
Hi all, hi Michael,

On Fri, 2 Sep 2016 14:24:06 +0200 Michael Schroeder <mls@suse.de> wrote:
> On Fri, Sep 02, 2016 at 01:53:59PM +0200, Stefan Botter wrote:
> > Hi Michael,
> >
> > On Fri, 2 Sep 2016 11:27:08 +0200 Michael Schroeder <mls@suse.de> wrote:
> > > On Thu, Sep 01, 2016 at 05:46:08PM +0200, Stefan Botter wrote:
> > > > osc signkey --extend terminates with
> > > > Server returned an error: HTTP Error 400: Bad Request
> > > > /usr/bin/sign: 256
> > > > a closer look in src_server.log shows an additional line
> > > > self-sig is not made with sha1 :
> > >
> > > I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.
> >
> > Thank you for your reply, that sounds promising, but I am afraid I am not sure where to put the "-h sha265".
>
> Into the sign call in the extendkey sub in bs_srcserver. I.e. change it from
>
> open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");
>
> to
>
> open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-h', 'sha256', '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");

I want to follow this request up with the solution: Michael has kindly extended obs-sign(d) to deal with keys with sha hash algo other than sha256, these are now converted to sha256.

I had more or less thoughtlessly created a gpg.conf in obs' gnupg directory forcing the hash algorithm to sha512, which worked so far, until the key expired. Extending did not work, but with Michael's changes this works now. The relevant change is in GitHub and is dated Sep 9th.

Thank you again, Michael!

Greetings,

Stefan
-- 
Stefan Botter zu Hause
Bremen
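
Added example (not part of the original mail and not the obs-sign code): the failure in this thread hinged on which digest the key's self-signature uses, so this Python code reads the hash algorithm of the certification signatures in a binary (non-armored) OpenPGP key, following the RFC 4880 packet layout. The function names and the SAMPLE_KEY bytes are constructed for illustration; certifications made by other keys are not filtered out.

```python
HASH_NAMES = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
              9: "sha384", 10: "sha512", 11: "sha224"}

def packets(data):
    """Yield (tag, body) per OpenPGP packet; partial lengths are rejected."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % i)
        i += 1
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                     # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def cert_sig_hashes(key_bytes):
    """Hash names of all certification signatures (types 0x10 to 0x13)."""
    found = []
    for tag, body in packets(key_bytes):       # tag 2 = signature packet
        if tag == 2 and len(body) >= 4 and body[0] == 4:
            sigtype, algo = body[1], body[3]   # v4: hash id is octet 3
        elif tag == 2 and len(body) >= 17 and body[0] == 3:
            sigtype, algo = body[2], body[16]  # v3: hash id is octet 16
        else:
            continue
        if 0x10 <= sigtype <= 0x13:
            found.append(HASH_NAMES.get(algo, "unknown(%d)" % algo))
    return found

# Constructed sample: key stub, user ID "obs", v4 self-sig header (0x13, SHA-512).
SAMPLE_KEY = (bytes([0x99, 0x00, 0x02, 0x04, 0x00]) + bytes([0xCD, 0x03]) + b"obs"
              + bytes([0xC2, 0x04, 0x04, 0x13, 0x01, 0x0A]))
```

Running cert_sig_hashes() over an exported _pubkey shows whether a gpg.conf override such as the sha512 one mentioned above ended up in the self-signature.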