
RUN-1688: Please do not use SHA-1 when signing RPMs #487

Open
atsonkov opened this issue Feb 7, 2023 · 0 comments

atsonkov commented Feb 7, 2023

The key itself (found here? https://raw.githubusercontent.com/rundeck/packaging/main/pubring.gpg) seems to be 4096 bit RSA, using SHA-512 digest, but the RPMs signed by it still use SHA-1 for the signature (which I think is default on RHEL 7).

The problem is that SHA-1 is considered weak and is disabled by default in RHEL9.

Example:
```
# rpm -qi -p rundeck-cli-2.0.4-1.noarch.rpm
warning: rundeck-cli-2.0.4-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID e5d5a125: NOKEY
Name        : rundeck-cli
Epoch       : 0
Version     : 2.0.4
Release     : 1
...
Signature   : RSA/SHA1, Fri 03 Feb 2023 06:13:49 PM MET, Key ID d1d32028e5d5a125
...
```

One possible solution would be explicitly requesting a stronger digest-algo for the signature (e.g. by adding `--digest-algo sha512` to the `%__gpg_sign_cmd` in the `.rpmmacros` configuration file), but this depends on the release pipeline.

@gschueler gschueler changed the title Please do not use SHA-1 when signing RPMs RUN-1688: Please do not use SHA-1 when signing RPMs Oct 9, 2023
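Added example, not from the issue or the Rundeck packaging repo: a small POSIX shell audit that classifies the digest algorithm of an RPM's signature, so a pipeline or a consumer can fail on SHA-1-signed packages before they reach a RHEL 9 host. It assumes rpm's `pgpsig` formatting as shown in the issue output (`RSA/SHA1, <date>, Key ID <id>`) and that the `RSAHEADER` tag carries the header signature; `audit_rpm` needs `rpm` installed, while the classifier functions work on plain strings.

```shell
#!/bin/sh
# Audit RPM signature digests and flag weak ones (SHA1, MD5).
# Assumption: signature strings look like "RSA/SHA1, Fri 03 Feb 2023 ..., Key ID d1d32028e5d5a125".

WEAK_DIGESTS='MD5|SHA1'

# digest_of "RSA/SHA512, ..." -> prints "SHA512"; prints "none" for "(none)" or empty input
digest_of() {
    case "$1" in
        ''|'(none)') printf 'none\n' ;;
        *) printf '%s\n' "$1" | sed -E 's#^[A-Za-z0-9]+/([A-Za-z0-9]+).*#\1#' ;;
    esac
}

# sig_digest_is_weak "<pgpsig string>" -> exit 0 if the digest is SHA1/MD5, 1 otherwise
sig_digest_is_weak() {
    printf '%s\n' "$1" | grep -Eq "^[A-Za-z0-9]+/(${WEAK_DIGESTS})([, ]|$)"
}

# classify_sig "<pgpsig string>" -> prints "unsigned", "weak" or "ok"
classify_sig() {
    case "$(digest_of "$1")" in
        none) printf 'unsigned\n' ;;
        *) if sig_digest_is_weak "$1"; then printf 'weak\n'; else printf 'ok\n'; fi ;;
    esac
}

# audit_rpm FILE -> prints "<file> <digest> <verdict>"; exit 1 when weak or unsigned.
# Uses rpm's header signature tag (RSAHEADER, assumed) without verifying the key itself.
audit_rpm() {
    sig=$(rpm -qp --nosignature --qf '%{RSAHEADER:pgpsig}' "$1" 2>/dev/null)
    verdict=$(classify_sig "$sig")
    printf '%s %s %s\n' "$1" "$(digest_of "$sig")" "$verdict"
    [ "$verdict" = ok ]
}

# Usage: sh audit.sh *.rpm  (only when invoked directly with arguments)
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_rpm "$f" || rc=1; done
    exit "$rc"
fi
```

Running it against the package from the issue would report `SHA1 weak`; a package signed with `--digest-algo sha512` reports `SHA512 ok`.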