On Tue, May 31, 2022 at 08:59:28AM +0200, Petr Pisar wrote: > V Tue, May 31, 2022 at 08:07:57AM +0200, Alexander Sosedkin napsal(a): > > On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilli...@gmail.com> > > wrote: > > > On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote: > > > > Cryptographic policies will be tightened in Fedora 38-39, > > > > SHA-1 signatures will no longer be trusted by default. > > > > Fedora 37 specifically doesn't come with any change of defaults, > > > > and this Fedora Change is an advance warning filed for extra visibility. > > > > Test your setup with FUTURE today and file bugs so you won't get bit > > > > by Fedora 38-39. > > > > > > > After looking in > > > /usr/share/crypto-policies/policies/modules, I tried again with: > > > > > > $ sudo update-crypto-policies --set FUTURE:SHA1 > > > Setting system policy to FUTURE:SHA1 > > > > > > But that didn't get me back. I got the same error doing dnf upgrade. > > > > > > I had to do: > > > > > > $ sudo update-crypto-policies --set DEFAULT > > > > > > to get back to dnf working again. > > > > > > > file bug reports against the affected components if not filed already. > > > > > > I really don't know what "component" to use filing a bug. > > > > Yeah, that seems like a case when > > the service administrator is the one to be notified. > > Reported to <https://pagure.io/fedora-infrastructure/issue/10737>. The real > cause is not SHA-1. It's a 2048-bit RSA key of an intermediate certificate.
Right. This has been reported before: https://bugzilla.redhat.com/show_bug.cgi?id=1832292 As far as I can tell, we can't get a digicert cert that doesn't use 2048bit CA or intermediate. I think they do offer better/different, but those are reserved for the EV certs which require a bunch of validation of your business (which fedoraproject isn't). We might be able to replace it with a letsencrypt cert, I've not looked to see if they have moved to a higher bit CA/intermediate yet. But even with that, do note that lots and lots and lots of other websites will not work at all either, so I don't think setting FUTURE is too great a experence right now. ;( kevin
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
