Created
August 15, 2016 14:28
-
-
Save jhunt/363da89f44228984ae2786598772e442 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [builder@b582d798647a tmp]$ curl -LO http://pkg.niftylogic.com/centos/el5/x86_64/bolo-0.2.18-1.nifty1.x86_64.rpm | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 76645 100 76645 0 0 657k 0 --:--:-- --:--:-- --:--:-- 712k | |
| [builder@b582d798647a tmp]$ rpm -K bolo-0.2.18-1.nifty1.x86_64.rpm | |
| bolo-0.2.18-1.nifty1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK | |
| [builder@b582d798647a tmp]$ rpm -Kv bolo-0.2.18-1.nifty1.x86_64.rpm | |
| bolo-0.2.18-1.nifty1.x86_64.rpm: | |
| Header V3 RSA/SHA1 Signature, key ID 7b576eff: OK | |
| Header SHA1 digest: OK (2ee537ef7e3b335788c8e26f863211ce92ad8c73) | |
| V3 RSA/SHA1 Signature, key ID 7b576eff: OK | |
| MD5 digest: OK (dda3091d932fe5e3ce83c55116f6098d) |
I do. Both it and SHA1 were broken 11 years ago: https://www.schneier.com/blog/archives/2005/06/more_md5_collis.html https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
le sigh, centos 5. le sigh.
Thanks
Do you recommend hacking the gpg.conf to get >SHA1, or do you prefer using the --digest-algo in the %__gpg_sign_cmd RPM macro (via ~/.rpmmacros)?
@teancom: ^^
I prefer to modify .rpmmacros purely for personal reasons (I keep that in sync across build envs moreso than my gpg.conf) but whatever fits best for you.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@teancom you refer to line 12 for the MD5 digest / fingerprint?
Using https://hub.docker.com/r/rpmbuild/centos6 for reference