sublimehq / sublime_merge

Issue tracker for Sublime Merge
https://www.sublimemerge.com

rpm package crypto should be updated to sha256 #1672

Open NTMan opened 1 year ago

NTMan commented 1 year ago

Version info

Description

rpm package crypto should be updated to sha256. More details here: https://bugzilla.redhat.com/show_bug.cgi?id=2149762

Steps to reproduce

# dnf upgrade
Last metadata expiration check: 0:40:54 ago on Wed 07 Dec 2022 05:42:53 PM +05.
Dependencies resolved.
================================================================================
 Package               Architecture   Version        Repository            Size
================================================================================
Upgrading:
 sublime-merge         x86_64         2080-1         sublime-text         6.3 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 6.3 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] sublime-merge-2080-1.x86_64.rpm: Already downloaded                  
Problem opening package sublime-merge-2080-1.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

pmatilai commented 1 year ago

To clarify, the actual issue here is the key, not the signature in the rpm package. The binding signature of the key is SHA1 based, which is just insecure in this time and age:

$ sq packet dump /tmp/sublimehq-rpm-pub.gpg
Public-Key Packet, old CTB, 525 bytes
    Version: 4
    Creation time: 2017-05-08 17:54:56 UTC
    Pk algo: RSA
    Pk size: 4096 bits
    Fingerprint: 1B64279675A4299DCFC70858CA464A9A222D23D0
    KeyID: CA464A9A222D23D0

User ID Packet, old CTB, 44 bytes
    Value: Sublime HQ Pty Ltd <support@sublimetext.com>

Signature Packet, old CTB, 564 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA
    Hash algo: SHA1
    Hashed area:
      Signature creation time: 2017-05-08 17:54:56 UTC
      Key flags: CSEtErA
      Symmetric algo preferences: AES256, AES128
      Hash preferences: SHA512, SHA384, SHA256
      Compression preferences: Zlib, BZip2, Zip, Uncompressed
      Features: MDC
      Keyserver preferences: no modify
    Unhashed area:
      Issuer: CA464A9A222D23D0
    Digest prefix: B42C
    Level: 0 (signature over data)
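The check pmatilai's dump performs by eye, as an added example that is not code from the sublime_merge project or from either commenter: a dependency-free Python parser that walks an OpenPGP public key's packets the way `sq packet dump` does, finds the signatures issued by the key itself (the UID certification and subkey bindings), and reports the hash algorithm of each, rejecting SHA1 or MD5. The key it runs on is a constructed toy fixture (fake RSA numbers, a junk signature value, a made-up UID) so that it runs offline; nothing is verified cryptographically, only the algorithm identifiers from RFC 4880 are read. `read_length`, `audit_key`, `build_sample_key` and the other names are this example's own.

```python
"""Flag OpenPGP key self-signatures made with SHA1 or MD5 (added example; not code from
the sublime_merge project or the issue's participants). Walks the packet stream of a binary
or armored public key, the same packets `sq packet dump` prints, and reads only algorithm
identifiers (RFC 4880 sections 4.2, 5.2.3, 5.5.2, 9.4); no signature is verified."""
import base64, hashlib, struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_HASHES = {1, 2}                                   # MD5, SHA1
SELF_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x1F}  # UID certifications, subkey binding, direct key

def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes from binary or ASCII-armored input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    text = data.decode("ascii", "replace").replace("\r", "")
    body = text.split("\n\n", 1)[-1]                   # armor headers end at the first blank line
    b64 = [l.strip() for l in body.splitlines() if l and l[0] not in "=-"]  # drop CRC24 and END lines
    return base64.b64decode("".join(b64))

def read_length(buf: bytes, pos: int, two_octet_max: int):
    """New-style length field (packet headers: 2-octet form below 224; subpackets: below 255)."""
    first, pos = buf[pos], pos + 1
    if first < 192:
        return first, pos
    if first < two_octet_max:
        return ((first - 192) << 8) + buf[pos] + 192, pos + 1
    if first == 255:
        return struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    raise ValueError("partial body lengths are not supported")

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old-format ("old CTB" in sq) and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if (ctb & 0x80) == 0:
            raise ValueError(f"not a packet header at offset {pos - 1}")
        if ctb & 0x40:                                 # new format: 6-bit tag, new-style length
            tag = ctb & 0x3F
            length, pos = read_length(data, pos, 224)
        else:                                          # old format: 4-bit tag, 1/2/4-octet length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length

def iter_subpackets(area: bytes):
    """Yield (type, data) per signature subpacket, with the critical bit stripped."""
    pos = 0
    while pos < len(area):
        length, pos = read_length(area, pos, 255)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def key_id(pubkey_body: bytes) -> bytes:
    """v4 key ID: low 64 bits of SHA1(0x99 || 2-octet length || Public-Key packet body)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body,
                          usedforsecurity=False).digest()   # SHA1 here is an identifier, not a security check
    return digest[-8:]

def audit_key(blob: bytes) -> list:
    """Return one (sig_type, hash_name, is_self_sig, reject) tuple per v4 signature packet."""
    report, own_id = [], None
    for tag, body in iter_packets(dearmor(blob)):
        if tag == 6:                                   # Public-Key packet: remember the key's own ID
            own_id = key_id(body)
        elif tag == 2 and body[0] == 4:                # v4 Signature packet
            sig_type, hash_algo = body[1], body[3]
            unh = 6 + struct.unpack(">H", body[4:6])[0]                   # offset of unhashed-area length
            unhashed_len = struct.unpack(">H", body[unh:unh + 2])[0]
            subs = list(iter_subpackets(body[6:unh])) + list(iter_subpackets(body[unh + 2:unh + 2 + unhashed_len]))
            issuer = next((d for t, d in subs if t == 16), None)          # subpacket 16: Issuer key ID
            is_self = sig_type in SELF_SIG_TYPES and issuer == own_id
            report.append((sig_type, HASH_ALGOS.get(hash_algo, f"algo {hash_algo}"),
                           is_self, is_self and hash_algo in WEAK_HASHES))
    return report

def build_sample_key(hash_algo: int, armored: bool = False) -> bytes:
    """Constructed fixture: toy v4 RSA key + UID + PositiveCertification by that key.
    Not a real key, and the signature MPI is junk, so it would never verify."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    sub = lambda t, d: bytes([len(d) + 1, t]) + d                               # 1-octet-length subpacket
    pkt = lambda tag, body: bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old CTB
    pub = b"\x04" + struct.pack(">I", 1494265000) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
    hashed = sub(2, struct.pack(">I", 1494265000)) + sub(27, b"\x03")            # creation time, flags C|S
    unhashed = sub(16, key_id(pub))                                              # issuer = this key
    sig = (b"\x04\x13\x01" + bytes([hash_algo]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed + b"\xB4\x2C" + mpi(0x1234))
    packets = pkt(6, pub) + pkt(13, b"Example Co <ops@example.invalid>") + pkt(2, sig)
    if not armored:
        return packets
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed fixture\n\n"
            + base64.encodebytes(packets) + b"-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for label, algo in (("SHA1-bound key", 2), ("SHA256-bound key", 8)):
        for sig_type, hname, is_self, reject in audit_key(build_sample_key(algo, armored=True)):
            print(f"{label}: sig 0x{sig_type:02x} hash={hname} self={is_self} reject={reject}")
```

To run it against a real repository key, pass the file's bytes to `audit_key()`; both the raw `.gpg` form used in the dump above and an ASCII-armored `.asc` are accepted. A key laid out like the one pmatilai dumped (RSA primary, one UID, a PositiveCertification with Hash algo SHA1 and an Issuer subpacket naming the same key) would come back with `reject=True` on that certification. Two caveats: self-signatures are matched through the Issuer subpacket (type 16) only, so a signature that carries just an Issuer Fingerprint subpacket (type 33) is reported but not marked as self-issued, and the code reads the algorithm octet without verifying the signature, so it tells you what a strict crypto policy will refuse, not whether the key is otherwise valid.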