OBS does NOT support sha256 hashes on the default GPG key


Ralf Becker-2
We finally updated our private OBS installation to 2.8 (on Leap 42.2)
and our default GPG key to a 4096 RSA key.

Debian Release files were still using sha1 hashes (after rebuilding the
packages) :(

After digging around in the code we found the reason for it:

- https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_signer#L386
- https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_publish#L1813

Only for project specific GPG keys the type of the key is checked and if
it is an RSA key, "-h sha256" is passed to sign. For the default key it
is never passed and therefore sha1 is still used as hashing algorithm,
even if the key is RSA.

We have now added a temporary else clause that unconditionally adds
"-h sha256" for the default GPG key.

Either a config in BSConfig.php or a check of the default key in a
central place would of course make more sense.

How to proceed from here?

Ralf

--
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 631 31657-0



Re: OBS does NOT support sha256 hashes on the default GPG key

Carsten Höger
Hi,

> On 10. Aug 2017, at 9:10 , Ralf Becker <[hidden email]> wrote:
>
> We finally updated our private OBS installation to 2.8 (on Leap 42.2)
> and our default GPG key to a 4096 RSA key.
>
> Debian Release files were still using sha1 hashes (after rebuilding the
> packages) :(

[...]

> Either a config in BSConfig.php or a check of the default key in a
> central place would of course make more sense.
>
> How to proceed from here?

Just add

hash: sha256

to /etc/sign.conf

--

kind regards,
Carsten Hoeger
Professional Services



Email: [hidden email]


-----------------------------------------------------------------------------------------
Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein
Chairman of the Board: Richard Seibt

European Office:
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Directors: Frank Hoberg, Martin Kauss

US Office:
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
------------------------------------------------------------------------------------------


Re: OBS does NOT support sha256 hashes on the default GPG key

Henne Vogelsang-2
In reply to this post by Ralf Becker-2
Hey Ralf,

On 10.08.2017 09:10, Ralf Becker wrote:

> How to proceed from here?

1. Send a pull-request to the github repository proposing your
    solution[1]
2. Discuss with the developers and get it merged
3. SUCCESS :-)

Henne

[1]
https://github.com/openSUSE/open-build-service/blob/master/CONTRIBUTING.md

--
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
        - Mike Tyson