On Tue, Sep 26, 2023 at 6:23 PM Alexander Sosedkin <asosedkin@xxxxxxxxxx> wrote:
>
> On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >
> > On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote:
> > > Hello,
> > >
> > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> > > Long story short:
> > > RPM has moved to sequoia,
> > > sequoia has started respecting crypto-policies,
> > > Google repos have been signed with a 1024-bit DSA key,
> > > Google Chrome was not installable => F38 blocker.
> > > Back at the time, it's been hastily "resolved"
> > > by relaxing RPM security through crypto-policies
> > > just enough to tolerate that Google signature:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> > >
> > > Since then it has been brought to my attention that
> > > Google has now added a 4096 bit RSA key
> > > https://www.google.com/linuxrepositories/
> > > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> > >
> > > Because of that, I'd like to revert that RPM policy relaxation
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > > in (f39) rawhide and align RPM security with the rest of the policy.
> > >
> > > Thoughts / feedback?
> >
> > It might be good to go through all the ones that were hit by this (it
> > wasn't just chrome) and indicate if they are now fixed.
> > You can see a partial list in the common bug:
> >
> > https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
> >
> > and in the discussion off it.
>
> Whoa, that's too many, I suspect misreporting.
> I seriously doubt they were all really using DSA-1024 and switched over.
> But if that really was the case --- great job to all of them.
>
>
> The list from there:
> > Google Chrome (RPM signature rejected, repo key rejected)
> Repo has added RSA-4096, RPM is signed with SHA-512, installs
>
> > Microsoft Edge (repo key rejected)
> RSA-2048, RPM is signed with SHA-256, installs
>
> > Dropbox (repo key rejected)
> RSA-2048, RPM is signed with SHA-512
>
> > Skype (repo key rejected)
> RSA-2048 / SHA-512
>
> > Visual Studio Code (repo key rejected)
> RSA-2048 / SHA-256 (let's name a package `code`. outstanding move)
>
> > Sublime Text (repo key rejected)
> RSA-4096 / SHA-256
>
> > Microsoft Teams (repo key rejected)
> RSA-2048, but https://packages.microsoft.com/yumrepos/ms-teams/repodata
> looks barren

I believe MS has end-of-lifed the dedicated Linux Teams app and possibly viewer and only supports the web app now.

> > TeamViewer (repo key rejected)
> RSA-4096 / SHA-256
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
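
Added example, not part of the thread and not Fedora or RPM code: one way to repeat the key survey above is to parse `gpg --show-keys --with-colons` output for each repo key and flag keys below a minimum size. The sample records, key IDs, fingerprints and the 2048-bit thresholds are constructed assumptions; the real limits are whatever the active crypto-policy sets.

```python
# Audit OpenPGP keys by algorithm and size, from GnuPG colon-format output:
#   gpg --show-keys --with-colons REPO-KEY.asc
# Public-key algorithm numbers follow RFC 4880 (1 = RSA, 16 = ElGamal, 17 = DSA).
ALGOS = {"1": "RSA", "16": "ElGamal", "17": "DSA"}

# Assumed minimums for illustration only; not read from crypto-policies.
MIN_BITS = {"RSA": 2048, "DSA": 2048}

# Constructed sample: a legacy DSA-1024 key with an encryption subkey,
# followed by a replacement RSA-4096 key. IDs and fingerprints are placeholders.
SAMPLE = """\
pub:-:1024:17:1111111111111111:1173385030:::-:::scSC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1173385030::0000::Constructed Vendor (legacy) <legacy@example.invalid>::::::::::0:
sub:-:2048:16:2222222222222222:1173385031::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:4096:1:3333333333333333:1681000000:::-:::scSC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1681000000::0000::Constructed Vendor (current) <current@example.invalid>::::::::::0:
"""


def audit(colon_text, min_bits=MIN_BITS):
    """Return one finding per primary key (pub) or subkey (sub) record."""
    findings = []
    for line in colon_text.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # not a record this audit understands
        if f[0] in ("pub", "sub"):
            algo = ALGOS.get(f[3], "algo-" + f[3])
            bits = int(f[2])
            floor = min_bits.get(algo)
            findings.append({
                "type": f[0], "algo": algo, "bits": bits, "keyid": f[4],
                "fingerprint": None,
                # None: no threshold defined here for this algorithm
                "ok": None if floor is None else bits >= floor,
            })
        elif f[0] == "fpr" and findings and findings[-1]["fingerprint"] is None:
            # An fpr record belongs to the key record just before it
            findings[-1]["fingerprint"] = f[9]
    return findings


def weak_keys(colon_text):
    """Keys that fall below the assumed minimum for their algorithm."""
    return [k for k in audit(colon_text) if k["ok"] is False]


if __name__ == "__main__":
    for k in audit(SAMPLE):
        print(k["type"], k["algo"], k["bits"], k["fingerprint"], k["ok"])
```

Subkeys are listed too because a repository may sign with a subkey rather than the primary key.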