RHEL-112730

Ignore signatures made with unsupported/disabled algorithms


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-10.1
    • dnf
      Provided that key verification is enabled for the given repository and the package is correctly signed with the keys:

      • Installing a package that has a single signature whose algorithm is disabled in the global crypto policy causes DNF to reject the package.
      • Installing a package that has multiple signatures, some using enabled algorithms and some using disabled ones, lets DNF accept the package.
    • New Test Coverage
    • Bug Fix
      Cause: Installing a package for which some signature algorithms are not supported, while other signatures are valid and use supported algorithms.
      Consequence: DNF rejected that package when verifying its signatures.
      Fix: DNF was changed to ignore signatures classified as NOTFOUND in rpmkeys output.
      Result: DNF can install packages which use a mix of supported and unsupported signing algorithms.

      rpmkeys is going to ignore signatures made with unsupported algorithms. These signatures are reported with the "NOTFOUND" keyword in rpmkeys output.

      DNF now handles NOTFOUND as "the package is not signed". With the advent of multiple signatures and your explanation, DNF will need to handle it as "the package has an unsupported signature" and count OK signatures to distinguish the various cases. Or start ignoring NOTFOUND and handling exit code 1.
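      The decision described above, as an added example that is not DNF's own code: it parses `rpmkeys -Kv`-style "<what>: <STATUS>" lines, treats NOTFOUND as "unsupported algorithm" rather than "unsigned", and accepts when at least one signature is OK. The line shape is modelled on rpmkeys output, but the sample outputs and key IDs are constructed placeholders, and the exit-code handling is an assumption.

```python
import re
from collections import Counter

# Matches the "<what>: <STATUS>" result lines of `rpmkeys -Kv`. Signature
# lines contain the word "Signature"; digest lines do not.
RESULT_LINE = re.compile(r"^(?P<what>.+): (?P<status>\S+)$")

def parse_rpmkeys(output):
    """Return (Counter of signature statuses, list of non-OK digest lines)."""
    sigs, other_failures = Counter(), []
    for raw in output.splitlines():
        m = RESULT_LINE.match(raw.strip())
        if not m:
            continue
        what, status = m.group("what"), m.group("status")
        if "Signature" in what:
            sigs[status] += 1
        elif status != "OK":
            other_failures.append(raw.strip())
    return sigs, other_failures

def verdict(output, returncode):
    """NOTFOUND means 'unsupported algorithm', not 'unsigned'; one OK signature
    beside NOTFOUND ones is enough to accept. Exit code is only consulted when
    the output itself shows no failure (assumption: NOTFOUND alone may yield 1)."""
    sigs, other_failures = parse_rpmkeys(output)
    if other_failures:
        return "reject: digest failure"
    bad = sorted(s for s in sigs if s not in ("OK", "NOTFOUND"))
    if bad:
        return "reject: bad signature (%s)" % ", ".join(bad)
    if sigs["OK"]:
        return "accept"
    if sigs["NOTFOUND"]:
        return "reject: only unsupported signature algorithms"
    if returncode != 0:
        return "reject: rpmkeys exited %d without a parsable failure" % returncode
    return "reject: package is not signed"

# Constructed samples; key IDs are placeholders, not real keys.
MIXED = """\
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header V4 DSA/SHA1 Signature, key ID 4567ef01: NOTFOUND
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
ONLY_UNSUPPORTED = """\
    Header V4 DSA/SHA1 Signature, key ID 4567ef01: NOTFOUND
    Header SHA256 digest: OK
"""
UNSIGNED = "    Header SHA256 digest: OK\n    Payload SHA256 digest: OK\n"
```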

              rhn-support-ppisar Petr Pisar
              packaging-team-maint packaging-team-maint
              Software Management QE Software Management QE