RHEL-101952: Rebase rpm-sequoia to include PQC and support for OpenPGP v6


    • rust-rpm-sequoia-1.9.0.1-1.el10
    • Important
    • rhel-security-crypto
    • Crypto25July
    • Verification steps:
      1. rpm verifies packages with both (correct) PQ and RSA signatures
      2. rpm fails verification if either the PQ or the RSA signature key is not trusted
      3. rpm fails verification if both the PQ and the RSA signatures are corrupted
    • Pass
    • Automated
    • Feature
    • Release note:
      .Sequoia PGP updated to support OpenPGP v6

      With this update, the `sequoia-sq` and `sequoia-sqv` utilities can handle post-quantum cryptography (PQC) keys. The `rpm-sequoia` package now supports verification of OpenPGP v6 signatures. As a result, you can use quantum-resistant digital signatures conforming to the Commercial National Security Algorithm Suite (CNSA) 2.0 standard.

      What were you trying to do that didn't work?

      rpm-sequoia cannot handle PQC keys, or OpenPGP v6 keys in general

      What is the impact of this issue to you?

      We cannot verify PQC OpenPGP v6 signatures on RPMs, which CNSA 2.0 requires

      Please provide the package NVR for which the bug is seen:

      rpm-sequoia-1.6.0

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Install rpm-sequoia (installed by default)
      2. Try to verify an RPM signature made with OpenPGP v6 keys (for example, one from the rust-sequoia-sq/Sanity/Signing-rpm test)
      3. rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm

      Expected results

      ...
      Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK

      Actual results

      ...
      Header OpenPGP V6 Ed25519/SHA512 signature, key ID 0e00df3ed2d7b65e: BAD
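A checker for the per-signature lines that `rpmkeys -Kv` prints, added here as an example and not part of this issue or of rpm-sequoia. It encodes the verification steps listed above: the package passes only when every signature line (PQ/v6 and RSA alike) reports OK, and a BAD or NOKEY on either signature fails it. The v6 lines follow the output quoted in the report; the RSA line, its key ID and the `verify_rpm_signatures` wrapper are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or of rpm-sequoia.
# Parses the per-signature lines of `rpmkeys -Kv` output (format taken from the
# lines quoted in the report) and applies the issue's verification steps:
# pass only when every signature line (PQ/v6 and RSA alike) reports OK; a BAD
# or NOKEY on either signature, or no signature line at all, fails the package.

# Reads `rpmkeys -Kv` output on stdin. Exit 0 = all signatures OK, 1 otherwise.
# Failing lines are echoed so the reader sees which signature was rejected.
check_rpmkeys_output() {
  awk -F': ' '
    /[Ss]ignature, key/ {
      total++
      if ($NF == "OK") ok++; else printf "FAILED: %s\n", $0
    }
    END {
      printf "signatures: %d, ok: %d\n", total, ok
      rc = (total > 0 && ok == total) ? 0 : 1
      exit rc
    }
  '
}

# Wrapper for a real package; assumes rpmkeys is on PATH (not invoked here).
verify_rpm_signatures() {
  rpmkeys -Kv "$1" | check_rpmkeys_output
}

# Constructed samples. The v6 lines copy the format and fingerprint/key ID from
# the report; the RSA line and its key ID are assumed companions.
SAMPLE_PASS='Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK
Header OpenPGP V4 RSA/SHA256 signature, key ID 0123456789abcdef: OK
Header SHA256 digest: OK'

SAMPLE_BAD='Header OpenPGP V6 Ed25519/SHA512 signature, key ID 0e00df3ed2d7b65e: BAD
Header OpenPGP V4 RSA/SHA256 signature, key ID 0123456789abcdef: OK'

SAMPLE_NOKEY='Header OpenPGP V6 Ed25519/SHA512 signature, key fingerprint: 036824f0ac60aed6f1a3256f88190469f6d7255e3d8e41c577233aa03e0bb9d3: OK
Header OpenPGP V4 RSA/SHA256 signature, key ID 0123456789abcdef: NOKEY'
```

`rpmkeys` itself already exits nonzero on a failed check; the value of parsing its lines is an explicit record of which of the two signatures (PQ or RSA) was rejected and why.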

People: Jakub Jelen (jjelen@redhat.com), Stanislav Zidek, Mirek Jahoda