[publisher] Use sha512 digests

Switch to using the sha512 digest instead of sha1, according to
   https://wiki.debian.org/Teams/Apt/Sha1Removal

Change-Id: Ibd155798698905b6115a2e3cd0694dd13ffa72f1
Dmitry Burmistrov 2017-03-03 12:48:10 +04:00
parent 6e55657e4d
commit 6899ba3c59
2 changed files with 7 additions and 7 deletions


@ -95,7 +95,7 @@ main() {
rm -f ${release_file}.gpg
# ReSign Release file
[ -n "${SIGN_STRING}" ] \
&& gpg --sign --local-user ${SIGKEYID} -ba \
&& gpg --sign --digest-algo SHA512 --local-user ${SIGKEYID} -ba \
-o ${release_file}.gpg ${release_file}
done
job_lock ${CONFIGDIR}.lock unset
@ -188,8 +188,8 @@ main() {
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${_release_file}.gpg" "$SIGKEYID" "$_release_file"
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$_inrelease_file" "$SIGKEYID" "$_release_file"
else
gpg --sign --local-user "$SIGKEYID" -ba -o "${_release_file}.gpg" "$_release_file"
gpg --sign --local-user "$SIGKEYID" --clearsign -o "$_inrelease_file" "$_release_file"
gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" -ba -o "${_release_file}.gpg" "$_release_file"
gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" --clearsign -o "$_inrelease_file" "$_release_file"
fi
fi
done
@ -215,8 +215,8 @@ main() {
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-text -o "$inrelease_file" "$SIGKEYID" "$release_file"
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_ADMIN" get-public-key "${SIGKEYID}" > "${pub_key_file}.tmp"
else
gpg --sign --local-user "$SIGKEYID" -ba -o "${release_file}.gpg" "$release_file"
gpg --sign --local-user "$SIGKEYID" --clearsign -o "$inrelease_file" "$release_file"
gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" -ba -o "${release_file}.gpg" "$release_file"
gpg --sign --digest-algo SHA512 --local-user "$SIGKEYID" --clearsign -o "$inrelease_file" "$release_file"
gpg -o "${pub_key_file}.tmp" --armor --export "$SIGKEYID"
fi
if diff -q ${pub_key_file} ${pub_key_file}.tmp &>/dev/null ; then
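Review bot: The `_sigul ... sign-data` and `sign-text` calls in the second and third hunks are unchanged, so only the local-gpg fallback is forced to SHA512; the digest of a sigul-made signature is presumably decided on the signing server, which this diff does not show, and should be confirmed there (the same applies to the `sign-data` call in the second file). The first hunk also still passes `${SIGKEYID}` and `${release_file}` unquoted, unlike the other two hunks. A post-sign check such as `gpg --list-packets "${release_file}.gpg"` (expecting `digest algo 10`) would catch either signing path falling back to SHA-1. The enclosing `main()` starts and ends outside these hunks.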


@ -243,8 +243,8 @@ EOL
retry -c4 -s1 _sigul "$KEY_PASSPHRASE" -u "$SIGUL_USER" sign-data --armor -o "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.asc" "${SIGKEYID}" "${LOCAL_REPO_PATH}/${TYPE}/repodata/repomd.xml"
done
else
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
gpg --armor --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
gpg --armor --digest-algo SHA512 --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml
gpg --armor --digest-algo SHA512 --local-user ${SIGKEYID} --detach-sign ${LOCAL_REPO_PATH}/Source/repodata/repomd.xml
fi
[ -f "RPM-GPG-KEY" ] && cp RPM-GPG-KEY ${LOCAL_REPO_PATH}/RPM-GPG-KEY-${PROJECT_NAME}${PROJECT_VERSION}
fi
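Review bot: The two rewritten `gpg --detach-sign` lines still expand `${SIGKEYID}` and `${LOCAL_REPO_PATH}` unquoted, so an empty `SIGKEYID` would make gpg take `--detach-sign` as the key id instead of failing cleanly; quoting both, e.g. `--local-user "${SIGKEYID}" --detach-sign "${LOCAL_REPO_PATH}/x86_64/repodata/repomd.xml"`, matches the sigul branch above. That branch signs per `${TYPE}` inside a loop whose list is outside the hunk, while the gpg branch hardcodes `x86_64` and `Source`. If the two lists ever differ, a repodata directory could be published without a refreshed signature, so iterating over the same list would be safer. The enclosing block starts outside the hunk.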