Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1, rhel-9.7
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q3
- Committed
- rn-yml

Fixed in Build:
crypto-policies-20250714-1.git95bf40e.el10
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-16330
sprint_count:
1

AssignedTeam:
rhel-security-crypto

Dev Target Milestone:
21
Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25August

Acceptance Criteria:

Hide

AC1) sequoia-policy-config from https://gitlab.com/sequoia-pgp/sequoia-policy-config/ validates the config

AC2) FIPS policy enables none of the "mlkem768-x25519", "mlkem1024-x448", "mldsa65-ed25519" or "mldsa87-ed448" for both sequoia and rpm-sequoia configs, lists them under ignore_invalid

AC3)All policies other than FIPS enable "mlkem768-x25519", "mlkem1024-x448", "mldsa65-ed25519" and "mldsa87-ed448" for both sequoia and rpm-sequoia configs, lists them under ignore_invalid

Show
AC1) sequoia-policy-config from https://gitlab.com/sequoia-pgp/sequoia-policy-config/ validates the config AC2) FIPS policy enables none of the "mlkem768-x25519", "mlkem1024-x448", "mldsa65-ed25519" or "mldsa87-ed448" for both sequoia and rpm-sequoia configs, lists them under ignore_invalid AC3)All policies other than FIPS enable "mlkem768-x25519", "mlkem1024-x448", "mldsa65-ed25519" and "mldsa87-ed448" for both sequoia and rpm-sequoia configs, lists them under ignore_invalid
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148296
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement:
Reason:
Result:

Show
Feature, enhancement: Reason: Result:
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

The sequoia follows crypto policies and without updating them, it will not be able to use the new PQ algorithms for signing, verification, encryption ...

What is the impact of this issue to you?

Inability to use PQC from sequoia tools and verify PQC signatures or RPMs.

Please provide the package NVR for which the bug is seen:

Tested with pre-release sequoia tools.

How reproducible is this bug?:

always

Steps to reproduce

Attempt to sign with sequoia using PQC

Expected results

Signature is performed

Actual results

Sequoia reports the PQC key is not signing capable.

The change has already landed in upstream:

https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/251

is cloned by

RHEL-103786 Update crypto policies to support PQC in rpm-sequoia [rhel-9]

Release Pending

links to

RHBA-2025:148296 crypto-policies bug fix and enhancement update

Assignee:: Alexander Sosedkin

Reporter:: Jakub Jelen

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2025/06/20 9:51 AM

Updated:: 2025/09/15 12:19 PM

Dev Target end:: 2025/07/21

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide