Ability to add signature with SHA256 #155

mkbaldwin · 2021-02-18T21:08:54Z

Is it possible to add a signature based on SHA256 rather than SHA1? RHEL 7 now includes these signatures by default when signing with the command line utility. Plus, these are stronger hashes required by some security policies. Is this a feature than can be added?

BClark09 · 2022-07-07T15:47:06Z

Hi, it looks like signatures are still using SHA1. Generated RPM packages report as having bad signatures on CentOS9:

[...]
warning: Signature not supported. Hash algorithm SHA1 not available.
    Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
[...]

These are fixed in ChannelWrapper.java but changing to SHA256 (or other from HashAlgorithmTags seems to fix the issue.

redline/src/main/java/org/redline_rpm/ChannelWrapper.java

Line 20 in 15afff5

import static org.bouncycastle.bcpg.HashAlgorithmTags.SHA1;

redline/src/main/java/org/redline_rpm/ChannelWrapper.java

Line 126 in 15afff5

    
           BcPGPContentSignerBuilder contentSignerBuilder = new BcPGPContentSignerBuilder( algorithm, SHA1 );

breskeby mentioned this issue Jul 21, 2021

Add SHA256 support #157

Merged

craigwblake closed this as completed in #157 Aug 9, 2021

aldendaley mentioned this issue Sep 11, 2024

Change the signature to be based on SHA256 instead of SHA1 nebula-plugins/gradle-ospackage-plugin#432

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ability to add signature with SHA256 #155

Ability to add signature with SHA256 #155

mkbaldwin commented Feb 18, 2021

BClark09 commented Jul 7, 2022

Ability to add signature with SHA256 #155

Ability to add signature with SHA256 #155

Comments

mkbaldwin commented Feb 18, 2021

BClark09 commented Jul 7, 2022