From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001

From: Florian Festi <ffesti@redhat.com>

Date: Tue, 28 Jun 2022 12:50:54 +0200

Subject: [PATCH] Give warning on not supported hash for RSA keys

This can happen when old keys are used on systems that have disabled SHA1

e.g. for FIPS requirements.

This is less than ideal but there is currently no way to pass a meaningful

error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key

or NULL.

See rhbz#2069877

---

 rpmio/digest_openssl.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c

index a28a13acc..2ec5140f1 100644

--- a/rpmio/digest_openssl.c

+++ b/rpmio/digest_openssl.c

@@ -4,6 +4,7 @@

 #include <openssl/rsa.h>

 #include <openssl/dsa.h>

 #include <rpm/rpmpgp.h>

+#include <rpm/rpmlog.h>

 #include "rpmio/digest.h"

@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,

     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));

     if (ret < 0) {

+	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));

         rc = 1;

         goto done;

     }

-- 

2.36.1