#2106 Sign packages using sha256
Closed: Fixed 2 years ago by praiskup. Opened 2 years ago by msuchy.

Currently, we sign packages using SHA1 hashalgo (default of sign). SHA1 is old and should be replaced by SHA256. Sign supports it using -h sha256. We should start using it.

Relevant:
https://bugzilla.redhat.com/show_bug.cgi?id=2059101
https://github.com/openSUSE/obs-sign/issues/34


It will be great if we can re-sign everything in epel-9-* chroots.
We can re-use and modify backend/run/copr_fix_gpg.py

Anything we can help with? oVirt is getting repository closure failure on el9 because openssl dropped sha1 support. Getting this in for copr will solve the issue: https://github.com/oVirt/ovirt-release/issues/117

Metadata Update from @praiskup:
- Issue priority set to: High
- Issue tagged with: bug

2 years ago

@sbonazzo nothing right now.
It will take us some time: implement, test, new deployment to prod (eta can be ~3 weeks). We will contact you then and ask you for confirmation that it works for you.

Agreed with the ETA. Note we still build for EPEL6+ in internal copr, so we should
check what chroots the SHA256 hash is safe to use with, and apply selectively.

Thanks for the estimation. Implemented workaround for now: https://github.com/oVirt/ovirt-release/pull/119

Metadata Update from @praiskup:
- Issue assigned to praiskup

2 years ago

Is this deployed?
I just built: https://copr.fedorainfracloud.org/coprs/alexl/cs9-sample-images/build/3708034/ and it seems to have an RSA/SHA1 signature.

It is not yet deployed. If everything goes well, it will be in production next Monday.
(currently available on staging, copr.stg.fedoraproject.org)

Metadata Update from @praiskup:
- Issue status updated to: Open (was: Closed)

2 years ago

FTR, this is deployed to production now -- new builds in EL8+ are signed with sha256.

Also, we are currently running a script that will re-sign all EL9 RPMs (epel-9 and centos-stream-9) with sha256, but it will take roughly 48 hours to finish.
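One way to audit which digest an RPM's signature actually uses (for example to confirm a re-signed package before trusting it on EL9), as an added example that is not Copr's `copr_fix_gpg.py` nor obs-sign's code: the RPM signature header carries a plain OpenPGP signature packet (RFC 4880), and in a v4 signature the fourth body byte names the hash algorithm (2 = SHA1, 8 = SHA256). The packets this script builds are constructed for the demonstration with dummy MPIs, so they parse like real ones but would not verify against any key.

```python
"""Report the hash algorithm named inside an OpenPGP signature packet.

Added example. The packets built by build_signature_packet() are constructed
test data with dummy MPIs, not real signatures.
"""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# SHA1 is what the EL9 OpenSSL policy rejects; MD5 and RIPEMD160 are older still.
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}


def _packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                         # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not supported")
    tag = (first >> 2) & 0x0F                # old-format header (RFC 4880 4.2.1)
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length is not supported")


def signature_hash_algo(packet):
    """Parse a signature packet and report version, key algorithm and digest."""
    tag, off, length = _packet_header(packet)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    version = body[0]
    if version == 4:
        pk_id, hash_id = body[2], body[3]    # version, sigtype, pubkey algo, hash algo
    elif version == 3:
        pk_id, hash_id = body[15], body[16]  # after len(5), sigtype, time(4), keyid(8)
    else:
        raise ValueError(f"unsupported signature version {version}")
    hash_name = HASH_ALGOS.get(hash_id, f"unknown({hash_id})")
    return {
        "version": version,
        "pubkey": PUBKEY_ALGOS.get(pk_id, f"unknown({pk_id})"),
        "hash": hash_name,
        "weak": hash_name in WEAK_HASHES,
    }


def build_signature_packet(hash_id, pubkey_id=1, new_format=False):
    """Construct a structurally valid v4 signature packet with a dummy 2048-bit MPI."""
    body = bytes([4, 0x00, pubkey_id, hash_id])               # v4, binary-document sig
    hashed = bytes([5, 2]) + struct.pack(">I", 1700000000)    # creation-time subpacket
    body += struct.pack(">H", len(hashed)) + hashed
    unhashed = bytes([9, 16]) + b"\x11" * 8                   # issuer key-id subpacket (dummy)
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xab\xcd"                                       # left 16 bits of digest (dummy)
    body += struct.pack(">H", 2048) + b"\x80" + b"\x00" * 255  # dummy RSA MPI
    if new_format:
        assert 192 <= len(body) < 8384
        n = len(body) - 192
        header = bytes([0xC0 | 2, (n >> 8) + 192, n & 0xFF])
    else:
        header = bytes([0x89]) + struct.pack(">H", len(body))  # old format, 2-byte length
    return header + body


def audit(packets):
    """Return the report for each packet; callers flag any entry with weak=True."""
    return [signature_hash_algo(p) for p in packets]


if __name__ == "__main__":
    for report in audit([build_signature_packet(2), build_signature_packet(8)]):
        print(report)
```

On a host with rpm installed, `rpm -qp --qf '%{RSAHEADER:pgpsig}\n' pkg.rpm` prints the same key/digest pair (for example `RSA/SHA256, ...`) and is the quicker check; the parser above is for the case where the raw signature bytes are what you have, or where rpm is not available.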


Metadata
Related Pull Requests
  • #2119 Merged 2 years ago
  • #2111 Merged 2 years ago