sublimehq / sublime_text

Issue tracker for Sublime Text
https://www.sublimetext.com

The binding signature of the key is SHA1 based, which is just insecure in this time and age #5787

Open NTMan opened 1 year ago

NTMan commented 1 year ago

Description of the bug

rpm package crypto should be updated to sha256. More details here: https://bugzilla.redhat.com/show_bug.cgi?id=2149762

Steps to reproduce

# dnf upgrade --refresh
local repo                                      3.0 MB/s | 3.0 kB     00:00    
Copr repo for openvpn3 owned by dsommers        4.9 kB/s | 3.3 kB     00:00    
Copr repo for gnome-info-collect owned by vstan 4.9 kB/s | 3.3 kB     00:00    
Fedora rawhide openh264 (From Cisco) - x86_64   2.9 kB/s | 989  B     00:00    
Fedora - Rawhide - Developmental packages for t  19 kB/s |  12 kB     00:00    
Fedora - Rawhide - Debug                         37 kB/s |  12 kB     00:00    
Fedora - Modular Rawhide - Developmental packag  20 kB/s |  16 kB     00:00    
Fedora - Modular Rawhide - Debug                 23 kB/s |  15 kB     00:00    
google-chrome-unstable                          6.9 kB/s | 1.3 kB     00:00    
RPM Fusion for Fedora Rawhide - Free             28 kB/s | 8.0 kB     00:00    
RPM Fusion for Fedora Rawhide - Free - Debug     32 kB/s | 8.1 kB     00:00    
RPM Fusion for Fedora Rawhide - Nonfree          15 kB/s | 8.1 kB     00:00    
RPM Fusion for Fedora Rawhide - Nonfree - Debug  32 kB/s | 8.2 kB     00:00    
Scooter Software                                3.9 kB/s | 2.9 kB     00:00    
Sublime Text - x86_64 - Dev                     4.5 kB/s | 2.9 kB     00:00    
Dependencies resolved.
================================================================================
 Package              Architecture   Version         Repository            Size
================================================================================
Upgrading:
 sublime-text         x86_64         4144-1          sublime-text          19 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total size: 19 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] sublime-text-4144-1.x86_64.rpm: Already downloaded                   
Problem opening package sublime-text-4144-1.x86_64.rpm
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

# rpm -Uvh /home/mikhail/Downloads/sublime-text-4145-1.x86_64.rpm
error: /home/mikhail/Downloads/sublime-text-4145-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 222d23d0: BAD
error: /home/mikhail/Downloads/sublime-text-4145-1.x86_64.rpm cannot be installed

# rpm -Uvh --nosignature /home/mikhail/Downloads/sublime-text-4145-1.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:sublime-text-4145-1              ################################# [ 50%]
Cleaning up / removing...
   2:sublime-text-4141-1              ################################# [100%]

Expected behavior

can't update sublime text

Actual behavior

sublime text should be updated without any issues

Sublime Text build number

4146

Operating system & version

Linux Fedora Rawhide

(Linux) Desktop environment and/or window manager

Gnome 43.1

Additional information

No response

OpenGL context information

No response

NTMan commented 1 year ago

The same bug for sublime merge https://github.com/sublimehq/sublime_merge/issues/1672
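
An added example, not part of the issue and not Sublime HQ or Fedora code: a minimal OpenPGP packet walker that reports which signatures in a de-armored key use a weak digest such as SHA1, the condition named in the issue title. The bytes in `SAMPLE` are constructed and carry no real signature, and only v4 signature packets are inspected.

```python
# Added example: constructed data, not the Sublime HQ key.
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}   # RFC 4880 section 9.4
WEAK = {"MD5", "SHA1", "RIPEMD160"}
SIG_TYPES = {0x10: "generic certification", 0x13: "positive certification",
             0x18: "subkey binding", 0x19: "primary key binding", 0x1F: "direct key"}

def packets(data):
    """Yield (tag, body) for each packet in binary (de-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def weak_signatures(data):
    """Return (signature type, hash) for every v4 signature using a weak digest."""
    found = []
    for tag, body in packets(data):
        if tag != 2 or len(body) < 4 or body[0] != 4:   # signature packets, v4 only
            continue
        name = HASHES.get(body[3], f"unknown({body[3]})")
        if name in WEAK:
            found.append((SIG_TYPES.get(body[1], hex(body[1])), name))
    return found

def _sig(sig_type, hash_id):
    # Constructed v4 body: version, type, RSA, hash id, empty subpacket areas, dummy MPI.
    return bytes([4, sig_type, 1, hash_id]) + b"\x00\x00\x00\x00\xab\xcd\x00\x01\x01"

# Constructed sample: a SHA256 self-certification followed by a SHA1 subkey binding.
SAMPLE = b"\x88\x0d" + _sig(0x13, 8) + b"\xc2\x0d" + _sig(0x18, 2)

if __name__ == "__main__":
    print(weak_signatures(SAMPLE))
```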