nebula-plugins / gradle-ospackage-plugin

Gradle plugin for constructing linux packages, specifically RPM and DEBs.
Apache License 2.0

Change the signature to be based on SHA256 instead of SHA1 #432

Open bonivi opened 10 months ago

bonivi commented 10 months ago

Signed RPMs report as having bad signatures on RHEL 9 and can't be installed. Looks like SHA1 is deprecated in RHEL 9 ( https://access.redhat.com/articles/6846411 ). Can you change the signature to be based on SHA256 instead of SHA1?

```
# rpm -i package-1-1.x86_64.rpm 
warning: Signature not supported. Hash algorithm SHA1 not available.
error: package-1-1.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID daa37c10: BAD
error: package-1-1.x86_64.rpm cannot be installed
# rpm -v --checksig package-1-1.x86_64.rpm 
package-1-1.x86_64.rpm:
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
    Header V4 RSA/SHA1 Signature, key ID daa37c10: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 ALT digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA1 Signature, key ID daa37c10: BAD
    MD5 digest: OK
```

bonivi commented 8 months ago

Any plans to add SHA256 signatures?

DanielThomas commented 8 months ago

This was added in Redline upstream and the latest releases of the plugin use this version:

https://github.com/craigwblake/redline/commit/45494bc9718ba3385edd0c747d60b1b32da8b766

aldendaley commented 3 weeks ago

> This was added in Redline upstream and the latest releases of the plugin use this version:
>
> craigwblake/redline@45494bc

Is it possible this only improved on the file digests, not the RPM's GPG signature? I'm experiencing the same problem as OP, and can't see a path forward. Testing with ospackage 8.6.3 and 11.6.0, which I believe both use redline 1.2.10 (the latest).

Someone else is reporting something similar directly using the redline library: https://github.com/craigwblake/redline/issues/155 Seems possible the issue lies with redline, not ospackage though. They also have a pending PR, since 2022. https://github.com/craigwblake/redline/pull/164

I initially found my GPG configuration used SHA1 to hash its own content, but I just experimented with a new GPG key after re-configuring for SHA512 and still find the RPM is produced with RSA/SHA1 signature.
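As an added example (not from this issue, redline or ospackage), here is a check for what the `rpm --checksig` output above reports. The RPM header signature is a raw OpenPGP signature packet (the `RSAHEADER` tag; `rpm -qp --qf '%{RSAHEADER:pgpsig}\n' pkg.rpm` prints its algorithms), and the "RSA/SHA1" label comes from the packet's public-key and hash algorithm bytes. This parser reads those bytes so a build can flag SHA1-signed packages before they reach a RHEL 9 host; the sample packets are constructed, with genuine OpenPGP framing but placeholder signature bodies.

```python
"""Read the hash algorithm out of an RPM header signature (an OpenPGP signature packet)."""

# RFC 4880 algorithm registries, limited to the values seen in RPM signing.
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def parse_packet_header(pkt: bytes) -> tuple[int, int]:
    """Return (packet tag, offset of the packet body) for old- or new-format headers."""
    ctb = pkt[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the first byte is clear)")
    if ctb & 0x40:  # new format: tag in the low 6 bits, variable-size length field
        first = pkt[1]
        if first < 192:
            return ctb & 0x3F, 2
        if first < 224:
            return ctb & 0x3F, 3
        if first == 255:
            return ctb & 0x3F, 6
        raise ValueError("partial body lengths are not used for signatures")
    lentype = ctb & 0x03  # old format: tag in bits 5..2, length-field size in bits 1..0
    if lentype == 3:
        raise ValueError("indeterminate packet length")
    return (ctb >> 2) & 0x0F, 1 + (1, 2, 4)[lentype]


def signature_algorithms(pkt: bytes) -> tuple[int, str, str]:
    """Return (version, public-key algorithm, hash algorithm) of a v3 or v4 signature packet."""
    tag, off = parse_packet_header(pkt)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    version = pkt[off]
    if version == 4:    # version, sig type, pubkey algo, hash algo, ...
        pubkey, hash_id = pkt[off + 2], pkt[off + 3]
    elif version == 3:  # version, 0x05, sig type, 4-byte time, 8-byte key id, pubkey, hash
        pubkey, hash_id = pkt[off + 15], pkt[off + 16]
    else:
        raise ValueError(f"unsupported signature packet version {version}")
    return version, PUBKEY_ALGOS.get(pubkey, f"algo{pubkey}"), HASH_ALGOS.get(hash_id, f"algo{hash_id}")


def is_sha1_signature(pkt: bytes) -> bool:
    """True when the package would trip RHEL 9's SHA1 signature policy."""
    return signature_algorithms(pkt)[2] == "SHA1"


# Constructed samples: correct headers and algorithm fields, truncated placeholder bodies.
SAMPLE_V4_SHA1 = bytes([0x89, 0x00, 0x0A, 0x04, 0x00, 0x01, 0x02, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE_V4_SHA256 = bytes([0xC2, 0x0A, 0x04, 0x00, 0x01, 0x08, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE_V3_SHA1 = bytes([0x88, 0x11, 0x03, 0x05, 0x00] + [0] * 12 + [0x01, 0x02])
```

Feeding the bytes of the `RSAHEADER` tag from a freshly built package through `is_sha1_signature` answers the question raised in the last comment without installing it on a RHEL 9 host.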