Currently, we sign packages using SHA1 hashalgo (default of sign). SHA1 is old and should be replaced by SHA256. Sign supports it using -h sha256. We should start using it.
Relevant: https://bugzilla.redhat.com/show_bug.cgi?id=2059101 https://github.com/openSUSE/obs-sign/issues/34
It will be great if we can re-sign everything in epel-9-* chroots. We can re-use and modify backend/run/copr_fix_gpg.py
Anything we can help with? oVirt is getting repository closure failure on el9 because openssl dropped sha1 support. Getting this in for copr will solve the issue: https://github.com/oVirt/ovirt-release/issues/117
Metadata Update from @praiskup: - Issue priority set to: High - Issue tagged with: bug
@sbonazzo nothing right now. It will take us some time: implement, test, new deployment to prod (eta can be ~3 weeks). We will contact you then and ask you for confirmation that it works for you.
Agreed with the ETA. Note we still build for EPEL6+ in internal copr, so we should check what chroots the SHA256 hash is safe to use with, and apply selectively.
Thanks for the estimation. Implemented workaround for now: https://github.com/oVirt/ovirt-release/pull/119
Metadata Update from @praiskup: - Issue assigned to praiskup
Commit c856f7f fixes this issue
Is this deployed? I just built: https://copr.fedorainfracloud.org/coprs/alexl/cs9-sample-images/build/3708034/ and it seems to have an RSA/SHA1 signature.
It is not yet deployed. If everything goes well, it will be in production next Monday. (currently available on staging, copr.stg.fedoraproject.org)
Metadata Update from @praiskup: - Issue status updated to: Open (was: Closed)
Additional permissions for the CDN requested: https://pagure.io/fedora-infrastructure/issue/10594
Commit ebcee00 fixes this issue
Commit d63a4bb fixes this issue
FTR, this is deployed to production now -- new builds in EL8+ are signed with sha256.
Also, we are currently running a script that will re-sign all EL9 RPMs (epel-9 and centos-stream-9) with sha256, but it will take roughly 48 hours to finish.