RHEL-112730

dnf: Ignore signatures made with unsupported/disabled algorithms

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-10.2
    • rhel-10.1
    • dnf
    • Important
    • rhel-swm
      Provided that signature verification is enabled for the given repository and the package is correctly signed with the keys:

      • Installing a package which has a single signature whose algorithm is disabled in the global crypto policy will cause DNF to reject that package.
      • Installing a package which has multiple signatures, where some of the algorithms are enabled and some are disabled, will let DNF accept that package.
    • New Test Coverage
    • Release Note Type: Bug Fix
      DNF no longer fails to install packages that use both supported and unsupported signing algorithms:
      Before this update, you could not install packages with signatures that used both supported and unsupported package signing algorithms. As a consequence, DNF rejected such packages when verifying their signatures because of the unsupported algorithms. With this update, DNF ignores signatures classified as `NOTTRUSTED` in the `rpmkeys` command output. As a result, DNF can install packages that use both supported and unsupported signing algorithms.

      rpmkeys is going to ignore signatures made with unsupported algorithms. These signatures are reported with the "NOTFOUND" keyword in rpmkeys output.

      DNF now handles NOTFOUND as "the package is not signed". With the advent of multiple signatures and your explanation, DNF will need to handle it as "the package has an unsupported signature" and count OK signatures to distinguish various cases. Or start ignoring NOTFOUND and handling exit code 1.

      The new RPM library now classifies those packages as NOTTRUSTED instead of NOTFOUND.
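As an added example (not DNF's own code and not attached to this issue), the acceptance rule stated in the description and the release note, applied to rpmkeys -Kv style output in Python. The transcripts below are constructed, and the per-signature line layout `..., key ID <id>: <RESULT>` is assumed to match what rpmkeys -Kv prints.

```python
# Added example, not DNF's code: decide acceptance from rpmkeys -Kv output while
# ignoring signatures classified NOTTRUSTED (algorithm disabled by crypto policy).
# Assumption: every signature result is on its own line, ending in ": <RESULT>".
import re

SIG_LINE = re.compile(r"^\s*(?P<desc>.*\bSignature\b.*?):\s*(?P<result>[A-Z]+)\s*$")


def signature_results(rpmkeys_output: str) -> list[str]:
    """RESULT keyword of every signature line; header/payload digest lines are skipped."""
    return [m.group("result")
            for line in rpmkeys_output.splitlines()
            if (m := SIG_LINE.match(line))]


def verdict(rpmkeys_output: str) -> str:
    """Mirror the rule from the issue: one OK signature is enough, NOTTRUSTED is ignored,
    a package whose only signatures are NOTTRUSTED is rejected, NOTFOUND counts as unsigned."""
    results = signature_results(rpmkeys_output)
    if "BAD" in results:                      # never accept a failing signature
        return "reject: bad signature"
    if "OK" in results:                       # a supported, valid signature exists
        return "accept"
    if "NOKEY" in results:                    # rpmkeys keyword: signing key not imported
        return "reject: signing key not imported"
    if results and all(r == "NOTTRUSTED" for r in results):
        return "reject: only unsupported-algorithm signatures"
    return "reject: unsigned"                 # NOTFOUND (older rpm) or no signature lines


# Constructed rpmkeys -Kv transcripts; key IDs and algorithms are made up for illustration.
SINGLE_DISABLED = """\
    Header V3 DSA/SHA1 Signature, key ID 0123abcd: NOTTRUSTED
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
MIXED = """\
    Header V3 DSA/SHA1 Signature, key ID 0123abcd: NOTTRUSTED
    Header V4 RSA/SHA256 Signature, key ID 89ef4567: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
OLD_RPM = """\
    Header V3 DSA/SHA1 Signature, key ID 0123abcd: NOTFOUND
    Header SHA256 digest: OK
"""

if __name__ == "__main__":
    for name, out in [("single disabled", SINGLE_DISABLED), ("mixed", MIXED), ("old rpm", OLD_RPM)]:
        print(f"{name}: {verdict(out)}")
```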

              Petr Pisar (rhn-support-ppisar)
              packaging-team-maint
              Software Management QE
              Mariya Pershina