Bug 496790 - Use SHA2 instead of SHA1 for signing of portage snapshots
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All All
Importance: Normal normal with 1 vote
Assignee: Gentoo Infrastructure
URL: http://www.apache.org/dev/openpgp.htm...
Reported: 2014-01-02 16:54 UTC by Thomas Bettler
Modified: 2018-02-11 17:52 UTC

Description Thomas Bettler 2014-01-02 16:54:30 UTC
Actual result:
The portage snapshots are PGP-signed with the 4096-bit key 0xDB6B8C1F96D8BF6D, providing the resulting SHA1 signature.

$ gpg -v --homedir /etc/portage/gpg/ --verify portage-20140101.tar.xz.gpgsig portage-20140101.tar.xz
Version: GnuPG v2.0.22 (GNU/Linux)
gpg: armor header: 
gpg: Signature made Thu 02 Jan 2014 01:55:03 AM CET using RSA key ID C9189250
gpg: using subkey C9189250 instead of primary key 96D8BF6D
gpg: using PGP trust model
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"
gpg: binary signature, digest algorithm SHA1

Expected result:
Use of a SHA2 signature to harden portage distribution via emerge-webrsync.
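
A client-side check for the condition reported above, as an added example that is not part of the bug report or of Gentoo's tooling: it reads `gpg -v --verify` text output and rejects signatures whose digest algorithm is outside a SHA-2 allow-list. The function names, the allow-list and the return codes are assumptions of this example; the SHA1 sample is the output quoted in the report and the SHA512 sample is constructed from it.

```shell
#!/bin/sh
# Added example: policy check over `gpg -v --verify` text output.
# Assumes gpg messages in the C/English locale, as in the report.

# Hypothetical policy: only SHA-2 digests are acceptable.
ALLOWED_DIGESTS="SHA224 SHA256 SHA384 SHA512"

# sig_digest: print the digest algorithm named in gpg -v output on stdin.
# Tolerates the trailing ", key algorithm ..." that newer gpg appends.
sig_digest() {
    sed -n 's/^gpg: .*signature, digest algorithm \([A-Za-z0-9]*\).*$/\1/p' |
        head -n 1
}

# check_sig_policy: read gpg -v output on stdin.
# Returns 0 = good signature with allowed digest,
#         1 = no "Good signature" line,
#         2 = good signature but weak or unrecognised digest.
check_sig_policy() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from ' || return 1
    digest=$(printf '%s\n' "$out" | sig_digest)
    for ok in $ALLOWED_DIGESTS; do
        [ "$digest" = "$ok" ] && return 0
    done
    return 2
}

# Output quoted in the report (signature made with SHA1).
SAMPLE_SHA1='gpg: Signature made Thu 02 Jan 2014 01:55:03 AM CET using RSA key ID C9189250
gpg: using subkey C9189250 instead of primary key 96D8BF6D
gpg: using PGP trust model
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"
gpg: binary signature, digest algorithm SHA1'

# Constructed variant: the same output with a SHA512 digest line.
SAMPLE_SHA512=$(printf '%s\n' "$SAMPLE_SHA1" |
    sed 's/algorithm SHA1$/algorithm SHA512/')

# Demo: show the digest and policy result for both samples.
for s in "$SAMPLE_SHA1" "$SAMPLE_SHA512"; do
    rc=0
    printf '%s\n' "$s" | check_sig_policy || rc=$?
    echo "digest=$(printf '%s\n' "$s" | sig_digest) policy_rc=$rc"
done
```

The text output parsed here is locale-dependent; gpg's `--status-fd` interface reports the same information in machine-readable form, with the hash algorithm as a numeric field of the `VALIDSIG` line.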