On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilliams@xxxxxxxxx> wrote: > > On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote: > > Cryptographic policies will be tightened in Fedora 38-39, > > SHA-1 signatures will no longer be trusted by default. > > Fedora 37 specifically doesn't come with any change of defaults, > > and this Fedora Change is an advance warning filed for extra visibility. > > Test your setup with FUTURE today and file bugs so you won't get bit > > by Fedora 38-39. > > [snip] > > In case you want some feedback, Thank you for taking time to do that. > > Install crypto-policies-scripts package and switch to a more restrictive policy > > with either `update-crypto-policies --set FUTURE` > > or `update-crypto-policies --set TEST-FEDORA39`. > > > > Proceed to use the system as usual, > > identify the workflows which are broken by this change. > > I did that and several days later I did: > > $ sudo dnf upgrade --enablerepo=updates-testing > Errors during downloading metadata for repository 'fedora': > - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&countme=3 [SSL certificate problem: CA certificate key too weak] > - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate problem: CA certificate key too weak] > Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate problem: CA certificate key too weak] > > > Verify that the broken functionality works again > > if you the policy is relaxed back > > with, e.g., `update-crypto-policies --set FUTURE:SHA-1`, > > This was a problem: > > $ sudo update-crypto-policies --set FUTURE:SHA-1 > Unknown policy `SHA-1`: file `SHA-1.pmod` not found in (., policies/modules, /etc/crypto-policies/policies/modules, /usr/share/crypto-policies/policies/modules) > > That seems like a typo. Indeed, thanks for spotting. Fixed in two places. > After looking in > /usr/share/crypto-policies/policies/modules, I tried again with: > > $ sudo update-crypto-policies --set FUTURE:SHA1 > Setting system policy to FUTURE:SHA1 > > But that didn't get me back. I got the same error doing dnf upgrade. > > I had to do: > > $ sudo update-crypto-policies --set DEFAULT > > to get back to dnf working again. > > > file bug reports against the affected components if not filed already. > > I really don't know what "component" to use filing a bug. Yeah, that seems like a case when the service administrator is the one to be notified. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
