RHEL: RHEL-145372

multisig plugin: Ignore signatures made with unsupported/disabled algorithms


    • dnf-plugins-core-4.3.0-26.el9
    • None
    • Important
    • rhel-swm
    • 25
    • 26
    • None
    • Dev ack
    • False
    • False
    • Required adjustments for pqrm component have not yet been implemented and no pqrpm issue exists for their implementation yet.
    • Yes
    • None
    • Provided python3-dnf-plugin-multisig is installed, signature verification is enabled for the given repository, and the package is correctly signed with the keys:

      • Installing a package that has a single signature whose algorithm is disabled in the global crypto policy causes DNF to reject the package.

      • Installing a package that has multiple signatures, some made with enabled algorithms and some with disabled ones, lets DNF accept the package.
    • Pass
    • New Test Coverage
    • Bug Fix
    • `multisig` no longer fails to install packages that use both supported and unsupported RPMv6 signing algorithms::
      Before this update, you could not install packages with signatures that used both supported and unsupported RPMv6 package signing algorithms. As a consequence, DNF rejected such packages when verifying their signatures because of the unsupported algorithms. With this update, the DNF `multisig` plugin ignores signatures classified as `NOTTRUSTED` in the `rpmkeys` command output. As a result, `multisig` can install packages that use both supported and unsupported signing algorithms.
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      pqrm's rpmkeys tool is going to ignore signatures made with unsupported algorithms. These signatures will be reported as NOTTRUSTED. The DNF multisig plugin needs to accommodate.
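The acceptance rule described in the description and in the verification criteria above, as an added illustration that is not code from dnf-plugins-core or from the multisig plugin. It assumes a simplified, constructed `rpmkeys`-style report in which every signature line ends in one of `OK`, `BAD`, `NOKEY` or `NOTTRUSTED`; the real `rpmkeys` output format, the algorithm names and the key IDs used below are all made up for the example. The `strict` policy models the pre-fix behaviour, `ignore_nottrusted` the fixed one.

```python
"""Model of the multisig signature-acceptance rule from RHEL-145372.

Added example, not the plugin's own code. The report format parsed here is a
constructed simplification of an rpmkeys verification report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class SigStatus(Enum):
    OK = "OK"
    BAD = "BAD"
    NOKEY = "NOKEY"
    NOTTRUSTED = "NOTTRUSTED"  # signature made with an unsupported/disabled algorithm


@dataclass(frozen=True)
class Signature:
    algorithm: str
    key_id: str
    status: SigStatus


# Assumed (constructed) line shape: "<algorithm> signature, key ID <hex>: <STATUS>"
_LINE_RE = re.compile(
    r"^\s*(?P<alg>\S+) signature, key ID (?P<key>[0-9a-f]+): "
    r"(?P<status>OK|BAD|NOKEY|NOTTRUSTED)\s*$"
)


def parse_report(text: str) -> list[Signature]:
    """Extract one Signature per recognised line; other lines are ignored."""
    sigs: list[Signature] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            sigs.append(Signature(m["alg"], m["key"], SigStatus(m["status"])))
    return sigs


def package_acceptable(sigs: list[Signature], policy: str = "ignore_nottrusted") -> bool:
    """Decide whether a package passes multisig verification.

    ignore_nottrusted: NOTTRUSTED signatures are dropped before judging, so a
    package with at least one verifiable, valid signature is accepted.
    strict: every signature must be OK (pre-fix behaviour), so a single
    NOTTRUSTED signature rejects the package.
    A package with no verifiable signature left is always rejected.
    """
    if policy == "ignore_nottrusted":
        considered = [s for s in sigs if s.status is not SigStatus.NOTTRUSTED]
    elif policy == "strict":
        considered = list(sigs)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not considered:
        return False
    return all(s.status is SigStatus.OK for s in considered)


# Constructed sample reports (algorithm names and key IDs are placeholders).
SINGLE_DISABLED = "EXAMPLE-PQ signature, key ID 9f8e7d6c5b4a3f2e: NOTTRUSTED\n"
MIXED = (
    "RSA/SHA256 signature, key ID 1a2b3c4d5e6f7a8b: OK\n"
    "EXAMPLE-PQ signature, key ID 9f8e7d6c5b4a3f2e: NOTTRUSTED\n"
)
ALL_OK = (
    "RSA/SHA256 signature, key ID 1a2b3c4d5e6f7a8b: OK\n"
    "RSA/SHA512 signature, key ID 0f1e2d3c4b5a6978: OK\n"
)
OK_AND_BAD = (
    "RSA/SHA256 signature, key ID 1a2b3c4d5e6f7a8b: OK\n"
    "RSA/SHA512 signature, key ID 0f1e2d3c4b5a6978: BAD\n"
)

if __name__ == "__main__":
    for name, report in [("single disabled", SINGLE_DISABLED), ("mixed", MIXED),
                         ("all ok", ALL_OK), ("ok + bad", OK_AND_BAD)]:
        sigs = parse_report(report)
        print(f"{name:16} strict={package_acceptable(sigs, 'strict')} "
              f"fixed={package_acceptable(sigs)}")
```

The two verification criteria map directly onto `SINGLE_DISABLED` (rejected under both policies) and `MIXED` (rejected under `strict`, accepted once `NOTTRUSTED` signatures are ignored). Note that ignoring `NOTTRUSTED` never weakens the check on the signatures that remain: a `BAD` signature still rejects the package, and a package whose only signatures are all `NOTTRUSTED` is rejected because nothing verifiable is left.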

      Petr Pisar (rhn-support-ppisar)
      Petr Pisar (rhn-support-ppisar)
      packaging-team-maint
      Jan Blazek
      Mariya Pershina