On 9/27/23 20:37, Alexander Sosedkin wrote:
On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin
<asosedkin@xxxxxxxxxx> wrote:
Hello,
6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
Long story short:
RPM has moved to sequoia,
sequoia has started respecting crypto-policies,
Google repos have been signed with a 1024-bit DSA key,
Google Chrome was not installable => F38 blocker.
Back at the time, it's been hastily "resolved"
by relaxing RPM security through crypto-policies
just enough to tolerate that Google signature:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
Since then it has been brought to my attention that
Google has now added a 4096 bit RSA key
https://www.google.com/linuxrepositories/
(EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
Because of that, I'd like to revert that RPM policy relaxation
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
in (f39) rawhide and align RPM security with the rest of the policy.
Thoughts / feedback?
OK, I've messed up.
Clemens Lang has kindly pointed me at a flaw in my testing.
Basically, nothing is as rosy as I've previously shown
because of SHA-1 signatures in the keys.
In fact, even Chrome can't be installed with the change properly reverted.
Guess I'll have to shelve the wide discussion for a while, we aren't ready. =(
AIUI the current issue with Chrome is more that they still include the
old SHA-1 based key in their repo along with the newer one in a way that
confuses rpm.
- Panu -
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue