| 1 |
Hi all, |
| 2 |
|
| 3 |
After the SHA1 hashes have been banned from our Manifest files [1], |
| 4 |
the question arose in #gentoo-portage if the default algorithm used |
| 5 |
for manifest signing should also be changed to something different |
| 6 |
from SHA1 (which is still the GnuPG default). According to the table |
| 7 |
in section 14 of RFC 4880 [2], SHA256 looks like a reasonable choice |
| 8 |
for key sizes of 2048 to 4096 bits. |
| 9 |
|
| 10 |
However, I remember that there used to be some problems with SHA256 |
| 11 |
and DSA keys. Before we add "--digest-algo SHA256" to the default |
| 12 |
PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for |
| 13 |
feedback if it works without problems. So, could some volunteers |
| 14 |
please add the following line to their make.conf: |
| 15 |
|
| 16 |
PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --clearsign --yes --digest-algo SHA256 --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\"" |
| 17 |
|
| 18 |
and report back if this causes any trouble with manifest signing? |
| 19 |
|
| 20 |
Thanks, |
| 21 |
Ulrich |
| 22 |
|
| 23 |
[1] <http://permalink.gmane.org/gmane.linux.gentoo.devel.announce/1679> |
| 24 |
[2] <http://www.ietf.org/rfc/rfc4880.txt> |
Archives