Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lib/, bin/: fix signature type, now called *.sig2 #565

Merged
merged 3 commits into from
Aug 30, 2023
Merged

lib/, bin/: fix signature type, now called *.sig2 #565

merged 3 commits into from
Aug 30, 2023

Conversation

classabbyamp
Copy link
Member

@classabbyamp classabbyamp commented Aug 8, 2023
edited
Loading

Since 8d5c48b, xbps has used a sha1 ASN1 prefix with a sha256 hash, and as of openssl v3, openssl cares about this. This works around that in a compatible way by moving to a second sig file, binpkg.sig2.

For xbps-remove -O and xbps-rindex -r, also clean up obselete .sig files.

Tested

  • xbps-rindex -S of a package to generate a .sig2
  • xbps-rindex -r of a package with both .sig and .sig2
  • xbps-remove -O of a package with both .sig and .sig2 in cache
  • xbps-install of a package with a .sig2
  • upgrade of xbps with this patch applied works (requires a couple minor changes to rebase and apply cleanly on 0.59.1)
  • upgrading openssl to v3 and using xbps with it (see this branch)

This will require

  1. an external signing utility that can sign new versions of xbps with the old signature format to allow for installation of the fixed version (like this)
  2. probably some manual intervention for initially signing all packages with the new .sig2

Questions

  1. should old .sigs be removed from the repos?
  2. are there any infra implications that will need to be updated to deal with the new .sig2 files? downstream mirrors filtering their rsyncs?

closes #544
fixes #531
fixes #480

@classabbyamp
lib/, bin/: fix signature type, now called *.sig2
2356df0 
Since 8d5c48b, xbps has used a sha1 ASN1 prefix with a sha256 hash, and
as of openssl v3, openssl cares about this. This works around that in a
compatible way by moving to a second sig file, binpkg.sig2.

For xbps-remove -O and xbps-rindex -r, also clean up obselete .sig files.
@classabbyamp
configure: workaround for openssl3 compat
79bffee
@classabbyamp classabbyamp mentioned this pull request Aug 11, 2023
Merged
@classabbyamp
lib/transaction_fetch.c: don't rely on digest being NULL
51e886b 
caused issues when .xbps existed locally but .sig2 did not.
@Duncaen Duncaen merged commit f68893e into void-linux:master Aug 30, 2023
6 checks passed
@classabbyamp classabbyamp deleted the sig2 branch August 30, 2023 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to build xbps xbps signatures use SHA256 hash with SHA1 DigestInfo
2 participants
@classabbyamp @Duncaen