Hi Daniele, You are correct. 3.4.2 does not support rule channels that only use SHA1.
Please contact the other rule channels and tell them to add sha256. We have moved away from SHA1. It should be trivial on their end to generate a sha256sum. Regards, KAM On 10/2/2018 10:00 AM, Daniele Duca wrote: > Hello, > > since updating to 3.4.2 I can't download rules from unofficial > channels. The problem is that in version 3.4.1 sa-update checks the > hash of the downloaded file using file.sha1 , while version 3.4.2 uses > file.sha256 or file.sha512. See the relevant differences in the > following sa-update --help: > > > 3.4.1: > sa-update --help > ... > --install filename Install updates directly from this file. > Signature verification will use "file.asc" and "file.sha1" > ... > > 3.4.2 > sa-update --help > ... > --install filename Install updates directly from this file. > Signature verification will use "file.asc", "file.sha256", and > "file.sha512". > ... > > > Using the --nogpg option doesn't help, sa-update still hardfails if it > doesn't find one of the .sha(256|512) files. > > Reading the code in sa-update I found that even if --nogpg is > specified, the signature file is still tried to be downloaded even if > it's not used afterwards, and that is what basically causes the update > procedure to fail. > For the moment I brutally hacked sa-update to don't care about > signatures when using unofficial channels, but I'd like to understand > if I'm missing something obvious that doesn't require code mangling to > use "old" update channels. > > Thanks > > Daniele Duca > -- Kevin A. McGrail VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
