Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.6
Component/s: dnf-plugins-core
Labels:

Fixed in Build:
dnf-plugins-core-4.3.0-22.el9
Severity:
Moderate
Epic Link:
SWM-3708
Keywords:

FutureFeature

AssignedTeam:
rhel-swm

Dev Target Milestone:
26
Internal Target Milestone:
26
Story Points:
8
ACKs Check:

QE ack, Dev ack
Target Version:

rhel-9.7
Blocked:
False
Ready:
False
Blocked Reason:

Hide

pqrpm dependency is ready. I'd like to try to add this DNF plugin into a regular release of RHEL 9.7.

Show
pqrpm dependency is ready. I'd like to try to add this DNF plugin into a regular release of RHEL 9.7.
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:
Hide

After installing python3-dnf-plugin-multisig package and having enabled a repository with postquantum-safe key and a package with RPMv6 signature made with the key:

"dnf install CORRECTLY_SIGNED_PACKAGE" will succeeds after (automatically or interactively) importing the key.

"dnf install INCORRECTLY_SIGNED_PACKAGE" will fail.

"dnf install UNSIGNED_PACKAGE" will fail.

Besides, installing packages with classical RPMv4 signature will behave with respect to signature verification as usual. The only acceptable side effect will be multiple import of classical singing key (once for system rpm, once for pqrpm).
Show
After installing python3-dnf-plugin-multisig package and having enabled a repository with postquantum-safe key and a package with RPMv6 signature made with the key: "dnf install CORRECTLY_SIGNED_PACKAGE" will succeeds after (automatically or interactively) importing the key. "dnf install INCORRECTLY_SIGNED_PACKAGE" will fail. "dnf install UNSIGNED_PACKAGE" will fail. Besides, installing packages with classical RPMv4 signature will behave with respect to signature verification as usual. The only acceptable side effect will be multiple import of classical singing key (once for system rpm, once for pqrpm).
Test Plan:
https://pkgs.devel.redhat.com/cgit/tests/dnf-plugins-core/tree/plans/errata.fmf
Git Pull Request:
https://github.com/rpm-software-management/dnf-plugins-core/pull/587, https://gitlab.com/redhat/centos-stream/rpms/dnf-plugins-core/-/merge_requests/52
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/147728
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.DNF can verify RPMv6 signatures on RPM packages

Quantum-safe cryptography guarantees integrity and origin of software. However, in quantum computing, standard asymmetric cryptography algorithms, such as RSA, are no longer relevant. With this update, you can use the new `multisig` DNF plugin to verify RPMv6 signatures on RPM packages, in addition to standard RPMv4 signatures. RPMv6 signatures can be based on quantum-safe algorithms, such as ML-DSA.

To verify RPMv6 signatures, you can install the `multisig` plugin through the `python3-dnf-plugin-multisig` RPM package.

NOTE: Successful verification is a prerequisite for installing, reinstalling, upgrading, or downgrading packages from a repository that has the `gpgcheck` option set to `True`.

Show
.DNF can verify RPMv6 signatures on RPM packages Quantum-safe cryptography guarantees integrity and origin of software. However, in quantum computing, standard asymmetric cryptography algorithms, such as RSA, are no longer relevant. With this update, you can use the new `multisig` DNF plugin to verify RPMv6 signatures on RPM packages, in addition to standard RPMv4 signatures. RPMv6 signatures can be based on quantum-safe algorithms, such as ML-DSA. To verify RPMv6 signatures, you can install the `multisig` plugin through the `python3-dnf-plugin-multisig` RPM package. NOTE: Successful verification is a prerequisite for installing, reinstalling, upgrading, or downgrading packages from a repository that has the `gpgcheck` option set to `True`.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Done
ProdDocsReview-QE:
Not Required

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

To support postquantum signatures in RHEL 9 DNF, an optional "multisig" DNF plugin will be added as python3-dnf-plugin-multisig RPM subpackage. This is a packaging activity for this https://github.com/rpm-software-management/dnf-plugins-core/pull/587 upstream feature.

This depends on adding "pqrpm" package into RHEL 9 as python3-dnf-plugin-multisig will run-require it.

depends on

RHEL-102336 Obsolete python3-dnf-plugin-multisig in RHEL 10

Release Pending

links to

RHBA-2025:147728 dnf-plugins-core bug fix and enhancement update

mentioned in: Page Loading...

Assignee:: Petr Pisar

Reporter:: Petr Pisar

Developer:: Petr Pisar

QA Contact:: Eva Mrakova

Doc Contact:: Mariya Pershina

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/06/25 2:18 PM

Updated:: 2025/10/06 1:48 PM

Dev Target end:: 2025/08/25

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide