yash khatri

Reputation: 103

Add SHA256 Digests to RPM Packages

I want to add the SHA256 digests for header and payload to my RPM packages.

Currently, it is building with the sha1 digest.

Below is the output of rpm --checksig --verbose pkg_name.rpm:

    Header SHA1 digest: OK
    MD5 digest: OK

Environment - RHEL6

Here is what I tried so far:

    %_source_filedigest_algorithm 8
    %_binary_filedigest_algorithm 8
    %define _source_filedigest_algorithm 8
    %define _binary_filedigest_algorithm 8

But none of the above solutions worked for me, and after rebuilding I still see that my package is built with sha1 and md5 as the digest algorithms.

Please note that the output of the rpm --showrc | grep "digest_algo" command for each of the above solutions is as below:

    -13: _binary_filedigest_algorithm       8
    -13: _source_filedigest_algorithm       8

Upvotes: 5

Views: 4755

Answers (1)

Bemipefe

Reputation: 1537

Create the file .rpmmacros in the home folder of the user who builds the RPM package and put this content in the file:

    %_gpg_name My Key ID
    %_gpg_digest_algo sha256
    %_binary_filedigest_algorithm SHA256
    %_source_filedigest_algorithm SHA256
    %__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --batch --no-verbose --no-armor --passphrase "%{getenv:KEYPASSWORD}" \
    %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \
    --no-secmem-warning \
    -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

  • Replace "My Key ID" with the name of the generated GPG key
  • Set the environment variable KEYPASSWORD

Then you can add a signature with the following command:

    rpmsign --addsign package.rpm

NOTE: You need rpm >= 4.14.3

Reference to supported macros

Upvotes: 1
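
A check for the result the question is after, as an added example that is not part of the original question or answer: it reads the output of rpm --checksig --verbose and fails unless SHA256 header and payload digest lines are present and OK. The function name, both sample outputs, and the "Header SHA256 digest" / "Payload SHA256 digest" line names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): gate a build on the digest
# lines printed by `rpm --checksig --verbose`.

# Constructed sample: the two lines the question reports for its package.
SAMPLE_LEGACY='pkg_name.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Constructed sample: assumed output shape for a package that also carries
# SHA256 header and payload digests (line names are an assumption).
SAMPLE_SHA256='pkg_name.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Reads checksig output on stdin.
# Exit 0: both SHA256 digests present and every digest line is OK.
# Exit 1: some digest line is not OK.
# Exit 2: digests verify, but a SHA256 header or payload digest is missing.
check_sha256_digests() {
    awk '
        /digest:/ {
            name = $0
            sub(/^[ \t]+/, "", name)          # drop indentation
            sub(/:[ \t]*[^:]*$/, "", name)    # drop ": STATUS"
            if ($NF != "OK") { failed++; print "not OK: " name }
            if (name == "Header SHA256 digest")  hdr = 1
            if (name == "Payload SHA256 digest") pay = 1
            seen = seen (seen ? ", " : "") name
        }
        END {
            print "digests seen: " (seen ? seen : "none")
            if (failed)       exit 1
            if (!hdr || !pay) exit 2
        }
    '
}

# Real use: rpm --checksig --verbose pkg_name.rpm | check_sha256_digests
for sample in "$SAMPLE_LEGACY" "$SAMPLE_SHA256"; do
    if printf '%s\n' "$sample" | check_sha256_digests; then
        echo "PASS: SHA256 header and payload digests present"
    else
        echo "FAIL (status $?)"
    fi
done
```

Exit status 2 separates a package that verifies but only carries SHA1/MD5 digests from one whose digests fail verification (status 1).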
