On 9/27/23 20:37, Alexander Sosedkin wrote:
> On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin
> <asosed...@redhat.com> wrote:
> >
> > Hello,
> >
> > 6 months ago there was an F38 blocker: https://pagure.io/fesco/issue/2960
> > Long story short:
> > RPM has moved to sequoia,
> > sequoia has started respecting crypto-policies,
> > Google repos have been signed with a 1024-bit DSA key,
> > Google Chrome was not installable => F38 blocker.
> > Back at the time, it was hastily "resolved"
> > by relaxing RPM security through crypto-policies
> > just enough to tolerate that Google signature:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> >
> > Since then it has been brought to my attention that
> > Google has now added a 4096-bit RSA key
> > https://www.google.com/linuxrepositories/
> > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> >
> > Because of that, I'd like to revert that RPM policy relaxation
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > in (f39) rawhide and align RPM security with the rest of the policy.
> >
> > Thoughts / feedback?
>
> OK, I've messed up.
>
> Clemens Lang has kindly pointed me at a flaw in my testing.
> Basically, nothing is as rosy as I've previously shown
> because of SHA-1 signatures in the keys.
> In fact, even Chrome can't be installed with the change properly reverted.
> Guess I'll have to shelve the wide discussion for a while, we aren't ready. =(


AIUI the current issue with Chrome is more that they still include the old SHA-1 based key in their repo along with the newer one in a way that confuses rpm.

        - Panu -
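The two failure modes this thread circles around are visible in the key material itself: a primary key that is only 1024-bit DSA, and signature packets made with SHA-1, both of which a verifier that follows crypto-policies will reject. Panu's point that the repo ships the old SHA-1-era key alongside the new one is the same check applied per key. The script below is an added example, not code from this thread, from RPM, sequoia or crypto-policies: a small Python parser for RFC 4880 packet framing that, given a binary public-key blob, reports each primary key's algorithm and size and the hash algorithm of every signature packet, then flags what an example policy would refuse. The thresholds (`MIN_BITS`, `WEAK_HASHES`) are this example's own assumptions, not a transcription of any crypto-policies back-end, and the two sample keys at the bottom are constructed in the code (valid packet framing with dummy numbers, not real keys), so it runs offline.

```python
"""Audit an OpenPGP public-key blob (binary, e.g. the output of `gpg --dearmor`)
for weak key sizes and MD5/SHA-1 signature packets. Minimal RFC 4880 framing
parser; sample keys below are constructed (dummy numbers, not real keys)."""
import struct

PK_ALGO = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGO = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
MPI_FIRST_ALGOS = {1, 2, 3, 16, 17}          # algorithms whose first field is an MPI
WEAK_HASHES = {"MD5", "SHA1"}                # assumed policy, not a crypto-policies transcript
MIN_BITS = {"RSA": 2048, "DSA": 2048}        # assumed policy, not a crypto-policies transcript


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % off)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[off + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[off + 2:off + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[off + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[off + 1:off + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[off + 1:off + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[off + hdr:off + hdr + length]
        off += hdr + length


def parse_public_key(body: bytes):
    """v4 public-key packet: version, 4-byte creation time, algorithm, key material.
    For RSA/DSA/ElGamal the first MPI (n or p) carries the key size in its bit count."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    algo_id = body[5]
    bits = struct.unpack(">H", body[6:8])[0] if algo_id in MPI_FIRST_ALGOS else None
    return PK_ALGO.get(algo_id, "algo-%d" % algo_id), bits


def parse_signature(body: bytes):
    """v4 signature packet: version, signature type, public-key algo, hash algo, ..."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    return body[1], HASH_ALGO.get(body[3], "hash-%d" % body[3])


def audit_keyring(data: bytes) -> list:
    """One report per primary key (tag 6). Signature packets attach to the most
    recent primary key, so a file carrying an old and a new key yields two reports."""
    reports = []
    for tag, body in iter_packets(data):
        if tag == 6:
            algo, bits = parse_public_key(body)
            reports.append({"pubkey": algo, "bits": bits, "sig_hashes": [], "issues": []})
        elif tag == 2 and reports:
            reports[-1]["sig_hashes"].append(parse_signature(body)[1])
    for r in reports:
        need = MIN_BITS.get(r["pubkey"])
        if need and r["bits"] is not None and r["bits"] < need:
            r["issues"].append("%s key is %d bits (< %d)" % (r["pubkey"], r["bits"], need))
        for h in sorted(set(r["sig_hashes"]) & WEAK_HASHES):
            r["issues"].append("signature packet uses %s" % h)
    return reports


# --- constructed sample keys: valid packet framing, dummy numbers, not real keys ---
def _packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one- or two-octet body length."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body

def _mpi(value: int) -> bytes:
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def _pubkey(algo: int, *mpis: int) -> bytes:
    return _packet(6, bytes([4, 0, 0, 0, 0, algo]) + b"".join(_mpi(m) for m in mpis))

def _sig(pk_algo: int, hash_algo: int) -> bytes:
    # v4, type 0x13 (positive certification), empty subpacket areas, zero left16, dummy MPIs
    return _packet(2, bytes([4, 0x13, pk_algo, hash_algo]) + b"\x00" * 6 + _mpi(1) + _mpi(1))

DSA1024_SHA1_KEY = _pubkey(17, 1 << 1023, 1 << 159, 2, 3) + _packet(13, b"constructed dsa") + _sig(17, 2)
RSA4096_SHA256_KEY = _pubkey(1, 1 << 4095, 65537) + _packet(13, b"constructed rsa") + _sig(1, 8)

if __name__ == "__main__":
    # A blob holding both keys, like a repo that ships the old key next to the new one
    for r in audit_keyring(DSA1024_SHA1_KEY + RSA4096_SHA256_KEY):
        print(r["pubkey"], r["bits"], r["issues"] or "ok")
```

To run it against a downloaded repo key, dearmor it first (`gpg --dearmor`) and pass the bytes to `audit_keyring`; the parser stops at packet framing and algorithm identifiers, it does not verify any signature, so a clean report only means the key is not rejected on size or digest grounds.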