[Rpm-maint] [rpm-software-management/rpm] RFE: add configurable algorithm policies to enforcing verification (Issue #1816)

Panu Matilainen notifications at github.com
Wed Nov 3 13:53:19 UTC 2021


This came up while discussing obsolete algorithms in OpenPGP signatures but applies to other aspects of rpm too:

The enforcing package verification introduced in 4.14.2 should additionally support configurable policy for allowed algorithms (both on plain hashes and signatures). This way, old packages with weak algorithms can still be queried, the hashes and signatures can still be verified (a negative result from verification is a red flag even from a weak algo) but to be installable (and pass signature checking), those data need to be considered trustworthy (ie non-weak algorithms used).

Crypto libraries may have some ways to query appropriate settings (but dunno), additionally there should be macro overrides.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1816
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20211103/a0736707/attachment-0001.html>


More information about the Rpm-maint mailing list