1 |
Hi all, |
2 |
|
3 |
After the SHA1 hashes have been banned from our Manifest files [1], |
4 |
the question arose in #gentoo-portage if the default algorithm used |
5 |
for manifest signing should also be changed to something different |
6 |
from SHA1 (which is still the GnuPG default). According to the table |
7 |
in section 14 of RFC 4880 [2], SHA256 looks like a reasonable choice |
8 |
for key sizes of 2048 to 4096 bits. |
9 |
|
10 |
However, I remember that there used to be some problems with SHA256 |
11 |
and DSA keys. Before we add "--digest-algo SHA256" to the default |
12 |
PORTAGE_GPG_SIGNING_COMMAND in make.globals, I'd like to ask for |
13 |
feedback if it works without problems. So, could some volunteers |
14 |
please add the following line to their make.conf: |
15 |
|
16 |
PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --clearsign --yes --digest-algo SHA256 --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\"" |
17 |
|
18 |
and report back if this causes any trouble with manifest signing? |
19 |
|
20 |
Thanks, |
21 |
Ulrich |
22 |
|
23 |
[1] <http://permalink.gmane.org/gmane.linux.gentoo.devel.announce/1679> |
24 |
[2] <http://www.ietf.org/rfc/rfc4880.txt> |