spamassassin-users mailing list archives

From "Kevin A. McGrail" <kmcgr...@apache.org>
Subject Re: sa-update and signature verification
Date Tue, 02 Oct 2018 14:40:05 GMT

Hi Daniele,

You are correct.  3.4.2 does not support rule channels that
only use SHA1.

Please contact the other rule channels and tell them to add sha256.  We
have moved away from SHA1.  It should be trivial on their end to
generate a sha256sum.

Regards,
KAM

On 10/2/2018 10:00 AM, Daniele Duca wrote:
> Hello,
>
> since updating to 3.4.2 I can't download rules from unofficial
> channels. The problem is that in version 3.4.1 sa-update checks the
> hash of the downloaded file using file.sha1, while version 3.4.2 uses
> file.sha256 or file.sha512. See the relevant differences in the
> following sa-update --help:
>
>
> 3.4.1:
> sa-update --help
> ...
> --install filename      Install updates directly from this file.
> Signature verification will use "file.asc" and "file.sha1"
> ...
>
> 3.4.2
> sa-update --help
> ...
> --install filename      Install updates directly from this file.
> Signature verification will use "file.asc", "file.sha256", and
> "file.sha512".
> ...
>
>
> Using the --nogpg option doesn't help, sa-update still hardfails if it
> doesn't find one of the .sha(256|512) files.
>
> Reading the code in sa-update I found that even if --nogpg is
> specified, it still tries to download the signature file even if
> it's not used afterwards, and that is what basically causes the update
> procedure to fail.
> For the moment I brutally hacked sa-update to not care about
> signatures when using unofficial channels, but I'd like to understand
> if I'm missing something obvious that doesn't require code mangling to
> use "old" update channels.
>
> Thanks
>
> Daniele Duca
>

-- 
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
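
For a channel operator acting on the advice above, here is an added example (not part of the original message and not sa-update code) that writes the file.sha256 and file.sha512 sidecars named in the 3.4.2 help text and checks them, failing closed when either is missing or no longer matches. The function names are hypothetical; it assumes GNU coreutils and that the hex digest is the first field of each sidecar.

```shell
#!/bin/sh
# Added example, not sa-update code: create and check the .sha256/.sha512
# sidecar files that the 3.4.2 --help text names for --install.
# Assumption: each sidecar's first whitespace-separated field is the hex
# digest, which is the layout sha256sum/sha512sum write.

# make_sidecars FILE: write FILE.sha256 and FILE.sha512 next to FILE.
make_sidecars() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    dir=$(dirname -- "$f"); base=$(basename -- "$f")
    # Run inside the directory so the sidecar records a bare file name.
    ( cd -- "$dir" &&
      sha256sum -- "$base" > "$base.sha256" &&
      sha512sum -- "$base" > "$base.sha512" )
}

# check_one FILE ALGO: compare FILE's digest with the one stored in FILE.ALGO.
check_one() {
    f=$1; algo=$2; side="$f.$algo"
    [ -f "$side" ] || { echo "missing $side" >&2; return 1; }
    want=$(awk 'NR==1 { print tolower($1) }' "$side")
    have=$("${algo}sum" -- "$f" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ] || { echo "$algo mismatch for $f" >&2; return 1; }
}

# verify_sidecars FILE: fail closed unless both digests are present and match.
verify_sidecars() {
    check_one "$1" sha256 && check_one "$1" sha512
}

# Demo on a constructed file (a stand-in for a channel's update tarball).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample rules\n' > "$tmp/update.tar.gz"
    make_sidecars "$tmp/update.tar.gz" && verify_sidecars "$tmp/update.tar.gz"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "sidecars written and verified"
```

The digests only show that the file matches what was published; the detached file.asc signature is what ties it to the channel's key.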

