It looks like CBS is signing with RSA/SHA1 by default:
$ rpm -K -v systemd-247.3-4.hs+fb.el8.x86_64.rpm systemd-247.3-4.hs+fb.el8.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID eb3dac40: OK Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK V4 RSA/SHA1 Signature, key ID eb3dac40: OK MD5 digest: OK
I'd be great to switch this to RSA/SHA256 as sha1 is pretty broken these days. Not sure if this requires CBS work, of if it's just a macro we can set on our tags.
Metadata Update from @dcavalca: - Issue tagged with: meeting
Verified that c8s uses RSA/SHA256 by default already, and that the stock version of RPM (rpm-4.14.3-13) supports it just fine, so this should be a relatively straightforward change.
Filed https://pagure.io/centos-infra/issue/271 for Infra.
This has been resolved and CBS now defaults to RSA/SHA256.
Metadata Update from @dcavalca: - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.