Update 3rd party libraries with large RSA key and SHA256 modifications

openhab / openhab-linuxpkg

Repo for Linux packages

Eclipse Public License 2.0

18 stars 33 forks source link

Update 3rd party libraries with large RSA key and SHA256 modifications #214

Closed BClark09 closed 1 year ago

BClark09 commented 1 year ago

Updated forks of upstream libraries to sign with SHA256 instead of SHA1.

Plugins/Libraries updated:

gradle (6.1.1 -> 7.4.2)
de.undercouch.download (4.0.4 -> 5.1.0)
ospackage-plugin (8.1.0 -> 9.1.1) (Snapshot generated from fork: add-signature-size up to 19a1fd0)
redline (1.2.9 -> 1.2.10) (Snapshot generated from fork: openhab-lib-sha256-rsa4096 up to 87f842b)

Closes #213

Signed-off-by: Ben Clark ben@benjyc.uk

BClark09 commented 1 year ago

Tests with a key on CentOS Stream 9 fail:

openhab-3.3.0-1.noarch.rpm:
warning: Signature not supported. Hash algorithm SHA1 not available.

warning: Signature not supported. Hash algorithm SHA1 not available.
    Header V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 ALT digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA1 Signature, key ID 82573a7c: BAD
    MD5 digest: OK

But resigning with RPMs own tools (rpm --resign) using the same key is valid:

openhab-3.3.0-1.noarch.rpm:
    Header V4 RSA/SHA512 Signature, key ID 82573a7c: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 ALT digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

BClark09 commented 1 year ago

Found the issue in the upstream library: These are fixed in ChannelWrapper.java but changing to SHA256 (or other from HashAlgorithmTags seems to fix the issue.

https://github.com/craigwblake/redline/blob/15afff553f65e3c9d0e9d904fd1e8ce46c4d1515/src/main/java/org/redline_rpm/ChannelWrapper.java#L20

https://github.com/craigwblake/redline/blob/15afff553f65e3c9d0e9d904fd1e8ce46c4d1515/src/main/java/org/redline_rpm/ChannelWrapper.java#L126

BClark09 commented 1 year ago

I've made the above change in the forked version of the redline library. Success:

build/distributions/openhab-3.3.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 ALT digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 8f7a0cf1: OK
    MD5 digest: OK

I've suggested this as in the relevant upstream library issue - a better change would be to allow the user to choose which signing algorithm to use, specifying SHA256 rather than SHA1 in the custom branch will do for now.