> On Sun, 2015-05-24 at 12:32 -0400, Andrew Schulman wrote:
> > Since the latest update to openssh, ssh-keygen's output format for key
> > fingerprints has changed. The default hash algorithm is now base64-encoded
> > SHA256 instead of MD5, and the hash name precedes its value, like
> >
> > SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc
> >
> > This breaks the current logic for detecting key fingerprints in cygport's
> > lib/pkg_upload.cygpart. The attached patch fixes the problem. (You might
> > know
> > a more precise regex for the base64-encoded hash value than I do. I
> > couldn't
> > find any documentation of it anywhere, and just settled for
> >
> > SHA256:.{44}
>
> There's another problem: this is new to 6.8; any out-of-date Cygwin
> systems, or even current RHEL or Fedora 21 systems, won't have this, nor
> do they support the -E flag which could be used to specify md5.
>
> Any thoughts on a better regex or on keeping compatibility with other
> systems?
Right, OK. See the attached revised patch, which uses
[0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}
to detect the key fingerprint. The left side is the same as now, for pre-6.8
systems, which use MD5 without a label. The right side is for version 6.8 and
later, where the default is SHA256 with the label 'SHA256:' prepended. So this
should cover all cases.
Andrew
pkg_upload_key_fingerprint.patch
Description: Binary data
