RHEL-111245

rpm --import mldsa87.pub fails in FIPS (crypto-policies)


    • crypto-policies-20250905-1.gitc7eb7b2.el10_1
    • Moderate
    • ZStream
    • rhel-security-crypto-spades
    • Crypto25September
    • Approved Blocker

      In FIPS mode, RPM is not able to import an MLDSA-87 public key, so verification of RPMs will start failing once we ship dual-signed packages.

      Reproducer: https://gitlab.com/redhat/rhel/tests/rust-rpm-sequoia/-/tree/48a463b8fb48a49c901d54c4bfc426525c53b32e/Integration/rpm-before-RHEL10

      The relevant fix in rpm-sequoia will be in RHEL-110994, but without enabling these algorithms in crypto policies, it will not work.

      I think the scope should basically be a revert of the following MR we did a couple of months back:

      https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/253

      (We can consider enabling only `MLDSA87-ED448`, though, as it is the one required for CNSA 2.0.)
