
Move yum repositories from SHA-1 to SHA256 signatures #674

Open
sxa opened this issue May 15, 2023 · 12 comments

Comments

@sxa
Copy link
Member

sxa commented May 15, 2023

Raised by a user on the eclipse security list. We are currently using SHA-1 checksums in places such as https://packages.adoptium.net/ui/api/v1/download/contentBrowsing/rpm/rocky/8/ppc64le/repodata/repomd.xml?isNativeBrowsing=true but as per this Red Hat article it is not recommended to do so now and so we should aim to migrate to SHA256 for our rpm signing.

@gdams
Copy link
Member

gdams commented May 26, 2023

I'm pretty sure that jfrog generates these files but I'll look at what can be changed

@netsandbox
Copy link

Maybe you have to migrate your Artifactory checksums from SHA1 to SHA-256: https://jfrog.com/help/r/jfrog-installation-setup-documentation/sha-256-support

@netsandbox
Copy link

@gdams any news regarding this?

@gdams
Copy link
Member

gdams commented Sep 13, 2023

@netsandbox I got a response from the support team asking me to double check but from what I can tell we already support SHA256 sums:

```text
  Installing       : temurin-17-jdk-17.0.8.1.0.1-1.aarch64                                  17/17
D: ========== +++ temurin-17-jdk-17.0.8.1.0.1-1 aarch64-linux 0x0
D: temurin-17-jdk-17.0.8.1.0.1-1.aarch64: Header V4 RSA/SHA256 Signature, key ID 65f8f04b: OK
D: temurin-17-jdk-17.0.8.1.0.1-1.aarch64: Header SHA256 digest: OK
D: temurin-17-jdk-17.0.8.1.0.1-1.aarch64: Header SHA1 digest: OK
D:   install: temurin-17-jdk-17.0.8.1.0.1-1.aarch64 has 537 files
```

@gdams
Copy link
Member

gdams commented Sep 13, 2023

You can recreate this by running: `dnf install -y -v temurin-17-jdk --rpmverbosity=debug`

@netsandbox
Copy link

@gdams The problem is not the checksums in your package; the problem exists in your package repository.
I noticed this when I started to mirror your repository to our company-internal Pulp3 server.
I had to add sha1 to Pulp's ALLOWED_CONTENT_CHECKSUMS configuration to be able to mirror your repository.
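The distinction drawn in this comment (package-header signatures versus the digests in the repository metadata) and the repomd.xml file cited in the opening comment are what a mirror operator actually needs to inspect. The script below is an added example, not code from the Adoptium project, JFrog, Pulp or anyone in this thread. It parses a repomd.xml document and reports which digest algorithm each repodata entry declares in its `<checksum>`/`<open-checksum>` `type` attribute (createrepo historically wrote `sha` as the name for SHA-1), and also flags digests whose hex length does not match the declared algorithm. The three repomd.xml documents embedded in it are constructed samples following the createrepo_c layout, not copies of the Adoptium files; `audit_repomd_url` is a hypothetical helper for pointing the same check at a live repository.

```python
"""Audit a yum/dnf repository's repomd.xml for SHA-1 (or other weak) digests.

Added example; not code from the Adoptium project, JFrog, Pulp or anyone in
the issue thread. The sample documents below are constructed, not real files.
"""
import urllib.request
import xml.etree.ElementTree as ET

REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Algorithms a mirror should refuse. Older createrepo wrote "sha" as the
# algorithm name for SHA-1, so both spellings are treated as SHA-1 here.
WEAK_ALGORITHMS = {"md5", "sha", "sha1"}

# Expected hex-digest length for each algorithm name used in repomd.xml.
DIGEST_HEX_LEN = {"md5": 32, "sha": 40, "sha1": 40, "sha224": 56,
                  "sha256": 64, "sha384": 96, "sha512": 128}

# Constructed sample: repodata digested with SHA-1 (the situation in the issue).
SAMPLE_REPOMD_SHA1 = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1684152000</revision>
  <data type="primary">
    <checksum type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</checksum>
    <open-checksum type="sha1">da39a3ee5e6b4b0d3255bfef95601890afd80709</open-checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="filelists">
    <checksum type="sha">da39a3ee5e6b4b0d3255bfef95601890afd80709</checksum>
    <open-checksum type="sha">da39a3ee5e6b4b0d3255bfef95601890afd80709</open-checksum>
    <location href="repodata/filelists.xml.gz"/>
  </data>
</repomd>
"""

# Constructed sample: the same layout after migrating to SHA-256.
SAMPLE_REPOMD_SHA256 = SAMPLE_REPOMD_SHA1.replace(
    'type="sha1"', 'type="sha256"').replace('type="sha"', 'type="sha256"').replace(
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

# Constructed sample: a 40-hex (SHA-1 sized) digest wrongly labelled sha256.
SAMPLE_REPOMD_MISLABELLED = SAMPLE_REPOMD_SHA1.replace('type="sha1"', 'type="sha256"')


def _data_entries(repomd_xml):
    """All <data> elements of a repomd.xml document (namespace-aware)."""
    return ET.fromstring(repomd_xml).findall(f"{{{REPOMD_NS}}}data")


def _checksum_elements(data):
    """Yield (tag, element) for the checksum and open-checksum children."""
    for tag in ("checksum", "open-checksum"):
        for elem in data.findall(f"{{{REPOMD_NS}}}{tag}"):
            yield tag, elem


def checksum_algorithms(repomd_xml):
    """Return {entry type: set of lower-cased algorithm names} per <data> entry."""
    result = {}
    for data in _data_entries(repomd_xml):
        result[data.get("type")] = {
            (elem.get("type") or "").lower() for _, elem in _checksum_elements(data)}
    return result


def weak_entries(repomd_xml):
    """Sorted names of repodata entries that declare a weak digest algorithm."""
    return sorted(name for name, algs in checksum_algorithms(repomd_xml).items()
                  if algs & WEAK_ALGORITHMS)


def mislabelled_digests(repomd_xml):
    """(entry, element, algorithm, hex length) where the digest length does not
    match the declared algorithm, e.g. a 40-hex SHA-1 value labelled sha256."""
    bad = []
    for data in _data_entries(repomd_xml):
        for tag, elem in _checksum_elements(data):
            alg = (elem.get("type") or "").lower()
            hexlen = len((elem.text or "").strip())
            if DIGEST_HEX_LEN.get(alg) != hexlen:
                bad.append((data.get("type"), tag, alg, hexlen))
    return bad


def audit_repomd_url(url, timeout=30):
    """Hypothetical helper: fetch a live repomd.xml and run both checks on it.
    Needs network access; the offline samples above do not use it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        xml_text = resp.read().decode("utf-8")
    return {"weak": weak_entries(xml_text), "mislabelled": mislabelled_digests(xml_text)}


if __name__ == "__main__":
    for label, doc in (("sha1 sample", SAMPLE_REPOMD_SHA1),
                       ("sha256 sample", SAMPLE_REPOMD_SHA256),
                       ("mislabelled sample", SAMPLE_REPOMD_MISLABELLED)):
        print(label, "weak:", weak_entries(doc), "mislabelled:", mislabelled_digests(doc))
```

Note that this checks only the repodata digests in repomd.xml, which is what a mirror such as Pulp validates; the `Header V4 RSA/SHA256 Signature` line in the `rpm` debug output earlier in the thread refers to the signature on the package header, which is a separate mechanism and can be SHA-256 even when the repository metadata is still SHA-1.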

@netsandbox
Copy link

This was also correctly mentioned in the first comment #674 (comment) from @sxa

@gdams
Copy link
Member

gdams commented Sep 13, 2023

@netsandbox are you happy for me to add you to the JFrog support ticket? I can use your email in GitHub

@netsandbox
Copy link

> @netsandbox are you happy for me to add you to the JFrog support ticket? I can use your email in GitHub

@gdams Sure!

@GeorgFleig
Copy link

@gdams is there any update regarding this?

We stumbled upon this as we're mirroring many different Linux repos for our Linux clients and recently wanted to add the adoptium repository. Same as @netsandbox, we're using Pulp to mirror packages, which follows the recommendation to not allow SHA-1 repo checksums. While it is possible to manually allow SHA-1 checksums so we can mirror the adoptium repo, this has implications for the global security configuration, affecting all our other repos as well, which we'd like to avoid.

@netsandbox
Copy link

@sxa @gdams @smlambert next month is the one year anniversary of this issue.

As this is also a security-related issue, I would never have expected it to take you so long to fix.

Can you give me an estimation when this will be finally fixed?

@tellison
Copy link
Contributor

tellison commented May 1, 2024

Removing the PMC agenda label. This is a task that has been outstanding for some time with JFrog (the Artifactory provider). The nature and urgency of this issue have been noted.
