Open bonivi opened 10 months ago
Any plans to add SHA256 signatures?
This was added in Redline upstream and the latest releases of the plugin use this version:
https://github.com/craigwblake/redline/commit/45494bc9718ba3385edd0c747d60b1b32da8b766
> This was added in Redline upstream and the latest releases of the plugin use this version:
Is it possible this only improved on the file digests, not the RPM's GPG signature? I'm experiencing the same problem as OP, and can't see a path forward. Testing with ospackage 8.6.3 and 11.6.0, which I believe both use redline 1.2.10 (the latest).
Someone else is reporting similar directly using the redline library: https://github.com/craigwblake/redline/issues/155 Seems possible the issue lies with redline, not ospackage though. They also have a pending PR, since 2022: https://github.com/craigwblake/redline/pull/164
I initially found my GPG configuration used SHA1 to hash its own content, but I just experimented with a new GPG key after re-configuring for SHA512 and still find the RPM is produced with an RSA/SHA1 signature.
Signed RPMs report as having bad signatures on RHEL 9 and can't be installed: Looks like SHA1 is deprecated in RHEL 9 (https://access.redhat.com/articles/6846411). Can you change the signature to be based on SHA256 instead of SHA1?
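The thread distinguishes file digests from the hash used by the RPM's GPG signature itself; the latter can be read directly from the OpenPGP signature packet carried in the RPM signature header. The following is an added example, not part of the thread and not redline or ospackage code. It assumes the packet bytes have already been extracted from the package, and the sample packets are constructed (placeholder time, key ID and hash prefix).

```python
# Algorithm IDs from RFC 4880, sections 9.1 and 9.4.
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
DEPRECATED = {"SHA1"}  # the hash the thread reports RHEL 9 rejecting

def packet_body(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first OpenPGP packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header: tag in bits 5-0
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)  # 1, 2 or 4 length octets
        length = int.from_bytes(data[1:start], "big")
    if len(data) < start + length:
        raise ValueError("truncated packet")
    return tag, data[start:start + length]

def signature_algorithms(data: bytes) -> str:
    """Return 'PUBKEY/HASH' (the form quoted in the thread, e.g. RSA/SHA1)."""
    tag, body = packet_body(data)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    if body[0] == 4:    # v4: version, sig type, pubkey algo, hash algo
        pk, h = body[2], body[3]
    elif body[0] == 3:  # v3: version, 5, sig type, time(4), key id(8), pubkey, hash
        pk, h = body[15], body[16]
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return f"{PUBKEY.get(pk, pk)}/{HASH.get(h, h)}"

def uses_deprecated_hash(data: bytes) -> bool:
    return signature_algorithms(data).split("/")[1] in DEPRECATED

# Constructed sample packets: placeholder time, key ID and hash prefix, no real signature.
V4_SHA1 = bytes.fromhex("89000a" "04000102" "00000000" "abcd")
V3_SHA256 = bytes.fromhex("8813" "030500" "65000000" "0011223344556677" "0108" "abcd")
V4_SHA512_NEW = bytes.fromhex("c20a" "0400010a" "00000000" "abcd")
```

A package whose signature packet reports `RSA/SHA1` here was signed with SHA1 regardless of which digests were used for its files.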