Since 8d5c48b, xbps has used a sha1 ASN1 prefix with a sha256 hash, and as of openssl v3, openssl cares about this. This works around that in a compatible way by moving to a second sig file, `binpkg.sig2`.

For `xbps-remove -O` and `xbps-rindex -r`, also clean up obsolete `.sig` files.

Tested

- `xbps-rindex -S` of a package to generate a `.sig2`
- `xbps-rindex -r` of a package with both `.sig` and `.sig2`
- `xbps-remove -O` of a package with both `.sig` and `.sig2` in cache
- `xbps-install` of a package with a `.sig2`
- upgrade of xbps with this patch applied works (requires a couple minor changes to rebase and apply cleanly on 0.59.1)
- upgrading openssl to v3 and using xbps with it (see this branch)

This will require

- an external signing utility that can sign new versions of xbps with the old signature format to allow for installation of the fixed version (like this)
- probably some manual intervention for initially signing all packages with the new `.sig2`

Questions

- should old `.sig`s be removed from the repos?
- are there any infra implications that will need to be updated to deal with the new `.sig2` files? downstream mirrors filtering their rsyncs?
closes #544 fixes #531 fixes #480
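As an added illustration (not xbps code) of the mismatch the first paragraph describes: a small PKCS#1 v1.5 DigestInfo encoder and parser that pairs a SHA-256 digest with the SHA-1 algorithm identifier, and the consistency check a strict verifier such as OpenSSL 3 applies to it. The OIDs come from RFC 8017; the package bytes being hashed are constructed for the example.

```python
import hashlib

# DER-encoded OID contents for the two hash algorithms involved (RFC 8017, appendix B.1).
OID_SHA1 = bytes.fromhex("2b0e03021a")
OID_SHA256 = bytes.fromhex("608648016503040201")
# Declared algorithm -> (name, digest length a verifier must see)
DIGEST_LEN = {OID_SHA1: ("sha1", 20), OID_SHA256: ("sha256", 32)}


def _tlv(tag, value):
    """Encode one DER TLV; every length in a DigestInfo fits the short form (< 128)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def build_digest_info(oid, digest):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }.
    The encoding itself is well-formed DER even when the OID says SHA-1 and the
    digest is 32 bytes long, which is exactly the pairing old xbps emitted."""
    alg_id = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x04, digest))


def _read_tlv(buf, pos, tag):
    """Read one short-form DER TLV at pos; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length = buf[pos + 1]
    if length >= 0x80 or pos + 2 + length > len(buf):
        raise ValueError("bad DER length")
    return buf[pos + 2:pos + 2 + length], pos + 2 + length


def check_digest_info(di):
    """Parse a DigestInfo; return (declared hash name, digest length matches it)."""
    seq, end = _read_tlv(di, 0, 0x30)
    if end != len(di):
        raise ValueError("trailing data after DigestInfo")
    alg, pos = _read_tlv(seq, 0, 0x30)
    oid, p = _read_tlv(alg, 0, 0x06)
    null, p = _read_tlv(alg, p, 0x05)
    if null or p != len(alg):
        raise ValueError("malformed AlgorithmIdentifier")
    digest, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing data inside DigestInfo")
    name, expected = DIGEST_LEN.get(oid, ("unknown", None))
    return name, expected == len(digest)


def classify_package_digest(data, oid):
    """SHA-256 the (constructed) package bytes and wrap them with the given OID."""
    return check_digest_info(build_digest_info(oid, hashlib.sha256(data).digest()))
```

With `OID_SHA1` the result is `("sha1", False)`: the old `.sig` layout, which OpenSSL 3 rejects; with `OID_SHA256` it is `("sha256", True)`, the consistent form the new `.sig2` moves to.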