On Tue, 2023-02-28 at 09:10 +0100, Ralf Corsépius wrote: > Hi, > > on f38, I am unable to install any locally built package (signed with a > local key, I have been using for many years): "Many years" is likely the problem. It's probably using SHA-1 or DSA. See, for e.g., https://bugzilla.redhat.com/show_bug.cgi?id=2170878 . Those are now known to be insecure. That bug covers some awkward problems with widely-used third parties still using insecure keys to sign their packages, which likely means this will get put off (one way or another) to at least Fedora 39. But for your own locally built packages, which are under your control, you can solve it permanently right now: generate a new key using a secure algorithm, and re-sign your packages with that. > What are people supposed to do? See above. -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx https://www.happyassassin.net _______________________________________________ test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
