ceph / merfi

Finds and signs files with different signing tools (gpg, rpm-sign)
MIT License

RFE: always use SHA256 digests in Release file signatures #73

Open ktdreyer opened 5 years ago

ktdreyer commented 5 years ago

Apt on Ubuntu Xenial (and newer) will warn if the Apt repo GPG signatures are SHA1 instead of SHA256.

Background links:

By default, gnupg2 has a sha1 digest algorithm.

As a workaround, a long time ago I added "digest-algo sha256" to the gpg.conf file on the local signer system, like so:

# See http://askubuntu.com/questions/819641/reprepro-signature-by-key-uses-weak-digest-algorithm-sha1
# and https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
digest-algo sha256

It would be more robust if merfi ran gpg2 with the --digest-algo SHA256 argument every time, so we did not depend on the state of the local .gpg.conf file.

ktdreyer commented 5 years ago

This might be resolved in the very latest GnuPG 2. It seems like Fedora 29 signs with SHA256 by default.