Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-112392

allow PQ algorithms in all rpm-sequoia crypto-policies

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • crypto-policies-20250905-1.gitc7eb7b2.el10_1
    • No
    • Moderate
    • 1
    • rhel-security-crypto
    • 30
    • 1
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25September
    • Approved Exception
    • Hide

      AC) MLKEM/MLDSA algorithms are allowed in all rpm-sequoia policies

      Show
      AC) MLKEM/MLDSA algorithms are allowed in all rpm-sequoia policies
    • Pass
    • Enabled
    • Automated
    • Known Issue
    • Hide
      (this might not be the right Release Note type, for the change itself is a workaround to another component misbehaving)

      Cause: rpm-sequoia currently fails verification of a package unless each and every signature algorithm is trusted
      Consequence: once we start signing RPMs with PQ algorithms, hosts which have them disabled won't be able to install RPMs
      Workaround: we've hardcoded PQ algorithms on for rpm-sequoia on crypto-policies level
      Result: PQ algorithms will be enabled for rpm-sequoia regardless of crypto-policies
      Note also: at some point in the future the change will be reverted, so if one is using custom (sub)policies and wants the algorithms trusted, they should enable them in their custom (sub)policy nonetheless to ensure a smooth future transition
      Show
      (this might not be the right Release Note type, for the change itself is a workaround to another component misbehaving) Cause: rpm-sequoia currently fails verification of a package unless each and every signature algorithm is trusted Consequence: once we start signing RPMs with PQ algorithms, hosts which have them disabled won't be able to install RPMs Workaround: we've hardcoded PQ algorithms on for rpm-sequoia on crypto-policies level Result: PQ algorithms will be enabled for rpm-sequoia regardless of crypto-policies Note also: at some point in the future the change will be reverted, so if one is using custom (sub)policies and wants the algorithms trusted, they should enable them in their custom (sub)policy nonetheless to ensure a smooth future transition
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      With current behaviour of RHEL-10.1, verification of dual-signed RPM packages fails if some of the algorithms is disabled in crypto-policies. To prevent breaking the system, we need to enable PQ algorithms in all rpm-sequoia crypto policies before the proper fix is introduced (see the epic for high level plan).

              asosedki@redhat.com Alexander Sosedkin
              szidek@redhat.com Stanislav Zidek
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: