RPMs are currently signed using a DSA key and a SHA-1 message digest. SHA-1 has known weaknesses; we should migrate to signatures that use a SHA-2 hash. See https://fedoraproject.org/wiki/Features/StrongerHashes for more detailed rationale.

RPM currently supports SHA-2 only with RSA keys. The key size should be at least 2048 bits, which [1] claims achieves an algorithm strength of 112 bits (with SHA-256 strength of 128 bits, the result is the smaller value, i.e. 112 bits). So, the Fedora 11 key should be an RSA key with a key size of at least 2048 bits.

To use SHA-256 with the key, define the following macro:

    --define '__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo sha256 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}'

(--force-v3-sigs is necessary due to #436812.) This creates RPMs that can be handled by rpm at least since RHEL5 (rpm-4.4.2).

[1] http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
To generate such signatures using sigul, update to sigul-0.92 (from http://people.redhat.com/mitr/rpmsigner ) and configure it to use SHA-256:

    echo 'personal-digest-preferences sha256 sha1' > /var/lib/sigul/gnupg/gpg.conf

(This affects all keys managed by this sigul installation, but the default 1024-bit DSA keys can only use a 160-bit hash, so SHA-1 will be used for 1024-bit DSA keys, the same as if this preference were not set.) When signing RPMs, use (sigul sign-rpm --v3-signature ...), which passes --force-v3-sigs to rpm --addsign.
Our sign_unsigned code is now able to support the larger sigs. A 4096-bit RSA gpg key has been created for Fedora 11 Test and packages are currently being signed.
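A check for the migration described in this thread, added here as an example and not part of the ticket or of sigul: it classifies the signature an RPM actually carries so one can confirm that packages came out with RSA/SHA-256 rather than the old DSA/SHA-1. It assumes the "ALG/DIGEST, date, Key ID ..." string that rpm prints for the pgpsig format, that RSA signatures live in the SIGPGP tag and DSA ones in SIGGPG, and the sample key ID is constructed.

```shell
#!/bin/sh
# Classify an RPM's signature as strong (RSA + SHA-2), weak (SHA-1/MD5 digest),
# unsigned or unknown. Assumed pgpsig output format from rpm, e.g.
#   "RSA/SHA256, Tue 07 Apr 2009 10:00:00 AM UTC, Key ID 0123456789abcdef"
# (constructed sample; the key ID is not a real Fedora key).

# classify_pgpsig STRING -> prints: strong | weak | unsigned | unknown
classify_pgpsig() {
    case "$1" in
        ''|'(none)')                                  echo unsigned ;;
        'RSA/SHA256,'*|'RSA/SHA384,'*|'RSA/SHA512,'*) echo strong ;;
        'DSA/SHA1,'*|'RSA/SHA1,'*|'RSA/MD5,'*)        echo weak ;;
        *)                                            echo unknown ;;
    esac
}

# check_rpm_sig FILE.rpm -> prints a verdict line; exit status 0 only when the
# package carries an RSA/SHA-2 signature. SIGPGP holds RSA signatures (what the
# --force-v3-sigs macro above produces), SIGGPG holds the legacy DSA ones.
check_rpm_sig() {
    rsa=$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$1") || return 2
    dsa=$(rpm -qp --qf '%{SIGGPG:pgpsig}' "$1") || return 2
    sig=$rsa
    [ "$(classify_pgpsig "$rsa")" = unsigned ] && sig=$dsa
    verdict=$(classify_pgpsig "$sig")
    printf '%s: %s (%s)\n' "$1" "$verdict" "${sig:-no signature}"
    [ "$verdict" = strong ]
}

# Usage: sh check_rpm_sig.sh pkg1.rpm pkg2.rpm ...  (exit 1 if any package is
# not RSA/SHA-2 signed). Nothing runs when no arguments are given.
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do check_rpm_sig "$f" || status=1; done
    exit $status
fi
```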