Mailinglist Archive: opensuse-buildservice (99 mails)

[opensuse-buildservice] OBS does NOT support sha256 hashes on the default GPG key
We finally updated our private OBS installation to 2.8 (on Leap 42.2)
and our default GPG key to a 4096 RSA key.

Debian Release files were still using sha1 hashes (after rebuilding the
packages) :(

After digging around in the code we found the reason for it:

- https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_signer#L386

- https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_publish#L1813

Only for project-specific GPG keys is the type of the key checked, and if
it is an RSA key, "-h sha256" is passed to sign. For the default key it
is never passed and therefore sha1 is still used as the hashing algorithm,
even if the key is RSA.

We have now added a temporary else clause that unconditionally adds
"-h sha256" for the default GPG key.

Either a config in BSConfig.php or a check of the default key in a
central place would of course make more sense.

How to proceed from here?

Ralf

--
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Commercial register: HRB Kaiserslautern 3587
Managing directors: Birgit and Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Phone +49 631 31657-0
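
A check for the symptom reported in the message above, as an added example (not part of the original post and not OBS code): it reads the hash algorithm ID straight from the OpenPGP signature packet in an armored `Release.gpg` or `InRelease` file, so a repository can be tested for SHA1 signatures after a signer change. The function names are hypothetical, and `make_sample` builds a constructed, truncated packet for demonstration, not a real signature.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Return the binary packets of the first armored signature in text."""
    lines = [l.strip() for l in text.splitlines()]
    begin = lines.index("-----BEGIN PGP SIGNATURE-----")
    block = lines[begin + 1:lines.index("-----END PGP SIGNATURE-----", begin)]
    if "" in block:                      # armor headers end at the blank line
        block = block[block.index("") + 1:]
    return base64.b64decode("".join(l for l in block if not l.startswith("=")))

def signature_hashes(data):
    """List the hash algorithm of every signature packet (tag 2) in data."""
    pos, found = 0, []
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                   # new-format packet header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                hdr, length = 2, first
            elif first < 224:
                hdr, length = 3, ((first - 192) << 8) + data[pos + 2] + 192
            elif first == 255:
                hdr, length = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body lengths are not handled")
        else:                            # old-format packet header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            hdr = 1 + (1 << ltype)       # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if tag == 2:
            # v3 keeps the hash ID at offset 16, v4 and later at offset 3
            hash_id = body[16] if body[0] == 3 else body[3]
            found.append(HASH_ALGOS.get(hash_id, f"unknown({hash_id})"))
        pos += hdr + length
    return found

def make_sample(hash_id):
    """Constructed, truncated v4 RSA signature packet (not a real signature)."""
    body = bytes([4, 0x00, 1, hash_id]) + bytes(4) + b"\xab\xcd"
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

Calling `signature_hashes(dearmor(open("Release.gpg").read()))` on a published repository returns `["SHA1"]` while the default key is still signed without "-h sha256".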

