Bug 496790

Summary: Use SHA2 instead of SHA1 for signing of portage snapshots
Product: Gentoo Infrastructure
Reporter: Thomas Bettler <thomas.bettler>
Component: Other
Assignee: Gentoo Infrastructure <infra-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: alexander, tdalman
Priority: Normal
Version: unspecified
Hardware: All
OS: All
URL: http://www.apache.org/dev/openpgp.html#sha1
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Bettler 2014-01-02 16:54:30 UTC
Actual result:
The portage snapshots are pgp signed with 4096 bit key 0xDB6B8C1F96D8BF6D providing the resulting SHA1 signature.

$ gpg -v --homedir /etc/portage/gpg/ --verify portage-20140101.tar.xz.gpgsig portage-20140101.tar.xz
gpg: armor header: Version: GnuPG v2.0.22 (GNU/Linux)
gpg: Signature made Thu 02 Jan 2014 01:55:03 AM CET using RSA key ID C9189250
gpg: using subkey C9189250 instead of primary key 96D8BF6D
gpg: using PGP trust model
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"
gpg: binary signature, digest algorithm SHA1

Expected result:
Use of a SHA2 signature to harden portage distribution via emerge-webrsync.
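The report spots the weak digest by reading gpg's human-readable "digest algorithm SHA1" line. A consumer of the snapshots can enforce the same point mechanically. The script below is an added example, not part of this bug or of Gentoo's emerge-webrsync tooling: it reads GnuPG's machine-readable --status-fd stream, takes the hash-algorithm id from the VALIDSIG line (field layout as documented in GnuPG's doc/DETAILS), and accepts the signature only when that id is a SHA-2 member. The status streams it runs over are constructed samples with made-up fingerprints, not output from the real snapshot key; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or Gentoo's tooling): reject a
# snapshot whose signature was made over SHA1, using GnuPG's machine-readable
# status output instead of the human-readable "digest algorithm SHA1" line.
#
# Real-world usage (gpg writes status lines to the fd given to --status-fd):
#   gpg --homedir /etc/portage/gpg/ --status-fd 1 --verify \
#       portage-20140101.tar.xz.gpgsig portage-20140101.tar.xz 2>/dev/null \
#     | check_sig_digest
#
# VALIDSIG field layout (from GnuPG's doc/DETAILS):
#   [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expire> <sigver> <reserved>
#            <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
# so with awk's default whitespace splitting the hash algorithm id is field 10.

# RFC 4880 hash algorithm ids -> names.
hash_algo_name() {
  case "$1" in
    1)  echo MD5 ;;
    2)  echo SHA1 ;;
    3)  echo RIPEMD160 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Reads a status stream on stdin. Prints "digest: <name>" and returns
#   0  signature valid and made over a SHA-2 digest (ids 8-11)
#   1  signature valid but the digest is not SHA-2 (e.g. SHA1, as in the report)
#   2  no VALIDSIG line at all: the signature did not verify, so the digest
#      is never consulted
check_sig_digest() {
  algo=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $10; exit }')
  if [ -z "$algo" ]; then
    echo "error: no VALIDSIG status line; signature not verified" >&2
    return 2
  fi
  name=$(hash_algo_name "$algo")
  echo "digest: $name"
  case "$algo" in
    8|9|10|11) return 0 ;;
    *) echo "error: rejecting signature made over $name" >&2; return 1 ;;
  esac
}

# Constructed sample status streams (fingerprints and uids are made up, not
# the real snapshot key). Field 10 of VALIDSIG is 2 (SHA1) in the first
# sample and 10 (SHA512) in the second; the third never reaches VALIDSIG.
SAMPLE_SHA1='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Snapshot Signing Key (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-01-02 1388624103 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_SHA512='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Snapshot Signing Key (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-01-02 1388624103 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Snapshot Signing Key (constructed)'

# Stand-alone demonstration over the constructed samples.
demo() {  # $1 = label, $2 = status stream
  if printf '%s\n' "$2" | check_sig_digest; then rc=0; else rc=$?; fi
  echo "sample $1 -> exit $rc"
}
demo SHA1 "$SAMPLE_SHA1"
demo SHA512 "$SAMPLE_SHA512"
demo BADSIG "$SAMPLE_BADSIG"
```

The check is keyed on VALIDSIG rather than GOODSIG because only VALIDSIG carries the algorithm ids, and it refuses anything without a VALIDSIG line at all, so a tampered snapshot is rejected before the digest policy is even evaluated. On the signing side the fix this bug asks for is a signer-side setting: GnuPG's --digest-algo or --personal-digest-preferences (for example SHA512) selects the digest used when the automated key signs the snapshot.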