From b05f4589e4afb69240ae2001246a5ffb5d6b1b90 Mon Sep 17 00:00:00 2001
From: Aleš Matěj <amatej@redhat.com>
Date: Thu, 3 Jun 2021 11:23:31 +0200
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking with rpmkeys
We don't want to be verifying digests as well when checking signatures.
It would break legacy package installation in FIPS mode due to MD5
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
---
dnf/rpm/miscutils.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
index 9d5b286..46ef475 100644
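--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
 _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
 return 2
 
- # "--define=_pkgverify_level all" enforces signature checking;
- # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
- # are checked.
+ # "--define=_pkgverify_level signature" enforces signature checking;
+ # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
 args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
- '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
+ '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
 '-')
 with subprocess.Popen(
 args=args,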
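Review bot: The rewritten comment above `args` no longer says why digests are left out of the enforced level, so a later reader could restore `all` as a hardening step and reintroduce the FIPS failure described in the commit message. I would record the reason in the code, e.g. `# Digests are deliberately not enforced: legacy packages carry MD5 digests that cannot be verified in FIPS mode.` With the level lowered, package integrity on this path rests on the signature alone, so the output handling after `Popen` must keep treating a missing or unverifiable signature as a failure; that code is outside the hunk and should be confirmed. `_verifyPackageUsingRpmkeys` starts and ends outside the hunk.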
--
libgit2 1.0.1