Move yum repositories from SHA-1 to SHA256 signatures #674
Comments
I'm pretty sure that jfrog generates these files but I'll look at what can be changed
Maybe you have to migrate your Artifactory checksums from SHA1 to SHA-256: https://jfrog.com/help/r/jfrog-installation-setup-documentation/sha-256-support
@gdams any news regarding this?
@netsandbox I got a response from the support team asking me to double check but from what I can tell we already support SHA256 sums:
You can recreate this by running:
@gdams The problem is not the checksums in your package; the problem exists in your package repository.
This was also correctly mentioned in the first comment #674 (comment) from @sxa
@netsandbox are you happy for me to add you to the JFrog support ticket? I can use your email in GitHub
@gdams Sure!
@gdams is there any update regarding this? We stumbled upon this as we're mirroring many different Linux repos for our Linux clients and recently wanted to add the adoptium repository. Same as @netsandbox we're using Pulp to mirror packets, which follows the recommendation to not allow SHA-1 repo checksums. While it is possible to manually allow SHA-1 checksums so we can mirror the adoptium repo, this has implications for the global security configuration, affecting all our other repos as well, which we'd like to avoid.
@sxa @gdams @smlambert next month is the one year anniversary of this issue. As this is also a security related issue, I would never expect that this would take you so long to fix this. Can you give me an estimation when this will be finally fixed?
Removing the PMC agenda label. This is a task that has been outstanding for some time with JFrog (the artifactory provider). The nature and urgency of this issue have been noted.
Raised by a user on the eclipse security list. We are currently using SHA-1 checksums in places such as https://packages.adoptium.net/ui/api/v1/download/contentBrowsing/rpm/rocky/8/ppc64le/repodata/repomd.xml?isNativeBrowsing=true but as per this Red Hat article it is not recommended to do so now and so we should aim to migrate to SHA256 for our rpm signing.
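The thread above hinges on what digest type the repository advertises in its repomd.xml, which is the first file yum/dnf (and a mirroring tool such as Pulp) fetch from `repodata/`. The script below is an added example, not code from the Adoptium installer project or from JFrog: it parses a constructed repomd.xml, normalizes the legacy `type="sha"` spelling that createrepo used for SHA-1, flags entries whose digest algorithm is SHA-1 or MD5, and verifies a metadata file against its advertised digest. The sample XML, file contents and paths are all constructed for the example; point `audit_repomd` at a real repomd.xml to see what a repository actually advertises.

```python
"""Audit a yum/dnf repomd.xml for weak (SHA-1/MD5) checksum types.

Added example; not the Adoptium project's or JFrog's code. The sample
metadata below is constructed so the script runs offline.
"""
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# createrepo historically wrote type="sha" for SHA-1; newer tools write "sha1".
_ALIASES = {"sha": "sha1"}
WEAK = {"md5", "sha1"}

# Constructed stand-ins for the compressed metadata files (not real repo content).
# The digests in SAMPLE_REPOMD are computed from these bytes so the sample is consistent.
PRIMARY_GZ = b"constructed primary.xml.gz bytes"
FILELISTS_GZ = b"constructed filelists.xml.gz bytes"

# Constructed repomd.xml: "primary" advertised with SHA-1 (legacy "sha" spelling),
# "filelists" with SHA-256. Paths are hypothetical.
SAMPLE_REPOMD = f"""<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1700000000</revision>
  <data type="primary">
    <checksum type="sha">{hashlib.sha1(PRIMARY_GZ).hexdigest()}</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="filelists">
    <checksum type="sha256">{hashlib.sha256(FILELISTS_GZ).hexdigest()}</checksum>
    <location href="repodata/filelists.xml.gz"/>
  </data>
</repomd>
"""


def normalize(algo: str) -> str:
    """Map repomd checksum type names onto hashlib algorithm names."""
    algo = algo.lower()
    return _ALIASES.get(algo, algo)


def audit_repomd(xml_text: str) -> list:
    """Return one record per <data> entry: type, href, algorithm, digest, weak flag."""
    root = ET.fromstring(xml_text)
    records = []
    for data in root.findall(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        location = data.find(f"{REPO_NS}location")
        if checksum is None or location is None:
            continue  # malformed entry; a client would reject it anyway
        algo = normalize(checksum.get("type", ""))
        records.append({
            "type": data.get("type"),
            "href": location.get("href"),
            "algorithm": algo,
            "digest": (checksum.text or "").strip(),
            "weak": algo in WEAK,
        })
    return records


def weak_entries(xml_text: str) -> list:
    """Names of the <data> entries that advertise a weak digest algorithm."""
    return [r["type"] for r in audit_repomd(xml_text) if r["weak"]]


def verify_entry(record: dict, content: bytes) -> bool:
    """Check `content` against the digest advertised for it in repomd.xml.

    An algorithm hashlib does not know yields False rather than an exception,
    so a bogus type attribute cannot pass as verified.
    """
    try:
        h = hashlib.new(record["algorithm"])
    except ValueError:
        return False
    h.update(content)
    return h.hexdigest() == record["digest"]


if __name__ == "__main__":
    for rec in audit_repomd(SAMPLE_REPOMD):
        flag = "WEAK" if rec["weak"] else "ok"
        print(f"{rec['type']:<10} {rec['algorithm']:<7} {flag}  {rec['href']}")
```

Running it prints `primary` as `sha1 WEAK` and `filelists` as `sha256 ok`, which is exactly the distinction Pulp draws when it refuses a repository with SHA-1 repo checksums. Note that this checks only the digest type advertised for the repository metadata; the per-package checksums inside primary.xml are a separate question, which is the distinction made in the comments above.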