Re: Stronger Hashes

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 15.03.2009 16:40, Thorsten Leemhuis wrote: | On 13.03.2009 17:13, Nicolas Chauvet wrote: |> According to the 23/02/2009 commit's of redhat-rpm-config, theses |> macros are added. |> [...] |> So I don't think we need to tweak anything from our |> configuration. Furthermore packages built since this new |> redhat-rpm-config already use strongerhash. | Maybe not for the Feature "StrongerHash" directly, but for related | things; quoting a part from | https://www.redhat.com/archives/fedora-announce-list/2009-March/msg00004.... | here: | """ |> At the same time, Rel-Eng was attempting to get the Fedora 11 Beta packages |> signed with a newly generated f11-test key that is much larger in size (this |> is related to the Stronger Hashes Feature that is coming with F11). The use |> of the larger GPG key requires some different arguments to be passed to rpm |> for the signing phase, including using --digest-algo sha256. The signing |> script was being reworked to invoke rpm correctly for this Feature, as well |> as still work for the current release's GPG keys. | """ Okay, mschwendt updated the push scripts (many thanks for your support Michael!) to support different signing commands for different repos. I created a new key and new release packages and everything afaics works now as it's supposed to be. The public key for the new signing key is part of the new release packages that are available in RPM Fusion {non,}free for Fedora rawhide since a few days now. Find the fingerprints as clearsigned file attached. All new packages get signed with the new key. That means: If you don't update regularly then you might need to update rpmfusion-free-release and rpmfusion-nonfree-release first, then everything else -- otherwise yum will complain that is has no key to verify. Also please make sure that your merge /etc/yum.repos.d/rpmfusion*free*.repo.rpmnew files if they get created during install of the new release packages, as those files will contain the path to the new key. We afaics could start a mass-rebuild now if we want to, but I guess it might make sense to wait for the ffmpeg update. Dominik?