmsign manual page points to the %_binary_filedigest_algorithm macro that we can eventually set to SHA256. We just need to verify that it works fine on the el7 rpm version (as the signing service is common for all pkgs built on cbs.centos.org), to be able to consume pkgs signed from the signing service (itself also running on c7). Tagging as "RFE/Feature Request".
Metadata Update from @arrfab: - Issue assigned to arrfab
Now that I had a little bit of time, I had a look and what I read initially wasn't for signing itself. The change to have both %_gpg_digest_algo set to sha256 and %__gpg_sign_cmd also using it went live (after a validation test for an el7 pkg installed then on an el7 box). Closing now.
Metadata Update from @arrfab: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
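The following Python is an added example, not code from this ticket or from the CBS signing service: it reads the public-key and digest algorithm IDs from an OpenPGP signature packet (RFC 4880), the value behind the "RSA/SHA1" or "RSA/SHA256" label, so a package's signature can be checked after a change like the one described above. The function names, the weak-digest policy and the sample packets are assumptions made for illustration; the samples hold only the leading header fields, not a complete signature.

```python
# Added example: algorithm IDs are from RFC 4880; the sample bytes are constructed.
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
DIGEST = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}        # assumed policy for this example

def packet_body(pkt: bytes):
    """Strip the OpenPGP packet header and return (tag, body)."""
    if len(pkt) < 2 or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:                      # new-format header
        tag, first = pkt[0] & 0x3F, pkt[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + pkt[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(pkt[2:6], "big")
        else:
            raise ValueError("partial body length not supported")
    else:                                  # old-format header
        tag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                     # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(pkt[1:1 + n], "big")
    body = pkt[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def signature_algorithms(pkt: bytes):
    """Return (pubkey, digest) names, e.g. ("RSA", "SHA256")."""
    try:
        tag, body = packet_body(pkt)
        if tag != 2:
            raise ValueError("not a signature packet")
        if body[0] == 4:    # v4: version, sig type, pubkey algo, digest algo
            pk, dg = body[2], body[3]
        elif body[0] == 3:  # v3: version, 5, sig type, time(4), key id(8), pk, dg
            pk, dg = body[15], body[16]
        else:
            raise ValueError("unsupported signature version")
    except IndexError:
        raise ValueError("truncated packet") from None
    return PUBKEY.get(pk, f"pubkey#{pk}"), DIGEST.get(dg, f"digest#{dg}")

def is_weak(pkt: bytes) -> bool:
    return signature_algorithms(pkt)[1] in WEAK

V4_SHA256 = bytes([0x89, 0, 6, 4, 0, 1, 8, 0, 0])                      # constructed
V3_SHA1 = bytes([0x88, 17, 3, 5, 0]) + bytes(12) + bytes([1, 2])       # constructed
```

Joining the two returned names with "/" gives the same form as the labels used in this ticket.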