#33 Sign packages with RSA/SHA256
Closed 2 years ago by dcavalca. Opened 2 years ago by dcavalca.

It looks like CBS is signing with RSA/SHA1 by default:

$ rpm -K -v systemd-247.3-4.hs+fb.el8.x86_64.rpm
systemd-247.3-4.hs+fb.el8.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID eb3dac40: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA1 Signature, key ID eb3dac40: OK
    MD5 digest: OK

It'd be great to switch this to RSA/SHA256 as SHA1 is pretty broken these days. Not sure if this requires CBS work, or if it's just a macro we can set on our tags.


Metadata Update from @dcavalca:
- Issue tagged with: meeting

2 years ago

Verified that c8s uses RSA/SHA256 by default already, and that the stock version of RPM (rpm-4.14.3-13) supports it just fine, so this should be a relatively straightforward change.

This has been resolved and CBS now defaults to RSA/SHA256.

Metadata Update from @dcavalca:
- Issue status updated to: Closed (was: Open)

2 years ago
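
An added example, not part of the ticket and not CBS tooling: a shell function that reads `rpm -K -v` output like that quoted in the report and lists every signature made with SHA1 or MD5, so a repository can be checked before and after the switch to RSA/SHA256. The function name `weak_rpm_sigs` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not CBS tooling): list RPM signatures made with a weak digest.
# stdin:  text printed by `rpm -K -v <package>...`
# stdout: "<package> <scope> <pubkey-algo>/<digest> <key id>" per weak signature
# status: 1 if any weak signature was listed, else 0 (usable as a CI gate)
weak_rpm_sigs() {
    awk '
        # An unindented line ending in ":" names the package being verified.
        substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" && /:$/ {
            pkg = substr($0, 1, length($0) - 1); next
        }
        /Signature, key ID/ {
            # "Header V4 ..." signs the header only; plain "V4 ..." is the
            # legacy signature over header and payload.
            scope = ($1 == "Header") ? "header" : "header+payload"
            algo = ""; keyid = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "/") > 0 && algo == "") algo = $i
                if ($i == "ID" && i < NF) { keyid = $(i + 1); sub(/:$/, "", keyid) }
            }
            n = split(algo, part, "/")
            digest = toupper(part[n])
            if (digest == "SHA1" || digest == "MD5") {
                print pkg, scope, algo, keyid
                weak = 1
            }
        }
        END { exit (weak ? 1 : 0) }
    '
}

# Demo on the output quoted in the ticket above.
weak_rpm_sigs <<'EOF' || echo "weak signature digest in use"
systemd-247.3-4.hs+fb.el8.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID eb3dac40: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA1 Signature, key ID eb3dac40: OK
    MD5 digest: OK
EOF
```

To audit a directory, pipe the real tool into it: `rpm -K -v *.rpm | weak_rpm_sigs`.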
