RHEL-50218

dnf-4.20.0-4.el10 FTBFS with librepo ≥ 1.18.0-2.el10: FAIL: test_rawkey2infos

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.0.beta
    • rhel-10.0.beta
    • dnf
    • dnf-4.20.0-5.el10
    • Important
    • sst_cs_software_management
    • ssg_core_services
    • QE ack
    • Unspecified Release Note Type - Unknown

      dnf-4.20.0-4.el10 fails to build in RHEL 10 with librepo ≥ 1.18.0-2.el10 if the crypto policy differs from LEGACY:

      # update-crypto-policies --show
      DEFAULT
      [...]
      $ rhpkg --release rhel-10.0 local
      1: ======================================================================
      1: FAIL: test_rawkey2infos (tests.test_crypto.CryptoTest.test_rawkey2infos)
      1: ----------------------------------------------------------------------
      1: Traceback (most recent call last):
      1:   File "/home/test/rhel/dnf/dnf-4.20.0/tests/test_crypto.py", line 75, in test_rawkey2infos
      1:     self.assertEqual(info.userid, 'Dandy Fied <dnf@example.com>')
      1: AssertionError: '' != 'Dandy Fied <dnf@example.com>'
      1: + Dandy Fied <dnf@example.com>
      

      The trigger is upgrading librepo from 1.18.0-1.el10.x86_64 to 1.18.0-2.el10.x86_64. That new librepo build started to use rpm-sequoia, whose DEFAULT crypto policy disallows SHA-1:

      # grep sha1 /etc/crypto-policies/back-ends/sequoia.config 
      sha1.collision_resistance = "never"
      sha1.second_preimage_resistance = "never"
      

      It seems that GnuPG, which was used before, does not respect a global crypto policy.

      The root cause is the tests/keys/key.pub PGP key, which uses SHA-1 ("digest algo 2"):

      $ gpg --list-packets  tests/keys/key.pub 
      # off=0 ctb=99 tag=6 hlen=3 plen=269
      :public key packet:
              version 4, algo 1, created 1408534646, expires 0
              pkey[0]: [2048 bits]
              pkey[1]: [17 bits]
              keyid: 24362A8492530C8E
      # off=272 ctb=b4 tag=13 hlen=2 plen=28
      :user ID packet: "Dandy Fied <dnf@example.com>"
      # off=302 ctb=89 tag=2 hlen=3 plen=312
      :signature packet: algo 1, keyid 24362A8492530C8E
              version 4, created 1408534646, md5len 0, sigclass 0x13
      →       digest algo 2, begin of digest fc 65
              hashed subpkt 2 len 4 (sig created 2014-08-20)
              hashed subpkt 27 len 1 (key flags: 03)
              hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
              hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
              hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
              hashed subpkt 30 len 1 (features: 01)
              hashed subpkt 23 len 1 (keyserver preferences: 80)
              subpkt 16 len 8 (issuer key ID 24362A8492530C8E)
              data: [2048 bits]
      # off=617 ctb=b9 tag=14 hlen=3 plen=269
      :public sub key packet:
              version 4, algo 1, created 1408534646, expires 0
              pkey[0]: [2048 bits]
              pkey[1]: [17 bits]
              keyid: F9C8AB7D16A32B87
      # off=889 ctb=89 tag=2 hlen=3 plen=287
      :signature packet: algo 1, keyid 24362A8492530C8E
              version 4, created 1408534646, md5len 0, sigclass 0x18
              digest algo 2, begin of digest 34 bf
              hashed subpkt 2 len 4 (sig created 2014-08-20)
              hashed subpkt 27 len 1 (key flags: 0C)
              subpkt 16 len 8 (issuer key ID 24362A8492530C8E)
              data: [2046 bits]
      

      A proposed fix is to re-sign the user identity with a stronger digest algorithm.
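
Added example (not part of the original report, and not dnf or librepo code): a small OpenPGP packet walker that reports v4 signatures made with a weak digest, the same field gpg prints as "digest algo 2" above. The `stub_key` helper and its bytes are constructed for illustration, the reject list is an assumption, and the input is assumed to be dearmored binary key data.

```python
# Hash algorithm IDs from RFC 4880 section 9.4; gpg prints them as "digest algo N".
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}  # assumed reject list; the report only confirms SHA-1


def packets(data):
    """Yield (tag, body) for each OpenPGP packet in binary (dearmored) data."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header (ctb=99/b4/89 above)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            size = 1 << ltype               # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def weak_signatures(data):
    """Return (sigclass, hash name) for each v4 signature using a weak digest."""
    found = []
    for tag, body in packets(data):
        if tag == 2 and len(body) >= 4 and body[0] == 4:
            name = HASH_NAMES.get(body[3], "unknown-%d" % body[3])
            if name in WEAK:
                found.append((body[1], name))
    return found


# Constructed stub (not the real key): a user ID packet plus a truncated v4
# certification signature, using the old-format header bytes ctb=b4 and ctb=89.
def stub_key(hash_id, uid=b"Dandy Fied <dnf@example.com>"):
    sig = bytes([4, 0x13, 1, hash_id]) + b"\x00" * 6
    return bytes([0xB4, len(uid)]) + uid + bytes([0x89, 0, len(sig)]) + sig
```

Running `weak_signatures` over each key in a test suite or repository before switching the verification backend shows which self-signatures a SHA-1-rejecting policy would discard.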

            packaging-team-maint packaging-team-maint
            rhn-support-ppisar Petr Pisar
            packaging-team-maint packaging-team-maint
            Martin Banas Martin Banas