RHEL / RHEL-4184

qt6-qtbase implements and/or uses the deprecated SHA-1 algorithm by default


      The use of SHA-1 in RHEL9 is deprecated. This package has been found to implement and/or use SHA-1. If possible, please attempt to resolve this issue before the RHEL-9 beta deadline. See below for details.

      The use of SHA-1 is no longer permitted for Digital Signatures or authentication. There are a few exceptions to this rule, such as for some legacy protocols. These restrictions are enforced by the system wide crypto policies in RHEL-9, provided the core set of validated crypto libraries such as openssl, nss or gnutls, are used.

      To avoid your package breaking due to SHA-1 being disabled via the System Wide Crypto Policies, please ensure that the use of SHA-1 is disabled wherever possible. If this is not possible, please explain why this is the case.

      • If SHA-1 is used for Digital Signatures or authentication, where possible replace it with SHA-2. If this is not possible, please contact the rhel-crypto team.
      • If SHA-1 is used for signatures, ensure it is only used for signature validation. Prevent the code from generating new SHA-1 based signatures.
      • If SHA-1 is part of any default configuration list of hashing methods, please remove it from the default configuration list. Add SHA-2 if there would otherwise be no defaults left.
      • If SHA-1 is used for any other purpose, such as generating unique object IDs, switch to SHA-2 when possible. If this is not possible, attempt to limit the creation of further SHA-1 based identifiers and only use SHA-1 to consume existing object identifiers. This will make it easier to remove SHA-1 in the future.
      • If this package implements DNSSEC validation code, please ensure that a failure of SHA-1 results in "insecure DNS answers" and does not fail using ServFail.
      • If this package requires SHA-1 for Digital Signature verification, please create a documentation file (e.g. README-SHA1.md) with documentation to assist the rhel-crypto team in future reviews. For example, a mail program that wants to be able to validate emails sent 10 years ago would need to be able to keep using SHA-1.
      • If your package uses a protocol that dictates the use of SHA-1 for Signature validation or authentication, and there is no standardized alternative, please contact the rhel-crypto team for an exception.
      • Note that all of these recommendations for SHA-1 also apply to MD5. Feel free to apply the SHA-1 rules to any MD5 implementation or usage as well.

      For any further questions, please contact the RHEL crypto team at rhel-crypto@redhat.com.

      Package specific details:

      • Contains SHA-1 implementation
      • Many uses of SHA-1 including providing it in generic hash API
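      The following is an added example, not code from qt6-qtbase or from the rhel-crypto team, showing the migration pattern the list above asks for when SHA-1 is exposed through a generic hash API and used for object identifiers: SHA-1 and MD5 are removed from the default algorithm list, new identifiers are only minted with SHA-2, existing SHA-1 identifiers are still consumed (and each such use is logged), and a helper re-keys a verified legacy identifier to SHA-256. Python's hashlib stands in for the package's own hash API, and the "algorithm:hex" identifier format is a constructed convention for the example.

```python
"""Added example (not qt6-qtbase code): SHA-1 consume-only migration pattern.
hashlib stands in for the package's generic hash API; the "algo:hex"
identifier format is a constructed convention for this example."""
import hashlib
import hmac
import logging

log = logging.getLogger("sha1-migration")

# Default hash choices offered to callers: SHA-1 (and MD5) removed, SHA-2 present.
DEFAULT_ALGORITHMS = ("sha256", "sha512")
# Deprecated algorithms: still *consumed* so existing identifiers remain
# resolvable, but never used to *produce* anything new.
LEGACY_VERIFY_ONLY = ("sha1", "md5")


def new_object_id(data: bytes, algorithm: str = DEFAULT_ALGORITHMS[0]) -> str:
    """Mint an identifier for new data. Refuses deprecated algorithms."""
    if algorithm in LEGACY_VERIFY_ONLY:
        raise ValueError(f"{algorithm} is deprecated and may not create new identifiers")
    if algorithm not in DEFAULT_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def matches_object_id(data: bytes, object_id: str) -> bool:
    """Check data against an existing identifier.

    Deprecated algorithms are accepted here, and only here, so identifiers
    minted by older releases stay readable; each such use is logged to give
    an audit trail that shows when SHA-1 can finally be dropped."""
    algorithm, _, expected_hex = object_id.partition(":")
    if algorithm in LEGACY_VERIFY_ONLY:
        log.warning("consuming deprecated %s identifier", algorithm)
    elif algorithm not in DEFAULT_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time compare: do not leak how many digest characters matched.
    return hmac.compare_digest(actual, expected_hex)


def migrate_object_id(data: bytes, object_id: str) -> str:
    """Re-key a legacy identifier to SHA-2 once the data has been verified
    against it. Identifiers already using a default algorithm are returned
    unchanged, so the call is safe to apply to every stored identifier."""
    if not matches_object_id(data, object_id):
        raise ValueError("data does not match the supplied identifier")
    algorithm = object_id.partition(":")[0]
    if algorithm in LEGACY_VERIFY_ONLY:
        return new_object_id(data)
    return object_id


if __name__ == "__main__":
    # Constructed sample: an identifier minted by an older release with SHA-1.
    payload = b"example object contents"
    legacy_id = "sha1:" + hashlib.sha1(payload).hexdigest()
    print("legacy id still resolves:", matches_object_id(payload, legacy_id))
    print("re-keyed id:", migrate_object_id(payload, legacy_id))
    try:
        new_object_id(payload, "sha1")
    except ValueError as exc:
        print("refused:", exc)
```

      The split between the minting and the checking path is the point: callers who need to read old data get a single, logged entry point, while nothing in the package can produce a fresh SHA-1 identifier even if a caller asks for it by name.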

              Jan Grulich (jgrulich@redhat.com)
              Paul Wouters (pwouters, Inactive)
              Jan Grulich
              Tomas Pelka