[Rpm-maint] [rpm-software-management/rpm] Ignore unknown signature algorithms in verification (Issue #4101)

Jakub Jelen notifications at github.com
Wed Feb 4 18:08:48 UTC 2026


Jakuje left a comment (rpm-software-management/rpm#4101)

I started writing some tests with ML-DSA keys and signed RPMs that are not supported in Fedora now. Currently, the import of the key fails for me like this:
```
error: Certificate not trusted: Ignoring
Certificate AED054589CBF8584:
  Policy rejects AED054589CBF8584: No binding signature at time 2026-02-04T15:25:26Z
error: /data/keys/unknown/rpm.org-v6-mldsa87-test.asc: key 1 import failed.
```
I think it is ok to report that the key is not understood by the tooling.

For the RPMs signed with MLDSA + RSA (with rpm-software-management/rpm-sequoia#105) I get the following:
```
 /data/RPMS/hello-2.0-1.x86_64-signed-mldsa87.rpm:
     Header OpenPGP V4 RSA/SHA512 signature, key fingerprint: 771b18d3d7baa28734333c424344591e1964c5fc: OK
-    Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 Signature, key ID db11ab41d7ae9cd3: NOTTRUSTED
+    Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 signature, key ID db11ab41d7ae9cd3: NOKEY
     Header SHA256 digest: OK
     Payload SHA256 digest: OK
```
The NOKEY response makes the whole verification fail. I think we should want to get the NOTTRUSTED variant though. ~But the problem (I think) is that the crypto policies in this case list these as known and acceptable (which is probably my fault, I included them in Fedora policies before backporting the changes to RHEL):~

~https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/tests/outputs/DEFAULT-rpm-sequoia.txt?ref_type=heads#L59~

~We should likely remove them from the crypto policies until we have this working in sequoia. I tried to remove the algorithm from the crypto policies in a test, but it did not change anything. Unfortunately, I did not get any lints in the above output. Am I missing something?~

Edit: Obviously, sequoia probably does not understand these keys at all, so it just ignores them in the policy file and changing it does not make sense. Therefore it looks like the policy check in sequoia accepts unknown algorithms or the logic in rpm-sequoia just lets it fall through somehow. Will dig into that.

Thoughts?

The changes I tested with are in https://github.com/Jakuje/rpm/commits/tests-untrusted-nokey/

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4101#issuecomment-3848424401

Message ID: <rpm-software-management/rpm/issues/4101/3848424401 at github.com>
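An added example, not code from the issue, rpm or rpm-sequoia: it parses `rpm -Kv` style output like the lines quoted in the comment and applies the verdict the comment argues for (NOKEY and BAD are fatal, NOTTRUSTED is reported but does not fail the package), while flagging every signature whose public-key algorithm is outside an assumed set of locally understood algorithms. The sample outputs and the `KNOWN_PK_ALGOS` set are constructed assumptions.

```python
import re
from dataclasses import dataclass
# Constructed samples: the two outputs the comment contrasts, the current behaviour
# (NOKEY) and the wanted one (NOTTRUSTED) for the ML-DSA signature.
SAMPLE_NOKEY = """\
/data/RPMS/hello-2.0-1.x86_64-signed-mldsa87.rpm:
    Header OpenPGP V4 RSA/SHA512 signature, key fingerprint: 771b18d3d7baa28734333c424344591e1964c5fc: OK
    Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 signature, key ID db11ab41d7ae9cd3: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
SAMPLE_NOTTRUSTED = SAMPLE_NOKEY.replace("NOKEY", "NOTTRUSTED")
FATAL, WARN = {"BAD", "NOKEY"}, {"NOTTRUSTED"}  # rpm fails on the first set, only reports the second
KNOWN_PK_ALGOS = {"RSA", "DSA", "EDDSA", "ECDSA"}  # assumption: algorithms the local tooling understands
SIG_RE = re.compile(r"OpenPGP V\d (?P<algo>\S+) signature", re.IGNORECASE)

@dataclass
class Check:
    kind: str    # "signature" or "digest"
    algo: str    # e.g. "RSA/SHA512", "ML-DSA-87+Ed448/SHA512", "SHA256"
    status: str  # OK, NOKEY, NOTTRUSTED, BAD, ...

def parse(text):
    """Map each package path to the list of checks rpm printed under it."""
    results, current = {}, []  # lines before any package path land in a throwaway list
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):  # unindented path line
            current = results.setdefault(line[:-1], [])
            continue
        what, _, status = line.rpartition(": ")  # status is always the last field
        if m := SIG_RE.search(what):
            current.append(Check("signature", m.group("algo"), status))
        elif what.endswith("digest"):
            current.append(Check("digest", what.split()[1], status))
    return results

def verdict(checks, known=KNOWN_PK_ALGOS):
    """(passes, notes): BAD/NOKEY are fatal, NOTTRUSTED only warns, unknown algorithms are flagged."""
    passes, notes = True, []
    for c in checks:
        pk = c.algo.split("/")[0]
        if c.kind == "signature" and pk.upper() not in known:
            notes.append(f"unknown signature algorithm {pk} reported as {c.status}")
        if c.status in FATAL or c.status in WARN:
            passes = passes and c.status not in FATAL
            notes.append(f"{c.kind} {c.algo}: {c.status}")
    return passes, notes
```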