Closed BClark09 closed 1 year ago
Tests with a key on CentOS Stream 9 fail:
openhab-3.3.0-1.noarch.rpm:
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 ALT digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
MD5 digest: OK
But re-signing with RPM's own tools (rpm --resign) using the same key is valid:
openhab-3.3.0-1.noarch.rpm:
Header V4 RSA/SHA512 Signature, key ID 82573a7c: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 ALT digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
Found the issue in the upstream library: These are fixed in ChannelWrapper.java, but changing to SHA256 (or another from HashAlgorithmTags) seems to fix the issue.
I've made the above change in the forked version of the redline library. Success:
build/distributions/openhab-3.3.0-1.noarch.rpm:
Header V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 ALT digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
MD5 digest: OK
I've suggested this in the relevant upstream library issue - a better change would be to allow the user to choose which signing algorithm to use, but specifying SHA256 rather than SHA1 in the custom branch will do for now.
Updated forks of upstream libraries to sign with SHA256 instead of SHA1.
Plugins/Libraries updated:
Closes #213
Signed-off-by: Ben Clark ben@benjyc.uk
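A check for the failure mode in this thread, as an added example that is not part of the original issue or of the upstream library: a shell function that reads verbose signature-check output in the format quoted above (as printed by `rpm -Kv`) and rejects a package whose signature is not OK or uses a weak hash. The name `check_rpm_sig` and the SHA1/MD5 deny list are assumptions; the two samples are abridged from the outputs in the issue.

```shell
# Added example: gate on verbose RPM signature-check output, e.g. `rpm -Kv pkg.rpm | check_rpm_sig`.
# check_rpm_sig (hypothetical name) prints one verdict per signature line, returns 1 on any reject.
# Assumed policy: SHA1 and MD5 signatures are rejected even if they verify.
check_rpm_sig() {
    awk '
    BEGIN { bad = 0; sigs = 0 }
    # e.g. "Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD"
    /Signature, key ID/ {
        sigs++
        hash = "unknown"; key = "unknown"; status = $NF
        for (i = 1; i <= NF; i++) {
            if (split($i, alg, "/") == 2) hash = alg[2]      # RSA/SHA1 -> SHA1
            if ($i == "ID" && i < NF) { key = $(i + 1); sub(/:$/, "", key) }
        }
        ok = (status == "OK" && hash != "SHA1" && hash != "MD5" && hash != "unknown")
        verdict = ok ? "accept" : "reject"
        if (!ok) bad = 1
        print verdict, hash, status, "key=" key
    }
    END {
        if (sigs == 0) { print "reject unsigned"; bad = 1 }   # no signature lines at all
        exit bad
    }'
}
sample_sha1() {    # abridged from the first output in the issue
    cat <<'EOF'
openhab-3.3.0-1.noarch.rpm:
warning: Signature not supported. Hash algorithm SHA1 not available.
Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
Header SHA256 digest: OK
V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
EOF
}
sample_sha256() {  # abridged from the output after the SHA256 change
    cat <<'EOF'
build/distributions/openhab-3.3.0-1.noarch.rpm:
Header V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
Header SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
EOF
}
sample_sha1   | check_rpm_sig || echo "SHA1-signed package rejected"
sample_sha256 | check_rpm_sig && echo "SHA256-signed package accepted"
```

Run in CI after the build step, this fails the job before a SHA1-signed package reaches a repository that CentOS Stream 9 clients install from.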