You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This came up while discussing obsolete algorithms in OpenPGP signatures but applies to other aspects of rpm too:
The enforcing package verification introduced in 4.14.2 should additionally support configurable policy for allowed algorithms (both on plain hashes and signatures). This way, old packages with weak algorithms can still be queried, the hashes and signatures can still be verified (a negative result from verification is a red flag even from a weak algo) but to be installable (and pass signature checking), those data need to be considered trustworthy (ie non-weak algorithms used).
Crypto libraries may have some ways to query appropriate settings (but dunno), additionally there should be macro overrides.
The text was updated successfully, but these errors were encountered:
This came up while discussing obsolete algorithms in OpenPGP signatures but applies to other aspects of rpm too:
The enforcing package verification introduced in 4.14.2 should additionally support configurable policy for allowed algorithms (both on plain hashes and signatures). This way, old packages with weak algorithms can still be queried, the hashes and signatures can still be verified (a negative result from verification is a red flag even from a weak algo) but to be installable (and pass signature checking), those data need to be considered trustworthy (ie non-weak algorithms used).
Crypto libraries may have some ways to query appropriate settings (but dunno), additionally there should be macro overrides.
The text was updated successfully, but these errors were encountered: