signing RPMs with sha256 headers/payloads built with nfpm is not supported #35

Closed
ll78912 opened this issue Sep 2, 2023 · 1 comment

ll78912 commented Sep 2, 2023

Currently, this module only works for signing RPMs that have md5/sha1 digests. The output below was generated with rpm -Kv to inspect RPMs built with fpm vs nfpm respectively.

    Header SHA1 digest: OK
    MD5 digest: OK

However, RPMs built with nfpm have sha256 digests:

    Header SHA256 digest: OK
    Payload SHA256 digest: OK

I have uploaded the RPM built with nfpm for your testing purpose: nfpm.zip. You can also rerun the following commands to regenerate the RPM yourself:

    nfpm package --config test.yaml --packager rpm

You can further inspect the test RPM:

    % rpm -Kv test-1.0.0.x86_64.rpm
    test-1.0.0.x86_64.rpm:
        Header SHA256 digest: OK
        Payload SHA256 digest: OK

    % rpm -qpi  test-1.0.0.x86_64.rpm
    Name        : test
    Epoch       : 0
    Version     : 1.0.0
    Release     : 1
    Architecture: x86_64
    Install Date: (not installed)
    Group       :
    Size        : 11
    License     : MIT
    Signature   : (none)
    Source RPM  : test-1.0.0-1.src.rpm
    Build Date  : Sat Aug 26 11:48:57 2023
    Build Host  : buildkitsandbox
    Packager    : test maintainer <test.maintainer@test.com>
    Vendor      :
    URL         : https://nfpm.goreleaser.com/
    Summary     : Test RPM generated by nFPM
    Description :
    Test RPM generated by nFPM

Please let me know if you need anything additional. Our use case here is to sign nfpm-generated RPMs using the SignRpmStream method. Currently these methods assume md5 and sha1 digests by default.

If you try to sign the RPMs built with nfpm, you will get an md5 digest mismatch error under the current logic. This would be a nice feature, as the latest enterprise OSes (e.g. RHEL9) default to sha256-checksummed RPMs.

mtharp commented Feb 7, 2024

Fixed in v7.6.2

@mtharp mtharp closed this as completed Feb 7, 2024
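
The difference reported in this issue can be checked before a package reaches a signing step. The following is an added example, not code from this project or from either commenter: it reads the RPM lead and the signature header index and reports which digest tags are present. The function name `SigDigests` and the sample bytes are constructed for illustration; the tag numbers (1004, 269, 273) are taken from rpm's tag definitions, and only the signature header is inspected.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Digest tags found in the RPM signature header (values from rpm's rpmtag.h).
var digestTags = map[uint32]string{1004: "md5", 269: "sha1", 273: "sha256"}

// SigDigests parses the lead and signature header index; returns the digests present.
func SigDigests(r io.Reader) (map[string]bool, error) {
	var h struct {
		Lead    [96]byte // legacy lead, starts with ed ab ee db
		Magic   [4]byte  // 8e ad e8 + version byte
		_       uint32   // reserved
		N, Size uint32   // index entry count, data store size in bytes
	}
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(h.Lead[:], []byte{0xed, 0xab, 0xee, 0xdb}) ||
		!bytes.HasPrefix(h.Magic[:], []byte{0x8e, 0xad, 0xe8}) {
		return nil, fmt.Errorf("not an RPM: bad lead or header magic")
	}
	if h.N > 1024 { // bound the allocation: the count comes from untrusted input
		return nil, fmt.Errorf("signature index too large")
	}
	entries := make([][4]uint32, h.N) // each entry: tag, type, offset, count
	if err := binary.Read(r, binary.BigEndian, entries); err != nil {
		return nil, err
	}
	found := map[string]bool{}
	for _, e := range entries {
		if name, ok := digestTags[e[0]]; ok {
			found[name] = true
		}
	}
	return found, nil
}

func main() {
	// Constructed sample: lead, header intro with N=1, one entry for tag 273 (0x0111).
	rpm := append([]byte{0xed, 0xab, 0xee, 0xdb}, make([]byte, 92)...)
	rpm = append(rpm, 0x8e, 0xad, 0xe8, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0x11)
	rpm = append(rpm, make([]byte, 12)...)
	fmt.Println(SigDigests(bytes.NewReader(rpm)))
}
```

A result containing only `sha256` matches the nfpm-built package described above, which is the case that produced the md5 digest mismatch before the fix.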