Branch: refs/heads/INFRA-717
Home:   https://github.com/jenkinsci/packaging
Commit: 3800e72ada2e26352cd9b0941557bdf1e5cfecbf
    https://github.com/jenkinsci/packaging/commit/3800e72ada2e26352cd9b0941557bdf1e5cfecbf
Author: Kohsuke Kawaguchi <k...@kohsuke.org>
Date:   2016-11-01 (Tue, 01 Nov 2016)

Changed paths:
  M deb/publish/publish.sh

Log Message:
-----------
[INFRA-717] sign with SHA-2

Debian upstream and Ubuntu 16.04 started deprecating SHA1, which is currently used for signing. This explicit command line option changes the hash algorithm for dsig, removing a warning.

The upstream documentation mentions that the key has to be first upgraded to RSA/2048, but according to my experiment, this was not required to make `apt-get update` happy.

While using a stronger key would be preferable, it has a wider impact; specifically, it would start breaking signature checks for existing users who have already run `apt-key add jenkins-ci.org.key` a long time ago. The packaging script uses the same GPG key for all the platforms, so this impact will be felt by users of RPMs, too.

To start the eventual key switching, I've updated my jenkins-ci.org.key to contain the current key as well as the new RSA/4096 key. Starting today, users installing RPM/DEB packages will get both keys, so when we eventually switch the signing key, the impact will be less.
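
One way to confirm the effect of a change like the one this commit message describes is to read the digest algorithm straight out of the repository's OpenPGP detached signature, following the packet layout in RFC 4880. This is an added example, not code from the jenkinsci/packaging repository; the function names, the `WEAK` policy set and the truncated sample packets are constructed for illustration.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}   # policy assumed for this example

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]   # skip armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def signature_hash(data: bytes) -> str:
    """Name the digest algorithm of the first signature packet in data."""
    pkt = dearmor(data)
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                         # new-format packet header
        tag, length = first & 0x3F, pkt[1]
        if 224 <= length < 255:
            raise ValueError("partial body lengths are not supported")
        hdr = 2 if length < 192 else 3 if length < 224 else 6
    else:                                    # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = pkt[hdr:]
    if body[0] == 4:      # v4: version, sig type, pubkey algo, hash algo
        algo = body[3]
    elif body[0] == 3:    # v3: hash algo follows type, time, key ID, pubkey algo
        algo = body[16]
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return HASH_NAMES.get(algo, f"unknown({algo})")

def is_weak(data: bytes) -> bool:
    """True when the signature's digest is in the WEAK policy set."""
    return signature_hash(data) in WEAK

# Constructed, truncated v4 packets (headers only, not verifiable signatures).
SHA1_SIG = bytes.fromhex("880a04001102000000000000")    # DSA + SHA1
SHA256_SIG = bytes.fromhex("880a04000108000000000000")  # RSA + SHA256
ARMORED = (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(SHA256_SIG)
           + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")   # CRC is a dummy

if __name__ == "__main__":
    for name, sig in [("sha1", SHA1_SIG), ("sha256", SHA256_SIG), ("armored", ARMORED)]:
        print(name, signature_hash(sig), "WEAK" if is_weak(sig) else "ok")
```

The parser only inspects the packet header and does not verify the signature, so it complements `gpg --verify` rather than replacing it.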