After the SHA1 hashes have been banned from our Manifest files [1],
the question arose in #gentoo-portage if the default algorithm used
for manifest signing should also be changed to something different
from SHA1 (which is still the GnuPG default). According to the table
in section 14 of RFC 4880 [2], SHA256 looks like a reasonable choice
for key sizes of 2048 to 4096 bits.
However, I remember that there used to be some problems with SHA256
and DSA keys. Before we add "--digest-algo SHA256" to the default
PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
feedback if it works without problems. So, could some volunteers
please add the following line to their make.conf:
On Friday 06 July 2012 11:32:22 Ulrich Mueller wrote:
> However, I remember that there used to be some problems with SHA256
> and DSA keys. Before we add "--digest-algo SHA256" to the default
> PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
> feedback if it works without problems.
A lot of files in the tree are already signed with SHA256 and SHA512.
On Fri, Jul 06, 2012 at 05:32:22PM +0200, Ulrich Mueller wrote:
> Hi all,
>
...
>
> However, I remember that there used to be some problems with SHA256
> and DSA keys. Before we add "--digest-algo SHA256" to the default
> PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for
> feedback if it works without problems. So, could some volunteers
> please add the following line to their make.conf:
>
...
>
Just committed some stuff with the proposed line in my make.conf.
Everything fine here.
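One way to check what the proposed "--digest-algo SHA256" setting actually produced, as an added example that is not code from this thread, from Portage or from GnuPG: a small Python parser that reads the public key and hash algorithm identifiers out of an OpenPGP signature packet (RFC 4880 sections 4.2, 5.2.2, 5.2.3, 9.1 and 9.4) and compares the hash algorithm with the "Hash:" armor header of a clearsigned Manifest. The signature packets and the Manifest text below are constructed for the example; the DIST digest and the CRC24 line are placeholders and the dummy MPIs would not verify against any key.

```python
import base64
import re

# Algorithm identifiers from RFC 4880 sections 9.1 (public key) and 9.4 (hash).
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet (RFC 4880 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                        # new-format header
        tag = first & 0x3F
        first_len = data[1]
        if first_len < 192:
            return tag, 2, first_len
        if first_len < 224:
            return tag, 3, ((first_len - 192) << 8) + data[2] + 192
        if first_len == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not supported")
    tag = (first >> 2) & 0x0F               # old-format header
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if length_type == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate packet length is not supported")


def signature_algorithms(packet):
    """Return (public key algorithm, hash algorithm) names of a signature packet (tag 2)."""
    tag, offset, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature packet" % tag)
    body = packet[offset:offset + length]
    version = body[0]
    if version == 4:     # 5.2.3: version, sig type, pk algo, hash algo, subpackets ...
        pk, hash_id = body[2], body[3]
    elif version == 3:   # 5.2.2: version, 0x05, sig type, time(4), key id(8), pk algo, hash algo
        pk, hash_id = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return (PUBKEY_ALGOS.get(pk, "pk-algo-%d" % pk),
            HASH_ALGOS.get(hash_id, "hash-algo-%d" % hash_id))


def check_clearsigned_manifest(text):
    """Return (declared 'Hash:' header, key algorithm, hash used by the signature, consistent)."""
    header = re.search(r"^Hash: (\S+)$", text, re.M)
    declared = header.group(1) if header else None
    block = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                      text, re.S)
    if block is None:
        raise ValueError("no PGP SIGNATURE block found")
    # Keep only the base64 body: drop armor headers ("Version: ...") and the "=XXXX" CRC24 line.
    lines = [ln.strip() for ln in block.group(1).splitlines()]
    b64 = "".join(ln for ln in lines if ln and ":" not in ln and not ln.startswith("="))
    pk, hash_name = signature_algorithms(base64.b64decode(b64))
    return declared, pk, hash_name, declared == hash_name


# Constructed sample: version-4 DSA (0x11) signature over canonical text (type 0x01) with
# SHA256 (0x08), no subpackets, hash prefix 0xabcd, and dummy 1-bit MPIs for r and s.
SAMPLE_DSA_SHA256 = bytes.fromhex("8810" "04011108" "0000" "0000" "abcd" "000101" "000101")
# Same layout with RSA (0x01) and SHA1 (0x02), the GnuPG default digest the thread discusses.
SAMPLE_RSA_SHA1 = bytes.fromhex("8810" "04010102" "0000" "0000" "abcd" "000101" "000101")

# Constructed clearsigned Manifest; the DIST digest and the CRC line are placeholders.
SAMPLE_MANIFEST = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n\n"
    "DIST example-1.0.tar.gz 12345 SHA256 " + "0" * 64 + "\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v2.0.19 (GNU/Linux)\n\n"
    + base64.b64encode(SAMPLE_DSA_SHA256).decode() + "\n"
    "=AAAA\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(check_clearsigned_manifest(SAMPLE_MANIFEST))   # ('SHA256', 'DSA', 'SHA256', True)
    print(signature_algorithms(SAMPLE_RSA_SHA1))          # ('RSA', 'SHA1')
```

On a real Manifest, read the file and pass its text to check_clearsigned_manifest; the stock way to see the same fields is "gpg --list-packets" on the file. A mismatch between the "Hash:" header and the packet, or a packet still showing SHA1 after the make.conf change, means the signing command did not take effect. One caveat worth knowing when testing with DSA keys: DSA truncates the message digest to the bit length of the group order q (FIPS 186-3), so with a 1024-bit DSA key (160-bit q) only the leftmost 160 bits of SHA256 enter the signature, even though the packet records SHA256 as the hash algorithm.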