From 2473d5963b8034d705cf79b942063f0d820a51ae Mon Sep 17 00:00:00 2001
From: Dmitry Burmistrov
Date: Fri, 3 Mar 2017 12:48:10 +0400
Subject: [PATCH] [publisher] Use sha512 digests

Switch using sha512 digest instead of sha1 according to https://wiki.debian.org/Teams/Apt/Sha1Removal

Change-Id: Ibd155798698905b6115a2e3cd0694dd13ffa72f1
---
 perestroika/publisher.v5/publish-deb-binaries.sh | 10 +++++-----
 perestroika/publisher.v5/publish-rpm-binaries.sh | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/perestroika/publisher.v5/publish-deb-binaries.sh b/perestroika/publisher.v5/publish-deb-binaries.sh
index ca2cce9..93f5408 100755
--- a/perestroika/publisher.v5/publish-deb-binaries.sh
+++ b/perestroika/publisher.v5/publish-deb-binaries.sh
@@ -95,7 +95,7 @@ main() {
 rm -f ${release_file}.gpg
 # ReSign Release file
 [ -n "${SIGN_STRING}" ] \
- && gpg --sign --local-user ${SIGKEYID} -ba \
+ && gpg --sign --digest-algo SHA512 --local-user ${SIGKEYID} -ba \
 -o ${release_file}.gpg ${release_file}
 done
 job_lock ${CONFIGDIR}.lock unset
@@ -188,8 +188,8 @@ main() {
 retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${_release_file}.gpg" "$SIGKEYID" "$_release_file"
 retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$_inrelease_file" "$SIGKEYID" "$_release_file"
 else
- gpg --sign --local-user "$SIGKEYID" -ba -o "${_release_file}.gpg" "$_release_file"
- gpg --sign --local-user "$SIGKEYID" --clearsign -o "$_inrelease_file" "$_release_file"
+ gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" -ba -o "${_release_file}.gpg" "$_release_file"
+ gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" --clearsign -o "$_inrelease_file" "$_release_file"
 fi
 fi
 done
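Review bot: In publish-deb-binaries.sh at @@ -95, the added gpg line still passes `${SIGKEYID}` unquoted and its continuation line passes `${release_file}` unquoted, while the gpg calls touched at @@ -188 and @@ -215 quote both; the two added lines in publish-rpm-binaries.sh at @@ -243 have the same gap with `${SIGKEYID}` and `${LOCAL_REPO_PATH}`. In a signing command, word splitting or globbing of either value changes which key or file gpg is handed. Since the line is being edited anyway, quote it: `&& gpg --sign --digest-algo SHA512 --local-user "${SIGKEYID}" -ba \` followed by `-o "${release_file}.gpg" "${release_file}"`. The enclosing loop in main() starts outside the hunk.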
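Review bot: Only the local-gpg `else` branch at @@ -188 gains `--digest-algo SHA512`; the `_sigul ... sign-data` and `_sigul ... sign-text` calls in the other branch are unchanged, so the digest used for sigul-signed Release and InRelease files is whatever that path selects. `_sigul` is defined outside the hunk, so this may already be handled elsewhere, but as shown the commit moves only one of the two signing paths off SHA-1; the same holds at @@ -215 and in publish-rpm-binaries.sh at @@ -243. If the sigul side is configured separately, a comment above the `else` would record that, for example `# sigul path: digest algorithm is not set here, see <sigul server config>`.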
@@ -215,8 +215,8 @@ main() {
 retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$inrelease_file" "$SIGKEYID" "$release_file"
 retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_ADMIN" get-public-key "${SIGKEYID}" > "${pub_key_file}.tmp"
 else
- gpg --sign --local-user "$SIGKEYID" -ba -o "${release_file}.gpg" "$release_file"
- gpg --sign --local-user "$SIGKEYID" --clearsign -o "$inrelease_file" "$release_file"
+ gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" -ba -o "${release_file}.gpg" "$release_file"
+ gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" --clearsign -o "$inrelease_file" "$release_file"
 gpg -o "${pub_key_file}.tmp" --armor --export "$SIGKEYID"
 fi
 if diff -q ${pub_key_file} ${pub_key_file}.tmp &>/dev/null ; then
diff --git a/perestroika/publisher.v5/publish-rpm-binaries.sh b/perestroika/publisher.v5/publish-rpm-binaries.sh
index ea1e6ca..20c82e6 100755
--- a/perestroika/publisher.v5/publish-rpm-binaries.sh
+++ b/perestroika/publisher.v5/publish-rpm-binaries.sh
@@ -243,8 +243,8 @@ EOL
 retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.asc" "${SIGKEYID}" "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.xml"
 done
 else
- gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
- gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
+ gpg --armor --digest-algo SHA512 --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
+ gpg --armor --digest-algo SHA512 --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
 fi
 [ -f "RPM-GPG-KEY" ] && cp RPM-GPG-KEY ${LOCAL_REPO_PATH}/RPM-GPG-KEY-${PROJECT_NAME}${PROJECT_VERSION}
 fi
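Review bot: Nothing in publish-deb-binaries.sh at @@ -215 checks that the signatures written by either branch actually use SHA-512, so a fallback to a weaker digest (for instance from the unchanged sigul branch) would be published unnoticed. A clearsigned file names its digest in the armor header, so a check after the closing `fi` is cheap: `grep -q '^Hash: SHA512' "$inrelease_file" || exit 1`. The same check would fit `$_inrelease_file` at @@ -188. The surrounding `if` starts outside the hunk, so how main() prefers to report such a failure is not visible here.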
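Review bot: With the two lines added in publish-rpm-binaries.sh at @@ -243, the digest is hard-coded at seven separate gpg call sites across both scripts, so a signing call added later without the flag silently falls back to gpg's default. GnuPG's manual recommends `--personal-digest-preferences` over `--digest-algo` for selecting the digest; putting `personal-digest-preferences SHA512` in the signing user's gpg.conf would keep the policy in one place and cover every call. If the per-call flag is kept, a short comment at the first use would help, for example `# SHA-1 signatures are rejected by apt, see https://wiki.debian.org/Teams/Apt/Sha1Removal`. The enclosing `if`/`else` starts outside the hunk.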