We finally updated our private OBS installation to 2.8 (on Leap 42.2) and our default GPG key to an 4096 RSA key. Debian Release files were still using sha1 hashes (after rebuilding the packages) :( After digging around in the code we found the reason for it: - https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_si... - https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_pu... Only for project specific GPG keys the type of the key is checked and if it is an RSA key, "-h sha256" is passed to sign. For the default key it is never passed and therefore sha1 is still used as hashing algorithm, even if the key is RSA. We added now a temporary else clause unconditionally adding "-h sha256", for the default GPG key. Either a config in BSConfig.php or a check of the default key in a central place would of cause make more sense. How to proceed from here? Ralf -- Ralf Becker EGroupware GmbH [www.egroupware.org] Handelsregister HRB Kaiserslautern 3587 Geschäftsführer Birgit und Ralf Becker Leibnizstr. 17, 67663 Kaiserslautern, Germany Telefon +49 631 31657-0