Stronger Hashes

Thorsten Leemhuis fedora at leemhuis.info
Wed Mar 25 18:54:19 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15.03.2009 16:40, Thorsten Leemhuis wrote:
| On 13.03.2009 17:13, Nicolas Chauvet wrote:
|> According to the 23/02/2009 commits of redhat-rpm-config, these
|> macros are added.
|> [...]
|> So I don't think we need to tweak anything from our
|> configuration. Furthermore packages built since this new
|> redhat-rpm-config already use strongerhash.
| Maybe not for the Feature "StrongerHash" directly, but for related
| things; quoting a part from
| https://www.redhat.com/archives/fedora-announce-list/2009-March/msg00004.html
| here:
| """
|> At the same time, Rel-Eng was attempting to get the Fedora 11 Beta packages
|> signed with a newly generated f11-test key that is much larger in size (this
|> is related to the Stronger Hashes Feature that is coming with F11). The use
|> of the larger GPG key requires some different arguments to be passed to rpm
|> for the signing phase, including using --digest-algo sha256.  The signing
|> script was being reworked to invoke rpm correctly for this Feature, as well
|> as still work for the current release's GPG keys.
| """

Okay, mschwendt updated the push scripts (many thanks for your support
Michael!) to support different signing commands for different repos. I
created a new key and new release packages and everything afaics works
now as it's supposed to be.

The public key for the new signing key is part of the new release
packages that are available in RPM Fusion {non,}free for Fedora rawhide
since a few days now. Find the fingerprints as clearsigned file attached.

All new packages get signed with the new key. That means: If you don't
update regularly then you might need to update rpmfusion-free-release
and rpmfusion-nonfree-release first, then everything else -- otherwise
yum will complain that it has no key to verify. Also please make sure
that you merge /etc/yum.repos.d/rpmfusion*free*.repo.rpmnew files if
they get created during install of the new release packages, as those
files will contain the path to the new key.

We afaics could start a mass-rebuild now if we want to, but I guess it
might make sense to wait for the ffmpeg update. Dominik?

CU
knurd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAknKb8sACgkQUjQh93TopkFlfgCdHVj+ycdmrhLowZXUT7EWygXZ
XQgAn31tojVzzNzQdan20fLcCyBkskR7
=1gl3
-----END PGP SIGNATURE-----
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pub   4096R/8FCFF4DA 2009-03-21
      Key fingerprint = 1880 298A 4E99 0D67 7B37  DCCA AD27 0844 8FCF F4DA
uid                  RPM Fusion free repository for Fedora (11) <rpmfusion-buildsys at lists.rpmfusion.org>

pub   4096R/8DC43844 2009-03-21
      Key fingerprint = C8C3 C7AC 6EA8 BA7E 1E25  8F46 4D2A 1BDC 8DC4 3844
uid                  RPM Fusion nonfree repository for Fedora (11) <rpmfusion-buildsys at lists.rpmfusion.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJymzMhVCZsknIiFoRAssOAKCroPKD17To/ks5MLS/sVjKRJqD6ACgpRtX
spPS+m+hp27uZLJIw6wINNY=
=7An5
-----END PGP SIGNATURE-----
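
Added example, not part of the original message or of any RPM Fusion script: one way to check that a key file shipped in the new release packages carries one of the two fingerprints listed in the attachment above, rejecting a key that matches only on the 8-digit key ID. The function names are hypothetical, the key file path is supplied by the caller, and `check_keyfile` assumes a GnuPG version that supports `--show-keys`.

```shell
#!/bin/sh
# Fingerprint listing copied from the clearsigned attachment in this message.
ANNOUNCED='pub   4096R/8FCFF4DA 2009-03-21
      Key fingerprint = 1880 298A 4E99 0D67 7B37  DCCA AD27 0844 8FCF F4DA
pub   4096R/8DC43844 2009-03-21
      Key fingerprint = C8C3 C7AC 6EA8 BA7E 1E25  8F46 4D2A 1BDC 8DC4 3844'

# Print each announced fingerprint as 40 uppercase hex digits, one per line.
announced_fprs() {
    printf '%s\n' "$ANNOUNCED" |
        sed -n 's/^ *Key fingerprint = //p' | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# The fpr record that follows a pub record holds the fingerprint in field 10;
# fpr records that follow sub records (subkeys) are skipped.
colon_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Return 0 only when the full fingerprint is on the announced list.
# A key whose short key ID matches but whose fingerprint differs is rejected.
check_fpr() {
    fpr=$1
    if announced_fprs | grep -qx "$fpr"; then
        echo "OK $fpr"
        return 0
    fi
    short=$(printf '%s' "$fpr" | tail -c 8)
    if announced_fprs | grep -q "$short\$"; then
        echo "MISMATCH $fpr (key ID $short matches, fingerprint does not)"
    else
        echo "UNKNOWN $fpr"
    fi
    return 1
}

# Check every primary key in the key file given as $1 (path chosen by caller).
check_keyfile() {
    fprs=$(gpg --show-keys --with-colons "$1" | colon_fprs)
    [ -n "$fprs" ] || { echo "no keys found in $1"; return 1; }
    for f in $fprs; do
        check_fpr "$f" || return 1
    done
}
```
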

