k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Use SHA256 to sign packages instead of default SHA1 #32

Closed brandond closed 2 years ago

brandond commented 2 years ago

Related to:

vwbusguy commented 2 years ago

I tested this out by building and running the centos8 container here and then installed the rpm with dnf in a centos:stream9 container and didn't get any complaints about the signature.


For good measure, I also installed it in a centos:stream8 container and also didn't have any problem.

I could be wrong, but I don't believe you need to force v3 signatures on EL8/9 as they both ship with yum4 out of box (yum 4 is a symlink to dnf 3) and the old DSA keys aren't supported anyway as of EL8. That said, I believe this PR is likely to work as-is.

# ls -l `which yum`
lrwxrwxrwx. 1 root root 5 Mar 24 09:08 /usr/bin/yum -> dnf-3

brandond commented 2 years ago

> I could be wrong, but I don't believe you need to force v3 signatures on EL8/9 as they both ship with yum4 out of box

The problem is not the yum version that it ships with, the problem is that the rpm macros on EL8 still don't use the correct signing algs by default. So you have to override the macros to get the signatures that the same distro wants to use when installing packages.
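
Added example, not part of this PR or the k3s-selinux repository: a shell check that reports which digest a package signature actually used, so a build that still signs with SHA1 is caught before publishing. It assumes input lines of the form `name|<pgpsig>`, as produced by an rpm query format such as `%{NAME}|%{RSAHEADER:pgpsig}\n`; the package names and key IDs in the sample are constructed.

```shell
#!/bin/sh
# Classify one rpm ":pgpsig" string, e.g.
#   "RSA/SHA256, Mon 04 Apr 2022 10:12:05 AM UTC, Key ID 0000000000000001"
# Prints: ok | weak | unknown | unsigned
classify_sig() {
    sig=$1
    case $sig in
        ''|'(none)') echo unsigned; return 0 ;;   # rpm prints (none) for a missing tag
    esac
    algo=${sig%%,*}      # text before the first comma: "RSA/SHA256"
    digest=${algo#*/}    # text after the slash: "SHA256"
    case $digest in
        SHA256|SHA384|SHA512) echo ok ;;
        MD5|SHA1)             echo weak ;;
        *)                    echo unknown ;;
    esac
}

# Read "name|pgpsig" lines on stdin, print every package whose signature
# is not "ok", and return non-zero if any such package was seen.
audit_sigs() {
    bad=0
    while IFS='|' read -r name sig; do
        [ -n "$name" ] || continue
        status=$(classify_sig "$sig")
        if [ "$status" != ok ]; then
            echo "$name: $status ($sig)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample input (hypothetical package names and key IDs).
sample_report() {
    cat <<'EOF'
pkg-signed-sha256|RSA/SHA256, Mon 04 Apr 2022 10:12:05 AM UTC, Key ID 0000000000000001
pkg-signed-sha1|RSA/SHA1, Tue 01 Mar 2022 09:00:00 AM UTC, Key ID 0000000000000001
pkg-unsigned|(none)
EOF
}

# Demo run over the constructed sample; "|| true" keeps the script's own
# exit status clean when findings are reported.
sample_report | audit_sigs || true
```

In a release pipeline, feed `audit_sigs` the query output for the freshly signed RPMs and fail the job on a non-zero return.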