RHEL / RHEL-101952

Rebase rpm-sequoia to include PQC and support for OpenPGP v6


    • rust-rpm-sequoia-1.9.0.1-1.el10
    • No
    • Important
    • 1
    • rhel-security-crypto
    • 23
    • 1
    • False
    • False
    • Yes
    • Crypto25July
      1. rpm verifies packages with both (correct) PQ and RSA signatures
      2. rpm fails verification if either PQ or RSA signature key is not trusted
      3. rpm fails verification if both the PQ and RSA signatures are corrupted
    • Pass
    • Automated
    • Feature
      Feature, enhancement: Add support for Post Quantum Cryptography
      Reason: To support CNSA 2.0, we need to sign and verify software using PQC algorithms.
      Result: The updated Sequoia-PGP tools support PQC and can be used to sign and verify (not only) software in RHEL
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      rpm-sequoia cannot handle PQC keys, or OpenPGP v6 keys in general

      What is the impact of this issue to you?

      We cannot verify PQC OpenPGP v6 signatures on RPMs, which CNSA 2.0 requires

      Please provide the package NVR for which the bug is seen:

      rpm-sequoia-1.6.0

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install rpm-sequoia (installed by default)
      2. Try to verify an RPM signed with OpenPGP v6 keys (for example the one from the rust-sequoia-sq/Sanity/Signing-rpm test)
      3. rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm

      Expected results

      ...
      Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK

      Actual results

      ...
      Header OpenPGP V6 Ed25519/SHA512 signature, key ID 0e00df3ed2d7b65e: BAD
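A policy check over `rpmkeys -Kv` output that enforces the three test scenarios listed above (every signature must report OK, a BAD or NOKEY result rejects, and fewer signatures than expected rejects), added here as an example; it is not part of the ticket or of rpm-sequoia. The sample output lines are constructed after the ticket's expected and actual results, and the RSA key ID in them is a placeholder.

```shell
#!/bin/sh
# verify_sigs REQUIRED OUTPUT
# OUTPUT is the text printed by `rpmkeys -Kv <pkg>`. Returns 0 only when
# every "... signature, ...: <status>" line reports OK and at least
# REQUIRED such lines are present, so a package carrying only one of the
# expected (PQ, RSA) signatures, a BAD (corrupted) signature, or a NOKEY
# (untrusted key) result is rejected. Digest lines are ignored.
verify_sigs() {
    required=$1
    sigs=0
    failed=0
    while IFS= read -r line; do
        case "$line" in
            *[Ss]ignature,*)
                sigs=$((sigs + 1))
                case "$line" in
                    *": OK") ;;
                    *) failed=$((failed + 1))
                       printf 'reject: %s\n' "$line" >&2 ;;
                esac
                ;;
        esac
    done <<EOF
$2
EOF
    [ "$failed" -eq 0 ] && [ "$sigs" -ge "$required" ]
}

# Constructed sample output modelled on the ticket. The v6 fingerprint and
# key ID are the ones quoted there; the RSA key ID is a placeholder.
GOOD_OUTPUT='/tmp/hello-2.0-1.x86_64.rpm:
    Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK
    Header V4 RSA/SHA256 signature, key ID 0000000000000000: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
BAD_OUTPUT='/tmp/hello-2.0-1.x86_64.rpm:
    Header OpenPGP V6 Ed25519/SHA512 signature, key ID 0e00df3ed2d7b65e: BAD
    Header V4 RSA/SHA256 signature, key ID 0000000000000000: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
ONE_SIG_OUTPUT='/tmp/hello-2.0-1.x86_64.rpm:
    Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

# The ticket's failing case: the v6 signature reports BAD, so reject.
if verify_sigs 2 "$BAD_OUTPUT"; then echo accepted; else echo rejected; fi
```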

              Jakub Jelen (jjelen@redhat.com), Stanislav Zidek, Mirek Jahoda