Hi, > On 28. Sep 2023, at 14:06, Panu Matilainen <pmatilai@xxxxxxxxxx> wrote: > > On 9/27/23 20:37, Alexander Sosedkin wrote: >> >> In fact, even Chrome can't be installed with the change properly reverted. >> Guess I'll have to shelve the wide discussion for a while, we aren't ready. =( > > AIUI the current issue with Chrome is more that they still include the old SHA-1 based key in their repo along with the newer one in a way that confuses rpm. Yes, I think that’s what’s happening here. Alex filed https://bugzilla.redhat.com/2241019 about this. I think the importer should be modified to attempt to import all keys in a file and ignore those that fail. The other alternative is that all keys should be imported regardless of whether they will be considered usable for verification, and verification of RPMs will later fail if those keys are used. -- Clemens Lang RHEL Crypto Team Red Hat _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
