From 4278783a9e5b49f434816365e43f026b47b2d116 Mon Sep 17 00:00:00 2001
From: Mark Gurevich
Date: Fri, 14 Oct 2022 14:31:19 -0400
Subject: [PATCH] Sign RH9 dependency RPMs with SHA256
---
 builddep.sh | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/builddep.sh b/builddep.sh
index acb4a8fc2..c01ab89d0 100755
--- a/builddep.sh
+++ b/builddep.sh
@@ -239,9 +239,23 @@ if ! $GREP -q '%_gpg_name' $MACROS 2>/dev/null; then
     echo '%_gpg_name xCAT Automatic Signing Key' >> $MACROS
 fi
 
-# Sign the rpms that are not already signed. The "standard input reopened" warnings are normal.
-echo "===> Signing RPMs..."
-$XCATCOREDIR/build-utils/rpmsign.exp `find . -type f -name '*.rpm'` | grep -v -E '(already contains identical signature|was already signed|rpm --quiet --resign|WARNING: standard input reopened)'
+# Sign the rpms that are not already signed. The "standard input reopened" warnings are normal.
+# First sign all non RH9 RPMS with DEFAULT algorithm, if running this script on RH7 or RH8,
+# most likely it will be SHA1
+echo "===> Signing RPMs with DEFAULT algorithm..."
+$XCATCOREDIR/build-utils/rpmsign.exp `find . -type f -name '*.rpm' ! -path './rh9/*'` | grep -v -E '(already contains identical signature|was already signed|rpm --quiet --resign|WARNING: standard input reopened)'
+
+# Update $MACROS file so that RPMS will be signed with SHA256 algorithm
+if ! $GREP -q '%_gpg_sign_cmd' $MACROS 2>/dev/null; then
+    echo '%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}' >> $MACROS
+fi
+
+# Second sign all RH9 RPMS with SHA256 algorithm
+echo "===> Signing RH9 RPMs with SHA265 algorithm..."
+$XCATCOREDIR/build-utils/rpmsign.exp `find rh9 -type f -name '*.rpm'` | grep -v -E '(already contains identical signature|was already signed|rpm --quiet --resign|WARNING: standard input reopened)'
+
+# Remove SHA256 algorithm statement from $MACROS file, back to DEFAULT
+sed -i '/__gpg_sign_cmd/d' $MACROS
 
 # Create the repodata dirs
 echo "===> Creating repodata directories..."
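Review bot: The new macro guard greps for `%_gpg_sign_cmd` (one underscore) while the line it appends is `%__gpg_sign_cmd` (two underscores), so the check never matches the script's own output, and the only thing keeping duplicates out of `$MACROS` is the unconditional `sed -i '/__gpg_sign_cmd/d' $MACROS` at the end, which also deletes any `__gpg_sign_cmd` definition the user already had in that file (presumably ~/.rpmmacros, which is mutated in place). Change the guard to `if ! $GREP -q '%__gpg_sign_cmd' $MACROS 2>/dev/null; then` and narrow the cleanup to the line this script wrote, e.g. `sed -i '/^%__gpg_sign_cmd .*--digest-algo sha256/d' $MACROS`, or better, put the override in a throwaway macro file rather than editing the user's. The cleanup is also only reached if the RH9 signing pipeline returns normally; if the script exits in between (under set -e, or if rpmsign.exp aborts) the SHA256 override persists for later runs, so a `trap` restoring `$MACROS` on EXIT is worth adding, or at least a comment stating that the file is left modified on failure. The progress message spells the algorithm `SHA265`; it should read `SHA256`.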