RHEL-112700

rpm: ignore signatures made by disabled algorithms (RHEL-9)


    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-9.8
    • rhel-9.7
    • pqrpm
    • pqrpm-4.19.1.1-6.el9
    • No
    • Moderate
    • rhel-swm
    • 23
    • None
    • False
    • False
    • None
    • Yes
    • None
    • Signature verification should pass if (and only if):

      • at least one good signature is present, and
      • no bad signature is present

      A good signature is one that:

      • Verifies against the package
      • Uses an algorithm that's enabled in the crypto-policies
      • Has a public key (a.k.a. certificate) imported in the rpm keyring (rpmdb by default)

      Note: The above only applies to signature-enforcing mode, that is, when %_pkgverify_level is set to signature or all. The default setting on RHEL is digest.

      Signatures using algorithms disabled in crypto-policies count as neither good nor bad; they are simply ignored when determining the overall verification result. They are still shown as NOTTRUSTED in the rpmkeys output, though.

      More details: https://docs.google.com/document/d/1XMLDgDi6jMPaJNH_vrU5V-BrYbQNs0qmNOnwQBjQE6w/edit?tab=t.0

    • Pass
    • New Test Coverage
    • Bug Fix
    • Cause:
      Consequence:
      Fix:
      Result:
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      During package installation, RPM signatures made with algorithms that are disabled or unknown in crypto-policies should be ignored (see the epic for a more complete picture).

      Further cases are described in https://docs.google.com/document/d/1XMLDgDi6jMPaJNH_vrU5V-BrYbQNs0qmNOnwQBjQE6w/edit?tab=t.0#heading=h.z4wqfmvf7up7, but these seem to work well for now.
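      The verification rule stated in this ticket (pass if and only if at least one good signature is present and no bad signature is present, with disabled-algorithm signatures ignored, and only in signature-enforcing %_pkgverify_level mode) is small enough to restate as executable logic so its edge cases can be checked. The following is an added model written for this page, not rpm's own code: the Signature record, the algorithm and key names, and the fixtures are constructed; treating an enabled-algorithm signature that is not good (failed check or key not in the keyring) as bad, and reducing digest checking to one boolean, are assumptions of the model rather than statements from the ticket.

```python
"""Model of the RPM signature verification rule described in RHEL-112700.

Added example, not rpm's own code: it restates the stated policy as
executable logic so the edge cases (disabled algorithm, missing key,
mixed results, non-enforcing %_pkgverify_level) can be checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One signature on a package (constructed record, not rpm's structures)."""
    algo: str        # algorithm name as crypto-policies would see it
    key_id: str      # id of the signing key
    verifies: bool   # does the signature check out against the package


def classify(sig, enabled_algos, keyring):
    """Return 'ignored', 'good' or 'bad' for one signature.

    A signature made with an algorithm disabled in crypto-policies is
    ignored before anything else is considered, so it can never make
    the overall result bad on its own (it would still show as NOTTRUSTED
    in rpmkeys output).
    """
    if sig.algo not in enabled_algos:
        return "ignored"
    if sig.verifies and sig.key_id in keyring:
        return "good"
    # Assumption of this model: an enabled-algorithm signature that is not
    # good (fails to verify, or its key is not in the keyring) counts as bad.
    return "bad"


def verify(signatures, enabled_algos, keyring, pkgverify_level="digest", digests_ok=True):
    """Overall verdict plus the per-signature classification.

    The signature rule only applies in signature-enforcing mode
    (%_pkgverify_level = signature or all). 'digest' (the RHEL default)
    and 'none' do not require any signature. Digest checking is reduced
    to a single boolean here (assumption of the model).
    """
    verdicts = [classify(s, enabled_algos, keyring) for s in signatures]
    if pkgverify_level in ("digest", "all") and not digests_ok:
        return False, verdicts
    if pkgverify_level in ("signature", "all"):
        has_good = any(v == "good" for v in verdicts)
        has_bad = any(v == "bad" for v in verdicts)
        return has_good and not has_bad, verdicts
    return True, verdicts


# Constructed fixtures: SHA-1 based signatures disabled by policy, one trusted key.
ENABLED_ALGOS = {"rsa-sha256", "ed25519"}
KEYRING = {"KEY-A"}

SIGS_LEGACY_PLUS_MODERN = [Signature("rsa-sha1", "KEY-A", True),
                           Signature("rsa-sha256", "KEY-A", True)]
SIGS_ONLY_DISABLED = [Signature("rsa-sha1", "KEY-A", True)]
SIGS_GOOD_AND_UNKNOWN_KEY = [Signature("rsa-sha256", "KEY-A", True),
                             Signature("rsa-sha256", "KEY-B", True)]


def run_cases(level):
    """Evaluate the three fixtures at a given %_pkgverify_level."""
    return {
        "legacy+modern": verify(SIGS_LEGACY_PLUS_MODERN, ENABLED_ALGOS, KEYRING, level)[0],
        "only-disabled": verify(SIGS_ONLY_DISABLED, ENABLED_ALGOS, KEYRING, level)[0],
        "good+unknown-key": verify(SIGS_GOOD_AND_UNKNOWN_KEY, ENABLED_ALGOS, KEYRING, level)[0],
    }


if __name__ == "__main__":
    for level in ("digest", "signature"):
        print(level, run_cases(level))
```

      In signature-enforcing mode the package carrying both a SHA-1 and a SHA-256 signature passes (the SHA-1 one is ignored, the SHA-256 one is good), the package with only a SHA-1 signature fails (nothing good remains once it is ignored), and the package with a good signature plus one from an unknown key fails under this model's assumption that the unknown-key signature is bad. With the RHEL default of digest, none of the three is rejected on signature grounds, which is why the ticket notes that the rule only matters for signature or all.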

              mdomonko@redhat.com Michal Domonkos
              szidek@redhat.com Stanislav Zidek
              packaging-team-maint
              Software Management QE
              Mariya Pershina
              Votes: 0
              Watchers: 9