Re: F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 31, 2022 at 08:59:28AM +0200, Petr Pisar wrote:
> V Tue, May 31, 2022 at 08:07:57AM +0200, Alexander Sosedkin napsal(a):
> > On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilliams@xxxxxxxxx> wrote:
> > > On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote:
> > > > Cryptographic policies will be tightened in Fedora 38-39,
> > > > SHA-1 signatures will no longer be trusted by default.
> > > > Fedora 37 specifically doesn't come with any change of defaults,
> > > > and this Fedora Change is an advance warning filed for extra visibility.
> > > > Test your setup with FUTURE today and file bugs so you won't get bit
> > > > by Fedora 38-39.
> > > >
> > > After looking in
> > > /usr/share/crypto-policies/policies/modules, I tried again with:
> > >
> > >     $ sudo update-crypto-policies --set FUTURE:SHA1
> > >     Setting system policy to FUTURE:SHA1
> > >
> > > But that didn't get me back.  I got the same error doing dnf upgrade.
> > >
> > > I had to do:
> > >
> > >     $ sudo update-crypto-policies --set DEFAULT
> > >
> > > to get back to dnf working again.
> > >
> > > > file bug reports against the affected components if not filed already.
> > >
> > > I really don't know what "component" to use filing a bug.
> > 
> > Yeah, that seems like a case when
> > the service administrator is the one to be notified.
> 
> Reported to <https://pagure.io/fedora-infrastructure/issue/10737>. The real
> cause is not SHA-1. It's a 2048-bit RSA key of an intermediate certificate.

Right. This has been reported before: 
https://bugzilla.redhat.com/show_bug.cgi?id=1832292

As far as I can tell, we can't get a digicert cert that doesn't use
2048bit CA or intermediate. I think they do offer better/different, but
those are reserved for the EV certs which require a bunch of validation
of your business (which fedoraproject isn't). 

We might be able to replace it with a letsencrypt cert, I've not looked
to see if they have moved to a higher bit CA/intermediate yet. 

But even with that, do note that lots and lots and lots of other
websites will not work at all either, so I don't think setting FUTURE
is too great a experence right now. ;(

kevin

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux