sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

signing RPMs with sha256 headers/payloads built with nfpm is not supported #35

Closed ll78912 closed 7 months ago

ll78912 commented 1 year ago

Currently, this module only works for signing RPMs that have md5/sha1 digests. The output below was generated with rpm -Kv to inspect RPMs built with fpm vs nfpm respectively.

    Header SHA1 digest: OK
    MD5 digest: OK

However, RPMs built with nfpm are built with sha256 digests:

    Header SHA256 digest: OK
    Payload SHA256 digest: OK

I have uploaded the RPM built with nfpm for your testing purpose: nfpm.zip. You can also rerun the following commands to regenerate the RPM yourself:

    nfpm package --config test.yaml --packager rpm

You can further inspect the test RPM:

    % rpm -Kv test-1.0.0.x86_64.rpm
    test-1.0.0.x86_64.rpm:
        Header SHA256 digest: OK
        Payload SHA256 digest: OK

    % rpm -qpi  test-1.0.0.x86_64.rpm
    Name        : test
    Epoch       : 0
    Version     : 1.0.0
    Release     : 1
    Architecture: x86_64
    Install Date: (not installed)
    Group       : 
    Size        : 11
    License     : MIT
    Signature   : (none)
    Source RPM  : test-1.0.0-1.src.rpm
    Build Date  : Sat Aug 26 11:48:57 2023
    Build Host  : buildkitsandbox
    Packager    : test maintainer <test.maintainer@test.com>
    Vendor      : 
    URL         : https://nfpm.goreleaser.com/
    Summary     : Test RPM generated by nFPM
    Description :
    Test RPM generated by nFPM

Please let me know if you need anything additional. Our use case here is to sign nfpm generated RPMs using the SignRpmStream method. Currently these methods assume md5 and sha1 digests by default.

If you try to sign the RPMs built with nfpm, you will get an md5 digest mismatch error under the current logic. This would be a nice feature, as the latest enterprise OS (e.g. RHEL9) defaults to sha256 checksummed RPMs.
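
As an added example (not relic's own code), a small Go check that walks the signature header and main header index of an RPM and reports which digest tags it carries, so a signing pipeline can tell an md5/sha1 package (fpm style) from a sha256 package (nfpm style) before handing it to the signer. Tag numbers come from rpm's rpmtag.h; the function names are my own, and BuildSample produces a constructed fake RPM for offline testing, not a real package.

```go
package main

import "bytes"
import "encoding/binary"
import "errors"

// Tag numbers from rpm's rpmtag.h: RPMSIGTAG_MD5/SHA1/SHA256 live in the signature header, RPMTAG_PAYLOADDIGEST in the main header.
const sigMD5, sigSHA1, sigSHA256, tagPayloadDigest uint32 = 1004, 269, 273, 5092
const headerMagic = "\x8e\xad\xe8\x01"

var be = binary.BigEndian

// DigestKinds parses the signature header and main header of an rpm and reports which digest
// tags are present; it bounds-checks every read so a truncated or non-rpm input returns an error.
func DigestKinds(rpm []byte) (map[string]bool, error) {
	var hdrs []map[uint32]bool
	for off := 96; len(hdrs) < 2; { // 96-byte lead, then signature header, then main header
		off += (8 - off%8) % 8 // each header structure starts 8-byte aligned
		if off+16 > len(rpm) || string(rpm[off:off+4]) != headerMagic {
			return nil, errors.New("missing rpm header magic")
		}
		nindex, hsize := int(be.Uint32(rpm[off+8:])), int(be.Uint32(rpm[off+12:]))
		if off+16+16*nindex+hsize > len(rpm) {
			return nil, errors.New("truncated rpm header")
		}
		tags := map[uint32]bool{}
		for i := 0; i < nindex; i++ {
			tags[be.Uint32(rpm[off+16+16*i:])] = true // first field of each 16-byte index entry is the tag
		}
		hdrs, off = append(hdrs, tags), off+16+16*nindex+hsize
	}
	sig, hdr := hdrs[0], hdrs[1]
	return map[string]bool{"md5": sig[sigMD5], "header-sha1": sig[sigSHA1],
		"header-sha256": sig[sigSHA256], "payload-sha256": hdr[tagPayloadDigest]}, nil
}

// BuildSample constructs a fake rpm (zero lead, INT32 entries) carrying the given signature and main header tags; constructed test input, not a real package.
func BuildSample(sigTags, hdrTags []uint32) []byte {
	var b bytes.Buffer
	b.Write(make([]byte, 96)) // lead: real packages carry magic and version here
	for _, tags := range [][]uint32{sigTags, hdrTags} {
		b.Write(make([]byte, (8-b.Len()%8)%8)) // 8-byte alignment before each header
		b.WriteString(headerMagic)
		binary.Write(&b, be, []uint32{0, uint32(len(tags)), uint32(4 * len(tags))}) // reserved, nindex, hsize
		for j, t := range tags {
			binary.Write(&b, be, []uint32{t, 4, uint32(4 * j), 1}) // tag, type 4 = INT32, offset, count
		}
		b.Write(make([]byte, 4*len(tags))) // data store
	}
	return b.Bytes()
}
```

Running DigestKinds over an nfpm-built package would report only header-sha256 and payload-sha256, which is exactly the case the md5/sha1 assumption trips over.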

mtharp commented 7 months ago

Fixed in v7.6.2