dcavalca / rpms / dnf

Forked from rpms/dnf 2 years ago
Clone

Blame SOURCES/0005-Lower-_pkgverify_level-to-signature-for-signature-checking-with-rpmkeys.patch

0d2313
From b05f4589e4afb69240ae2001246a5ffb5d6b1b90 Mon Sep 17 00:00:00 2001
0d2313
From: Aleš Matěj <amatej@redhat.com>
0d2313
Date: Thu, 3 Jun 2021 11:23:31 +0200
0d2313
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking with rpmkeys
0d2313
0d2313
We don't want to be veryfing digests as well when checking signatures.
0d2313
It would break legacy package installation in FIPS mode due to MD5
0d2313
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
0d2313
0d2313
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
0d2313
---
0d2313
 dnf/rpm/miscutils.py | 7 +++----
0d2313
 1 file changed, 3 insertions(+), 4 deletions(-)
0d2313
0d2313
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
0d2313
index 9d5b286..46ef475 100644
0d2313
--- a/dnf/rpm/miscutils.py
0d2313
+++ b/dnf/rpm/miscutils.py
0d2313
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
0d2313
         _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
0d2313
         return 2
0d2313
 
0d2313
-    # "--define=_pkgverify_level all" enforces signature checking;
0d2313
-    # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
0d2313
-    # are checked.
0d2313
+    # "--define=_pkgverify_level signature" enforces signature checking;
0d2313
+    # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
0d2313
     args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
0d2313
-            '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
0d2313
+            '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
0d2313
             '-')
0d2313
     with subprocess.Popen(
0d2313
             args=args,
0d2313
--
0d2313
libgit2 1.0.1
0d2313