From a3cadca8e54082609cef754fdd8d2e438037fcf1 Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Fri, 4 Nov 2016 09:45:13 -0700 Subject: [PATCH] Use sha512 when gpg signing builds Signed-off-by: Derek McGowan (github: dmcgowan) --- hack/make/release-deb | 2 +- hack/make/release-rpm | 2 +- hack/make/sign-repos | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/hack/make/release-deb b/hack/make/release-deb index 7e781d4bc3..d8806f40c5 100755 --- a/hack/make/release-deb +++ b/hack/make/release-deb @@ -114,7 +114,7 @@ for dir in bundles/$VERSION/build-deb/*/; do # if we have a $GPG_PASSPHRASE we may as well # dpkg-sign before copying the deb into the pool if [ ! -z "$GPG_PASSPHRASE" ]; then - dpkg-sig -g "--no-tty --passphrase '$GPG_PASSPHRASE'" \ + dpkg-sig -g "--no-tty --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE'" \ -k "$GPG_KEYID" --sign builder "$tempdir/$d" fi mv "$tempdir/$d" "$APTDIR/pool/$component/d/docker-engine/" diff --git a/hack/make/release-rpm b/hack/make/release-rpm index 5c109d0745..e1d41e4ce1 100755 --- a/hack/make/release-rpm +++ b/hack/make/release-rpm @@ -59,7 +59,7 @@ for dir in bundles/$VERSION/build-rpm/*/; do --define "_gpg_name $GPG_KEYID" \ --define "_signature gpg" \ --define "__gpg_check_password_cmd /bin/true" \ - --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \ + --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \ --resign "${RPMFILE[@]}" fi diff --git a/hack/make/sign-repos b/hack/make/sign-repos index e0cebc6ab2..6ed1606885 100755 --- a/hack/make/sign-repos +++ b/hack/make/sign-repos @@ -28,6 +28,7 @@ sign_packages(){ for F in $(find $APTDIR -name Release); do if test "$F" -nt "$F.gpg" ; then gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ + --digest-algo "sha512" \ --armor --sign --detach-sign \ --batch --yes \ --output "$F.gpg" "$F" @@ -35,6 +36,7 @@ sign_packages(){ inRelease="$(dirname "$F")/InRelease" if test "$F" -nt "$inRelease" ; then gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ + --digest-algo "sha512" \ --clearsign \ --batch --yes \ --output "$inRelease" "$F" @@ -51,6 +53,7 @@ sign_packages(){ for F in $(find $YUMDIR -name repomd.xml); do if test "$F" -nt "$F.asc" ; then gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ + --digest-algo "sha512" \ --armor --sign --detach-sign \ --batch --yes \ --output "$F.asc" "$F"