refactor: using golang.org/x/crypto for signing rpms #681

Closed
wants to merge 1 commit into from

Conversation

caarlos0
Member

see #680

with this, I think we would be able to keep things up to date more easily.

afaik, the problem is that protonmail's crypto packages do not support some old version of the signatures, which centos still uses...

so, we either drop support for centos, or use golang.org/x/crypto for signing rpms.

@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 23, 2023
@caarlos0 caarlos0 added the enhancement New feature or request label Jun 23, 2023
@djgilcrease
Contributor

djgilcrease commented Jun 23, 2023

The problem with golang.org/x/crypto is that the openpgp is deprecated, and it seems centos back to 7 supports sha256; we may just need to update rpmpack to understand `%_gpg_digest_algo sha256`.

@erikgeiser
Member

Given our limited use of PGP, I don't think the deprecation is that much of an issue, as security fixes are still provided. That said, I also don't mind dropping support for the old Centos versions, especially because I think security backports for distros that are that old are a farce anyway. If we can solve it by improving rpmpack, that would also be nice.

@djgilcrease
Contributor

Also rpm supports sha512 but we are hardcoding it to sha256

@caarlos0
Member Author

caarlos0 commented Jun 23, 2023

> I also don't mind dropping support for the old Centos versions

FWIW: version 9 breaks too...

version 8 is EOL mid next year

https://www.centos.org/download/

> Also rpm supports sha512 but we are hardcoding it to sha256

interesting 🤔
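
The thread turns on which signature version and digest a signed package carries. As an added example (not code from this PR, nfpm, or rpmpack), the sketch below reads those two fields from a binary OpenPGP signature packet using the v3 and v4 layouts in RFC 4880; `InspectSignature`, `sampleV3` and `sampleV4` are hypothetical names, and the sample bytes are constructed.

```go
package main

import "fmt"

// Hash algorithm IDs from RFC 4880, section 9.4.
var hashNames = map[byte]string{1: "MD5", 2: "SHA1", 3: "RIPEMD160",
	8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

// InspectSignature returns the version and digest name of one binary OpenPGP
// signature packet. It verifies nothing and ignores the declared body length.
func InspectSignature(b []byte) (version int, hash string, err error) {
	if len(b) < 2 || b[0]&0x80 == 0 {
		return 0, "", fmt.Errorf("not an OpenPGP packet")
	}
	tag, hdr := (b[0]>>2)&0x0f, []int{2, 3, 5, 0}[b[0]&3] // old-format header
	if b[0]&0x40 != 0 { // new-format header: tag in bits 5-0
		tag, hdr = b[0]&0x3f, 0 // hdr stays 0 for partial body lengths
		switch {
		case b[1] < 192:
			hdr = 2
		case b[1] < 224:
			hdr = 3
		case b[1] == 255:
			hdr = 6
		}
	}
	if tag != 2 || hdr == 0 || len(b) <= hdr {
		return 0, "", fmt.Errorf("not a definite-length signature packet")
	}
	body := b[hdr:]
	off := map[byte]int{3: 16, 4: 3}[body[0]] // offset of the hash-algorithm octet
	if off == 0 || len(body) <= off {
		return 0, "", fmt.Errorf("unsupported or truncated v%d signature", body[0])
	}
	name, ok := hashNames[body[off]]
	if !ok {
		name = fmt.Sprintf("unknown(%d)", body[off])
	}
	return int(body[0]), name, nil
}

// Constructed samples, cut off after the hash-algorithm octet.
var sampleV3 = append([]byte{0x88, 0x11, 3, 5, 0}, append(make([]byte, 12), 1, 2)...)
var sampleV4 = []byte{0xC2, 0x04, 4, 0, 1, 10}

func main() {
	fmt.Println(InspectSignature(sampleV3))
	fmt.Println(InspectSignature(sampleV4))
}
```

The function expects the raw signature packet bytes; extracting them from an RPM's signature header is outside this sketch.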

@caarlos0 caarlos0 closed this Jun 25, 2023
@caarlos0 caarlos0 deleted the gocrypto branch June 25, 2023 17:02