
Change the signature to be based on SHA256 instead of SHA1 #432

Open
bonivi opened this issue Dec 9, 2023 · 3 comments

Comments

bonivi commented Dec 9, 2023

Signed RPMs report as having bad signatures on RHEL 9 and can't be installed:
Looks like SHA1 is deprecated in RHEL 9 ( https://access.redhat.com/articles/6846411 ). Can you change the signature to be based on SHA256 instead of SHA1?

```
# rpm -i package-1-1.x86_64.rpm
warning: Signature not supported. Hash algorithm SHA1 not available.
error: package-1-1.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID daa37c10: BAD
error: package-1-1.x86_64.rpm cannot be installed
# rpm -v --checksig package-1-1.x86_64.rpm
package-1-1.x86_64.rpm:
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
    Header V4 RSA/SHA1 Signature, key ID daa37c10: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 ALT digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA1 Signature, key ID daa37c10: BAD
    MD5 digest: OK
```

bonivi commented Feb 4, 2024

Any plans to add SHA256 signatures ?

DanielThomas (Contributor) commented

This was added in Redline upstream and the latest releases of the plugin use this version:

craigwblake/redline@45494bc

aldendaley commented Sep 11, 2024

> This was added in Redline upstream and the latest releases of the plugin use this version:
>
> craigwblake/redline@45494bc

Is it possible this only improved on the file digests, not the RPM's GPG signature? I'm experiencing the same problem as OP, and can't see a path forward. Testing with ospackage 8.6.3 and 11.6.0, which I believe both use redline 1.2.10 (the latest).

Someone else is reporting something similar directly using the redline library: craigwblake/redline#155
Seems possible the issue lies with redline, not ospackage, though. They also have a pending PR, since 2022: craigwblake/redline#164

I initially found my GPG configuration used SHA1 to hash its own content, but I just experimented with a new GPG key after re-configuring for SHA512 and still find the RPM is produced with an RSA/SHA1 signature.
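A check that separates the two things the thread is asking about (the header digests, which are already SHA256, versus the hash algorithm inside the RSA signature packet), added here as an example that is not part of this thread or of the redline/ospackage code: it parses an RPM's signature header directly and names the OpenPGP hash algorithm of each signature, so a built package can be screened for RSA/SHA1 before it is shipped to a RHEL 9 host. Tag numbers follow rpm's rpmtag.h and algorithm IDs follow RFC 4880; `build_sample_rpm` constructs a minimal fake package (lead plus signature header only) for the demonstration and is not a real RPM.

```python
import struct
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # RPM header-structure magic plus version byte
LEAD_SIZE = 96                         # fixed legacy lead that precedes the signature header
SIG_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "PGP", 1005: "GPG"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 22: "EdDSA"}

def parse_header(buf, off):
    """Parse one RPM header structure at `off`; return ({tag: BIN data}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no RPM header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index, store, entries = off + 16, off + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, dofs, count = struct.unpack(">IIII", buf[index + 16 * i:index + 16 * i + 16])
        if typ == 7:                                   # BIN entry: count is the byte length
            entries[tag] = buf[store + dofs:store + dofs + count]
    return entries, store + hsize

def pgp_sig_algorithms(pkt):
    """Return (pubkey_algo_id, hash_algo_id) from an OpenPGP v3 or v4 signature packet."""
    ctb, new = pkt[0], pkt[0] & 0x40                   # bit 6 set means new-format packet header
    tag = ctb & 0x3F if new else (ctb >> 2) & 0x0F
    hdr = (2 if pkt[1] < 192 else 3 if pkt[1] < 255 else 6) if new else (2, 3, 5)[ctb & 3]
    if tag != 2:
        raise ValueError("not an OpenPGP signature packet")
    body = pkt[hdr:]
    pk_at, h_at = {4: (2, 3), 3: (15, 16)}[body[0]]    # v4: after sig type; v3: after the key ID
    return body[pk_at], body[h_at]

def signature_algorithms(rpm):
    """Map each OpenPGP signature tag in the signature header to (pubkey, hash) names."""
    sig, out = parse_header(rpm, LEAD_SIZE)[0], {}
    for tag, name in SIG_TAGS.items():
        if tag in sig:
            pk, h = pgp_sig_algorithms(sig[tag])
            out[name] = (PUBKEY_ALGOS.get(pk, str(pk)), HASH_ALGOS.get(h, str(h)))
    return out

def sha1_signatures(rpm):
    """Signature tags that a host with SHA1 disabled (RHEL 9's default policy) reports as unsupported."""
    return sorted(n for n, (_, h) in signature_algorithms(rpm).items() if h == "SHA1")

def build_sample_rpm(hash_algo):
    """Constructed lead + signature header with one RSAHEADER v4 packet; not a real package."""
    body = bytes([4, 0, 1, hash_algo]) + b"\0" * 4      # v4, binary sig, RSA, hash id, no subpackets
    pkt = b"\x89" + struct.pack(">H", len(body)) + body  # old-format CTB: tag 2, two-octet length
    sighdr = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(pkt))
    return b"\xed\xab\xee\xdb" + b"\0" * (LEAD_SIZE - 4) + sighdr + struct.pack(">IIII", 268, 7, 0, len(pkt)) + pkt
```

On a real file, `signature_algorithms(open("package.rpm", "rb").read())` reads only the signature header, so the result reflects the signature packets rpm would verify, not the payload digests that still report OK in the output above.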
