Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: Generate New Ti...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.7
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q3
- rn-yml

Fixed in Build:
crypto-policies-20250905-1.git377cc42.el9_7
Regression:
No
Severity:
Moderate
Epic Link:
CRYPTO-17826
sprint_count:
1

AssignedTeam:
rhel-security-crypto-spades

Internal Target Milestone:
30
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25September
Release Blocker:
Approved Exception

Acceptance Criteria:

Hide

AC) MLKEM/MLDSA algorithms are allowed in all rpm-sequoia policies

Show
AC) MLKEM/MLDSA algorithms are allowed in all rpm-sequoia policies
Preliminary Testing:
Requested
Errata Link:
https://errata.devel.redhat.com/advisory/150605
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Known Issue
Release Note Text:

Hide
.PQC for `rpm-sequoia` is always enabled in `crypto-policies`

In RHEL 10.1, the `rpm-sequoia` fails to verify dual-signed RPM packages if one of the algorithms used for signing is disabled in system-wide cryptographic policies. This problem is common on systems that have post-quantum (PQ) algorithms disabled and cannot install packages signed with both classic and PQ cryptography.

To prevent breaking the system, the enablement of PQ algorithms for `rpm-sequoia` is hardcoded on the `crypto-policies` level. As a result, PQ algorithms for `rpm-sequoia` are enabled regardless of any settings in `crypto-policies`.

Show
.PQC for `rpm-sequoia` is always enabled in `crypto-policies` In RHEL 10.1, the `rpm-sequoia` fails to verify dual-signed RPM packages if one of the algorithms used for signing is disabled in system-wide cryptographic policies. This problem is common on systems that have post-quantum (PQ) algorithms disabled and cannot install packages signed with both classic and PQ cryptography. To prevent breaking the system, the enablement of PQ algorithms for `rpm-sequoia` is hardcoded on the `crypto-policies` level. As a result, PQ algorithms for `rpm-sequoia` are enabled regardless of any settings in `crypto-policies`.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

With current behaviour of RHEL-9.7 pqrpm, verification of dual-signed RPM packages fails if some of the algorithms is disabled in crypto-policies.

To prevent breaking the system, we need to enable PQ algorithms in all rpm-sequoia crypto policies before the proper fix is introduced (see the epic for high level plan).

blocks

RHEL-112701 remove workaround for allowing PQ signatures in all rpm-sequoia crypto-policies (RHEL-9)

Planning

links to

RHBA-2025:150605 crypto-policies bug fix and enhancement update

Assignee:: Alexander Sosedkin

Reporter:: Stanislav Zidek

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/09/03 1:02 PM

Updated:: 2025/11/11 11:24 AM

Resolved:: 2025/11/11 11:24 AM

Target end:: 2025/09/22

Next Planned Release Date:: 2025/11/11

Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates