
Installers signed and hashed with algo like >=SHA256 #344

Closed
otto-jonyer opened this issue Dec 15, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@otto-jonyer

Is your feature request related to a problem?

Our customer requires us to have all RPM installers signed and hashed with a strong hashing algorithm like SHA256. Otherwise we are not compliant.

Describe a solution you would like

Installers signed and hashed with SHA256 or stronger.

Describe alternatives you have considered

N/A

Additional context

US Department of Defense and many other customers are security aware and want to protect their deployments.

otto-jonyer added the enhancement label Dec 15, 2021
@alvdavi
Contributor

alvdavi commented Dec 15, 2021

Hi,

All our rpms are signed with our GPG key. We are signing with a 4096-bit RSA key using SHA256 signatures.

$ rpm -qpi java-1.8.0-amazon-corretto-devel-1.8.0_312.b07-1.x86_64.rpm  | grep Signature
Signature   : RSA/SHA256, Thu Oct 14 21:16:31 2021, Key ID a122542ab04f24e3

You can quickly check that a122542ab04f24e3 matches our KeyID (as long as you ignore the casing):

$ curl -s https://yum.corretto.aws/corretto.key | gpg --keyid-format 0xlong
pub  4096R/0xA122542AB04F24E3 2019-12-05 Amazon Services LLC (Amazon Corretto release) <corretto-team@amazon.com>

@benty-amzn
Contributor

See also corretto-17 #29

@otto-jonyer
Author

otto-jonyer commented Dec 16, 2021

I am sorry that the problem description was not accurate:
The file digest algorithm is the critical one (rpm -qp --qf "%{FILEDIGESTALGO}").

Our customer requires the file digest to be SHA256 instead of MD5. Otherwise we are not compliant.

We use the following setting in .rpmmacros file:
%_binary_filedigest_algorithm 8

But as far as I can see, the nebula ospackage plugin does not support this option yet.
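The two checks raised in this thread, the signature hash from `rpm -qpi` (alvdavi's comment) and the file digest algorithm from `%{FILEDIGESTALGO}` (the comment above), can be combined into one audit script. The script below is an added example and is not code from the thread or from the Corretto project. It assumes the numeric `FILEDIGESTALGO` values are the OpenPGP hash-algorithm IDs rpm stores (1 = MD5, 2 = SHA1, 8 = SHA256, 9 = SHA384, 10 = SHA512), that rpm prints `(none)` when the tag is absent and then falls back to MD5, and it uses the Key ID quoted in the thread (A122542AB04F24E3) only as the default expected value; the mapping and the unsigned/MD5 handling are tested on constructed strings so the helpers run without rpm installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Corretto project:
# audit an RPM for the two properties discussed above, the file digest
# algorithm (FILEDIGESTALGO) and the signature hash ("RSA/SHA256, ...").
# Assumption: the numeric FILEDIGESTALGO values are the OpenPGP hash-algorithm
# IDs (RFC 4880) rpm stores: 1=MD5, 2=SHA1, 8=SHA256, 9=SHA384, 10=SHA512,
# and a package with no FILEDIGESTALGO tag is treated by rpm as MD5.

# Map a FILEDIGESTALGO id to a name. Empty or "(none)" means the tag is absent.
digest_algo_name() {
  case "$1" in
    ""|"(none)"|1) echo MD5 ;;
    2)  echo SHA1 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Returns 0 (true) when the digest id is SHA-256 or stronger, 1 otherwise.
digest_is_compliant() {
  case "$1" in
    8|9|10) return 0 ;;
    *)      return 1 ;;
  esac
}

# Takes the "Signature   : ..." line printed by `rpm -qpi` and returns 0 when
# the signature hash is SHA-256 or stronger; "(none)", MD5 and SHA1 fail.
signature_is_compliant() {
  case "$1" in
    *"/SHA256,"*|*"/SHA384,"*|*"/SHA512,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the hex Key ID from the signature line, lowercased for comparison.
signature_keyid() {
  printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Case-insensitive comparison of the package's Key ID with an expected one;
# an "0x" prefix, as printed by `gpg --keyid-format 0xlong`, is stripped.
keyid_matches() {
  want=$(printf '%s\n' "$2" | sed 's/^0[xX]//' | tr 'A-Z' 'a-z')
  [ "$(signature_keyid "$1")" = "$want" ]
}

# Run all checks on a real .rpm file; needs rpm installed. Prints a report and
# returns 0 only when digest, signature hash and Key ID all pass.
check_rpm() {
  pkg="$1"; want_keyid="$2"; status=0
  algo=$(rpm -qp --qf '%{FILEDIGESTALGO}' "$pkg" 2>/dev/null)
  sig=$(rpm -qpi "$pkg" 2>/dev/null | grep '^Signature')
  echo "file digest : $(digest_algo_name "$algo")"
  digest_is_compliant "$algo" || { echo "  FAIL: file digest weaker than SHA256"; status=1; }
  echo "signature   : ${sig#*: }"
  signature_is_compliant "$sig" || { echo "  FAIL: signature hash weaker than SHA256"; status=1; }
  keyid_matches "$sig" "$want_keyid" || { echo "  FAIL: Key ID does not match $want_keyid"; status=1; }
  return $status
}

# Usage: sh check_rpm.sh package.rpm [EXPECTED_KEYID]
# The default Key ID is the one quoted in this thread for the Corretto key.
if [ -n "${1:-}" ]; then
  check_rpm "$1" "${2:-A122542AB04F24E3}"
fi
```

A package signed with a strong key can still ship MD5 file digests, which is exactly the gap this thread is about, so the script reports the digest and the signature separately rather than treating "signed" as sufficient.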

@lutkerd
Contributor

lutkerd commented Dec 16, 2021

Hi,
It looks like the underlying tool that the ospackage plugin uses, red-line, is now FIPS compliant and uses SHA256, see craigwblake/redline@9c85270

We will have to update our build to use a newer version of the plugin, at least v8.6.1. https://github.com/nebula-plugins/gradle-ospackage-plugin/releases/tag/v8.6.1

@benty-amzn
Contributor

This is fixed in #345 and RPMs should use SHA256 for digest after the Q1 2022 release.
