Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/packaging
  Commit: 3800e72ada2e26352cd9b0941557bdf1e5cfecbf
      
https://github.com/jenkinsci/packaging/commit/3800e72ada2e26352cd9b0941557bdf1e5cfecbf
  Author: Kohsuke Kawaguchi <k...@kohsuke.org>
  Date:   2016-11-01 (Tue, 01 Nov 2016)

  Changed paths:
    M deb/publish/publish.sh

  Log Message:
  -----------
  [INFRA-717] sign with SHA-2

Debian upstream and Ubuntu 16.04 started deprecating SHA1, which is
currently used for signing. This explicit command line option changes
the hash algorithm for dsig, removing a warning.

The upstream documentation mentions that the key has to be first
upgraded to RSA/2048, but according to my experiment, this was not
required to make `apt-get update` happy.

While using a stronger key would be preferable, it has a wider impact;
specifically, it would start breaking signature checks for existing
users who have already run `apt-key add jenkins-ci.org.key` a long time
ago. The packaging script uses the same GPG key for all the platforms,
so this impact will be felt by users of RPMs, too.

To start the eventual key switching, I've updated my jenkins-ci.org.key
to contain the current key as well as the new RSA/4096 key. Starting
today, users installing RPM/DEB packages will get both keys, so when we
eventually switch the signing key, the impact will be less.


  Commit: e50139c6804bbaf77942fc4db024c4e27509ac78
      
https://github.com/jenkinsci/packaging/commit/e50139c6804bbaf77942fc4db024c4e27509ac78
  Author: R. Tyler Croy <ty...@monkeypox.org>
  Date:   2016-11-01 (Tue, 01 Nov 2016)

  Changed paths:
    M deb/publish/publish.sh

  Log Message:
  -----------
  Merge pull request #80 from jenkinsci/INFRA-717

[INFRA-717] sign with SHA-2


Compare: 
https://github.com/jenkinsci/packaging/compare/008343f65cd2...e50139c6804b
