My gpg.conf contains:

personal-digest-preferences SHA512

but when I commit I see it signed as SHA256. Recent example:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/x11-terms/rxvt-unicode/Manifest?revision=1.293&view=markup

Checking the tree, there are no Manifests signed with SHA512 and portage-2.1.11.50, so it is probably a common bug, not mine.
It's overridden by the default PORTAGE_GPG_SIGNING_COMMAND from /usr/share/portage/config/make.globals:

PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\""

It was also discussed in the "Default hash algorithm for Manifest signing" thread here:

http://gentoo.2317880.n4.nabble.com/Default-hash-algorithm-for-Manifest-signing-td45398.html
(In reply to comment #1)
> It's overridden by the default PORTAGE_GPG_SIGNING_COMMAND from
> /usr/share/portage/config/make.globals:
>
> PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign
> --yes
> --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\"
> \"\${FILE}\""
>
> It was also discussed in the "Default hash algorithm for Manifest signing"
> thread here:
>
> http://gentoo.2317880.n4.nabble.com/Default-hash-algorithm-for-Manifest-
> signing-td45398.html

Ok, I guess portage should use SHA256 when the user preference is e.g. SHA1, but if I have SHA512 it should be respected.
I guess we'll need a way to query that value from gpg, so that we can add the --digest-algo SHA256 arguments conditionally.
(In reply to comment #3)
> I guess we'll need a way to query that value from gpg, so that we can add
> the --digest-algo SHA256 arguments conditionally.

A quick fix would be to use:

gpg --sign --digest-algo ${ALGO}

where the default ALGO is SHA256 except if someone declares it in the make.conf.
(In reply to comment #4)
> A quick fix would be to use:
>
> gpg --sign --digest-algo ${ALGO}
>
> where the default ALGO is SHA256 except if someone declares it in the
> make.conf.

So, you want to add another variable for the algorithm? You can already override PORTAGE_GPG_SIGNING_COMMAND in make.conf, so we don't necessarily need another variable.
(In reply to comment #5)
> So, you want to add another variable for the algorithm? You can already
> override PORTAGE_GPG_SIGNING_COMMAND in make.conf, so we don't necessarily
> need another variable.

That's theoretically right, so I have 2 choices:

1) Declare the entire PORTAGE_GPG_SIGNING_COMMAND in make.conf
2) Declare PORTAGE_GPG_SIGNING_COMMAND="${PORTAGE_GPG_SIGNING_COMMAND} --digest-algo SHA512"

With the first I'm unable to track the changes that will be made to the default, and the second completely does not sign the manifest. What do you suggest?
I'd like to add a PORTAGE_GPG_DIGEST_ALGO variable.
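An added example (shell written for this thread, not portage's own code) of how a developer can confirm which digest a clearsigned Manifest actually carries, and of composing the make.globals signing command with a PORTAGE_GPG_DIGEST_ALGO override that defaults to SHA256 as proposed above. The Manifest text is constructed and its signature body is a placeholder; the PORTAGE_GPG_DIGEST_ALGO variable is the one proposed in this thread, not an existing portage setting.

```shell
#!/bin/sh
# Example check for the digest used in a clearsigned Manifest.
# Not portage code; PORTAGE_GPG_DIGEST_ALGO is the variable proposed in this bug.

# Print the digest named in the "Hash:" armor header of a clearsigned file.
# gpg writes this header from the --digest-algo it actually used, so it is the
# ground truth regardless of what gpg.conf's personal-digest-preferences says.
manifest_digest_algo() {
    sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/{
        s/^Hash: *//p
    }' "$1"
}

# Compose the signing command as make.globals does, but take the digest from
# the first argument, then PORTAGE_GPG_DIGEST_ALGO, then the SHA256 default.
signing_command() {
    algo="${1:-${PORTAGE_GPG_DIGEST_ALGO:-SHA256}}"
    printf 'gpg --sign --digest-algo %s --clearsign --yes --default-key "${PORTAGE_GPG_KEY}" --homedir "${PORTAGE_GPG_DIR}" "${FILE}"' "$algo"
}

# Compare the digest found in FILE against the one the developer expects.
check_manifest() {
    want="$1"; file="$2"
    got=$(manifest_digest_algo "$file")
    if [ "$got" = "$want" ]; then
        echo "$file: signed with $got"; return 0
    fi
    echo "$file: expected $want, found ${got:-no Hash header}" >&2; return 1
}

# Constructed sample Manifest (placeholder signature, not a real one).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST rxvt-unicode-9.16.tar.bz2 0 SHA256 0000 WHIRLPOOL 0000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

(signature body omitted)
-----END PGP SIGNATURE-----
EOF

check_manifest SHA256 "$SAMPLE"
echo "command with override: $(signing_command SHA512)"
```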
repoman support has been removed per bug 835013. Please file a new bug (or, I suppose, reopen this one) if you feel this check is still applicable to pkgcheck and doesn't already exist.