Open NTMan opened 1 year ago
To clarify, the actual issue here is the key, not the signature in the rpm package. The binding signature of the key is SHA1 based, which is just insecure in this day and age:
```
$ sq packet dump /tmp/sublimehq-rpm-pub.gpg
Public-Key Packet, old CTB, 525 bytes
    Version: 4
    Creation time: 2017-05-08 17:54:56 UTC
    Pk algo: RSA
    Pk size: 4096 bits
    Fingerprint: 1B64279675A4299DCFC70858CA464A9A222D23D0
    KeyID: CA464A9A222D23D0

User ID Packet, old CTB, 44 bytes
    Value: Sublime HQ Pty Ltd <support@sublimetext.com>

Signature Packet, old CTB, 564 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA
    Hash algo: SHA1
    Hashed area:
      Signature creation time: 2017-05-08 17:54:56 UTC
      Key flags: CSEtErA
      Symmetric algo preferences: AES256, AES128
      Hash preferences: SHA512, SHA384, SHA256
      Compression preferences: Zlib, BZip2, Zip, Uncompressed
      Features: MDC
      Keyserver preferences: no modify
    Unhashed area:
      Issuer: CA464A9A222D23D0
    Digest prefix: B42C
    Level: 0 (signature over data)
```
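The check the dump above does by hand (read the `Hash algo` field of each self-signature, not the `Hash preferences` subpacket, which only says what digests the key holder wants to receive), as an added example that is not code from the issue, from Sublime HQ or from rpm: a small RFC 4880 packet walker that lists every certification and binding signature in a public key together with the digest it was made with. The key it audits is constructed in `build_sample_key()` (a dummy RSA key with one PositiveCertification, using the dump's creation time) so it runs offline; `audit_key`, `iter_packets`, `v4_fingerprint` and the `WEAK_HASHES` policy set are this example's own names, and the policy (reject MD5, SHA-1, RIPEMD-160) is an assumption chosen to mirror the SHA-1 rejection the issue is about.

```python
"""Audit which hash algorithm an OpenPGP key's self-signatures use.

Added example (not code from the issue, from Sublime HQ or from rpm):
a minimal RFC 4880 packet walker that reports, for every certification
or binding signature in a transferable public key, the hash algorithm the
signer used.  The key it audits is constructed in build_sample_key() so
the script runs offline; for a real key, pass a binary (not armored)
.gpg file as argv[1].
"""
import hashlib
import struct
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}       # RFC 4880 9.4
WEAK_HASHES = {1, 2, 3}   # policy of this example: reject MD5/SHA-1/RIPEMD-160
SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey"}
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13


def iter_packets(blob):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError("no packet header at offset %d" % pos)
        if ctb & 0x40:                       # new-format CTB
            tag, b0 = ctb & 0x3F, blob[pos + 1]
            if b0 < 192:
                length, hdr = b0, 2
            elif b0 < 224:
                length, hdr = ((b0 - 192) << 8) + blob[pos + 2] + 192, 3
            elif b0 == 255:
                length, hdr = struct.unpack(">I", blob[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format CTB, as in the dump above
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(blob[pos + 1:pos + 1 + size], "big"), 1 + size
        body = blob[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length


def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99 || two-byte length || key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def audit_key(blob):
    """One finding per certification/binding signature: which digest signed it."""
    findings, key_fpr = [], None
    for tag, body in iter_packets(blob):
        if tag == TAG_PUBLIC_KEY and body[0] == 4:
            key_fpr = v4_fingerprint(body)
        elif tag == TAG_SIGNATURE and body[0] == 4:
            # v4 signature body: version, sig type, pk algo, hash algo, subpacket areas
            sig_type, hash_algo = body[1], body[3]
            if sig_type in SIG_TYPES:
                findings.append({"key": key_fpr, "sig_type": SIG_TYPES[sig_type],
                                 "hash": HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo),
                                 "weak": hash_algo in WEAK_HASHES})
    return findings


def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")


def _old_packet(tag, body):
    """Old-format CTB with a two-byte length, the encoding seen in the dump."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _subpacket(sp_type, data):
    return bytes([1 + len(data), sp_type]) + data


def build_sample_key(hash_algo):
    """Constructed v4 RSA key with one PositiveCertification over its user ID.
    The MPIs and digest prefix are dummies: this walker reads headers only and
    never verifies the signature, so no private key is needed."""
    created = struct.pack(">I", 1494266096)          # 2017-05-08 17:54:56 UTC
    key_body = b"\x04" + created + b"\x01" + _mpi((1 << 1023) | 0x1234) + _mpi(65537)
    uid = b"Example Packager <packager@example.invalid>"   # constructed identity
    hashed = _subpacket(2, created) + _subpacket(27, b"\x03")      # creation time, flags CS
    unhashed = _subpacket(16, bytes.fromhex(v4_fingerprint(key_body)[-16:]))  # issuer
    sig = (b"\x04\x13\x01" + bytes([hash_algo])
           + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed
           + b"\x00\x00" + _mpi(1 << 1000))        # digest prefix, signature MPI (dummies)
    return (_old_packet(TAG_PUBLIC_KEY, key_body) + _old_packet(TAG_USER_ID, uid)
            + _old_packet(TAG_SIGNATURE, sig))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_key(2)
    for f in audit_key(blob):
        print("%s %s signed with %s%s" % (f["key"][-16:], f["sig_type"], f["hash"],
                                        "  <-- rejected by policy" if f["weak"] else ""))
```

Run it against the binary export of a signing key (`gpg --export KEYID > key.gpg`, then `python3 audit.py key.gpg`); any `weak` finding on a certification or subkey binding means the key itself, not just a given package signature, needs to be re-signed with a SHA-2 digest before a SHA-1-rejecting policy will accept it.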
Version info
Description
rpm package crypto should be updated to sha256
More details here: https://bugzilla.redhat.com/show_bug.cgi?id=2149762
Steps to reproduce