On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote:
> Cryptographic policies will be tightened in Fedora 38-39,
> SHA-1 signatures will no longer be trusted by default.
> Fedora 37 specifically doesn't come with any change of defaults,
> and this Fedora Change is an advance warning filed for extra visibility.
> Test your setup with FUTURE today and file bugs so you won't get bit
> by Fedora 38-39.
[snip]
In case you want some feedback,
> Install crypto-policies-scripts package and switch to a more restrictive
> policy
> with either `update-crypto-policies --set FUTURE`
> or `update-crypto-policies --set TEST-FEDORA39`.
>
> Proceed to use the system as usual,
> identify the workflows which are broken by this change.
I did that and several days later I did:
$ sudo dnf upgrade --enablerepo=updates-testing
Errors during downloading metadata for repository 'fedora':
- Curl error (60): SSL peer certificate or SSH remote key was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&countme=3
[SSL certificate problem: CA certificate key too weak]
- Curl error (60): SSL peer certificate or SSH remote key was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL
certificate problem: CA certificate key too weak]
Error: Failed to download metadata for repo 'fedora': Cannot prepare
internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key
was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL
certificate problem: CA certificate key too weak]
> Verify that the broken functionality works again
> if you the policy is relaxed back
> with, e.g., `update-crypto-policies --set FUTURE:SHA-1`,
This was a problem:
$ sudo update-crypto-policies --set FUTURE:SHA-1
Unknown policy `SHA-1`: file `SHA-1.pmod` not found in (.,
policies/modules, /etc/crypto-policies/policies/modules,
/usr/share/crypto-policies/policies/modules)
That seems like a typo. After looking in
/usr/share/crypto-policies/policies/modules, I tried again with:
$ sudo update-crypto-policies --set FUTURE:SHA1
Setting system policy to FUTURE:SHA1
But that didn't get me back. I got the same error doing dnf upgrade.
I had to do:
$ sudo update-crypto-policies --set DEFAULT
to get back to dnf working again.
> file bug reports against the affected components if not filed already.
I really don't know what "component" to use filing a bug.
--
Garry T. Williams
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
