Linux Archive > Gentoo > Gentoo Development
07-06-2012, 03:32 PM
Ulrich Mueller

Default hash algorithm for Manifest signing

Hi all,

After the SHA1 hashes have been banned from our Manifest files [1],
the question arose in #gentoo-portage if the default algorithm used
for manifest signing should also be changed to something different
from SHA1 (which is still the GnuPG default). According to the table
in section 14 of RFC 4880 [2], SHA256 looks like a reasonable choice
for key sizes of 2048 to 4096 bits.

However, I remember that there used to be some problems with SHA256
and DSA keys. Before we add "--digest-algo SHA256" to the default
PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
feedback if it works without problems. So, could some volunteers
please add the following line to their make.conf:

PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --clearsign --yes --digest-algo SHA256 --default-key "${PORTAGE_GPG_KEY}" --homedir "${PORTAGE_GPG_DIR}" "${FILE}""

and report back if this causes any trouble with manifest signing?

Thanks,
Ulrich

[1] <http://permalink.gmane.org/gmane.linux.gentoo.devel.announce/1679>
[2] <http://www.ietf.org/rfc/rfc4880.txt>
 
07-06-2012, 04:53 PM
Mike Frysinger

Default hash algorithm for Manifest signing

On Friday 06 July 2012 11:32:22 Ulrich Mueller wrote:
> However, I remember that there used to be some problems with SHA256
> and DSA keys. Before we add "--digest-algo SHA256" to the default
> PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
> feedback if it works without problems.

a lot of files in the tree are already signed with SHA256 and SHA512

$ find /usr/portage/ -name Manifest -exec head -2 {} + |
grep Hash: | sort | uniq -c
5669 Hash: SHA1
3598 Hash: SHA256
2034 Hash: SHA512
-mike
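Counting the "Hash:" armor header, as in the find/grep pipeline above, tells you what the signer announced, not what the signature actually uses: RFC 4880 section 7 says the header is only a hint for the verifier (and that an absent header means MD5), while the authoritative digest is the hash-algorithm octet inside the signature packet (section 5.2.3). The script below is an added example, not Portage's or Gentoo's code, and is the check I would run before and after changing PORTAGE_GPG_SIGNING_COMMAND: it parses a clearsigned Manifest, reads both the armor header and the packet, and reports whether they agree and whether the digest meets the SHA256/SHA512 policy the thread proposes. The `ACCEPTABLE` set, the Manifest entry and the minimal (unverifiable) signature packet built by `make_sample` are constructed for the example; only v4 signatures are handled.

```python
"""Audit the digest algorithm of clearsigned Gentoo Manifest files (added example)."""
import base64

# RFC 4880 section 9.4 hash algorithm IDs and their armor-header names.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs (subset).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
# Policy assumed for this example: the default the thread proposes.
ACCEPTABLE = {"SHA256", "SHA512"}

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (armor header dict, raw signature packet bytes)."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("not a clearsigned document")
    headers = {}
    i = 1
    while lines[i]:                       # armor headers end at the blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    sig = lines[lines.index(BEGIN_SIG) + 1:lines.index(END_SIG)]
    j = sig.index("") if "" in sig else -1            # skip "Version:" etc.
    b64 = "".join(l for l in sig[j + 1:] if not l.startswith("="))  # drop CRC24 line
    return headers, base64.b64decode(b64)


def signature_digest(packet):
    """Return (pubkey algo name, hash algo name) from a v4 signature packet."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header, RFC 4880 4.2.2
        tag = first & 0x3F
        length = packet[1]
        if length < 192:
            body = packet[2:]
        elif length < 224:
            body = packet[3:]
        elif length == 255:
            body = packet[6:]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header, RFC 4880 4.2.1
        tag = (first >> 2) & 0x0F
        body = packet[{0: 2, 1: 3, 2: 5, 3: 1}[first & 0x03]:]
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    version, _sigtype, pk_algo, hash_algo = body[:4]
    if version != 4:
        raise ValueError("only v4 signatures handled, got v%d" % version)
    return (PUBKEY_ALGOS.get(pk_algo, "algo-%d" % pk_algo),
            HASH_ALGOS.get(hash_algo, "algo-%d" % hash_algo))


def audit(text):
    """Compare the armor header with the packet and apply the policy."""
    headers, packet = split_clearsigned(text)
    pk_algo, actual = signature_digest(packet)
    declared = headers.get("Hash", "MD5")  # no header means MD5, RFC 4880 sec. 7
    return {"declared": declared, "actual": actual, "pubkey": pk_algo,
            "consistent": declared == actual, "acceptable": actual in ACCEPTABLE}


def make_sample(hash_header, hash_id, pk_id=17, new_format=False):
    """Constructed clearsigned Manifest with a minimal, unverifiable v4 signature packet."""
    body = bytes([4, 0x01, pk_id, hash_id])   # version, canonical-text sig, pubkey algo, hash algo
    body += b"\x00\x00" + b"\x00\x00"         # empty hashed and unhashed subpacket areas
    body += b"\xab\xcd" + b"\x00\x08\xff"     # left 16 bits of hash, one dummy 8-bit MPI
    header = bytes([0xC2 if new_format else 0x88, len(body)])
    hash_line = "Hash: %s\n" % hash_header if hash_header else ""
    return (BEGIN_MSG + "\n" + hash_line + "\n"
            + "DIST foo-1.0.tar.gz 1234 SHA256 " + "ab" * 32 + "\n"   # constructed entry
            + BEGIN_SIG + "\nVersion: GnuPG v2\n\n"
            + base64.b64encode(header + body).decode() + "\n=AAAA\n"  # CRC line is a placeholder
            + END_SIG + "\n")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, audit(fh.read()))
```

Pointed at a real tree (for instance `find /usr/portage -name Manifest -exec python3 manifest_digest_audit.py {} +`, the script name being mine), a `consistent: False` result means the armor header and the packet disagree, which gpg would reject at verification time, and `acceptable: False` flags files still signed with SHA1 whatever their header says.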
 
07-07-2012, 12:52 PM
Chema Alonso

Default hash algorithm for Manifest signing

On Fri, Jul 06, 2012 at 05:32:22PM +0200, Ulrich Mueller wrote:
> Hi all,
>
...
>
> However, I remember that there used to be some problems with SHA256
> and DSA keys. Before we add "--digest-algo SHA256" to the default
> PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
> feedback if it works without problems. So, could some volunteers
> please add the following line to their make.conf:
>
...
>

Just committed some stuff with the proposed line in my make.conf.
Everything fine here.

Regards.