craigwblake / redline

Pure Java Rpm Library
http://redline-rpm.org
MIT License

Ability to add signature with SHA256 #155

Closed mkbaldwin closed 3 years ago

mkbaldwin commented 3 years ago

Is it possible to add a signature based on SHA256 rather than SHA1? RHEL 7 now includes these signatures by default when signing with the command line utility. Plus, these are stronger hashes required by some security policies. Is this a feature that can be added?

BClark09 commented 2 years ago

Hi, it looks like signatures are still using SHA1. Generated RPM packages report as having bad signatures on CentOS9:

[...]
warning: Signature not supported. Hash algorithm SHA1 not available.
    Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
[...]

These are fixed in ChannelWrapper.java but changing to SHA256 (or other from HashAlgorithmTags) seems to fix the issue.

https://github.com/craigwblake/redline/blob/15afff553f65e3c9d0e9d904fd1e8ce46c4d1515/src/main/java/org/redline_rpm/ChannelWrapper.java#L20

https://github.com/craigwblake/redline/blob/15afff553f65e3c9d0e9d904fd1e8ce46c4d1515/src/main/java/org/redline_rpm/ChannelWrapper.java#L126
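A pre-release check for the failure reported above, as an added example that is not part of this thread or of redline's code: it reads the hash algorithm out of an OpenPGP signature packet (RFC 4880) and labels it in the same `V4 RSA/SHA1` form that the verification output uses. It assumes the raw signature packet has already been extracted from the RPM; the function names, the `WEAK_HASHES` policy and the sample packets are constructed for illustration.

```python
# OpenPGP algorithm IDs (RFC 4880, sections 9.1 and 9.4).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}   # assumption: policy for this example


def signature_body(packet: bytes) -> bytes:
    """Strip the OpenPGP packet header and return the signature packet body."""
    if len(packet) < 2 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first, l0 = packet[0], packet[1]
    if first & 0x40:                                  # new-format header
        tag = first & 0x3F
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224 and len(packet) > 2:
            start, length = 3, ((l0 - 192) << 8) + packet[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("unsupported length encoding")
    else:                                             # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        start, length = 1 + size, int.from_bytes(packet[1:1 + size], "big")
    if tag != 2 or len(packet) < start + length:
        raise ValueError("not a complete signature packet (tag 2)")
    return packet[start:start + length]


def describe_signature(packet: bytes) -> tuple[str, bool]:
    """Return (label, is_weak), e.g. ('V4 RSA/SHA1', True)."""
    body = signature_body(packet)
    if len(body) >= 4 and body[0] == 4:
        pub, hsh = body[2], body[3]       # version, sig type, pubkey algo, hash algo
    elif len(body) >= 17 and body[0] == 3:
        pub, hsh = body[15], body[16]     # after sig type, creation time, key ID
    else:
        raise ValueError("unsupported or truncated signature packet")
    name = HASH_ALGOS.get(hsh, f"hash#{hsh}")
    return f"V{body[0]} {PUBKEY_ALGOS.get(pub, f'pk#{pub}')}/{name}", name in WEAK_HASHES


# Constructed sample packets (header fields only, zero padding instead of real MPIs).
SHA1_SIG = bytes([0x89, 0x00, 0x08, 4, 0x00, 1, 2]) + bytes(4)
SHA256_SIG = bytes([0xC2, 0x08, 4, 0x00, 1, 8]) + bytes(4)
```

A build pipeline can fail the release when `describe_signature` returns `True` as its second element, before the package reaches a host whose crypto policy rejects SHA1.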