Re: Intention to tighten RPM crypto-policy back

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote:
> > Hello,
> >
> > 6 months ago, there's been a F38 blocker:
> > Long story short:
> > RPM has moved to sequoia,
> > sequoia has started respecting crypto-policies,
> > Google repos have been signed with a 1024-bit DSA key,
> > Google Chrome was not installable => F38 blocker.
> > Back at the time, it's been hastily "resolved"
> > by relaxing RPM security through crypto-policies
> > just enough to tolerate that Google signature:
> >
> >
> >
> > Since then it has been brought to my attention that
> > Google has now added a 4096 bit RSA key
> >
> > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> >
> > Because of that, I'd like to revert that RPM policy relaxation
> >
> > in (f39) rawhide and align RPM security with the rest of the policy.
> >
> > Thoughts / feedback?
> It might be good to go through all the ones that were hit by this (it
> wasn't just chrome) and indicate if they are now fixed.
> You can see a partial list in the common bug:
> and in the discussion off it.

Whoa, that's too many, I suspect misreporting.
I seriously doubt they were all really using DSA-1024 and switched over.
But if that really was the case --- great job to all of them.

> The list from there:
>     Google Chrome (RPM signature rejected, repo key rejected)
Repo has added RSA-4096, RPM is signed with SHA-512, installs

>     Microsoft Edge (repo key rejected)
RSA-2048, RPM is signed with SHA-256, installs

>     Dropbox (repo key rejected)
RSA-2048, RPM is signed with SHA-512

>     Skype (repo key rejected)
RSA-2048 / SHA-512

>     Visual Studio Code (repo key rejected)
RSA-2048 / SHA-256 (let's name a package `code`. outstanding move)

>     Sublime Text (repo key rejected)
RSA-4096 / SHA-256

>     Microsoft Teams (repo key rejected)
RSA-2048, but
looks barren

>     TeamViewer (repo key rejected)
RSA-4096 / SHA-256
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux