dnf/SOURCES/0005-Lower-_pkgverify_level-to-signature-for-signature-ch.patch

38 lines
1.6 KiB
Diff
Raw Permalink Normal View History

2022-11-08 06:57:27 +00:00
From 185330e5d5f5e07f40ed08c706fd997abffd5e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
2021-11-09 09:55:53 +00:00
Date: Thu, 3 Jun 2021 11:23:31 +0200
2022-11-08 06:57:27 +00:00
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking
with rpmkeys
2021-11-09 09:55:53 +00:00
We don't want to be veryfing digests as well when checking signatures.
It would break legacy package installation in FIPS mode due to MD5
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
---
dnf/rpm/miscutils.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
2022-11-08 06:57:27 +00:00
index 9d5b2860..46ef4754 100644
2021-11-09 09:55:53 +00:00
--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
_logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
return 2
- # "--define=_pkgverify_level all" enforces signature checking;
- # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
- # are checked.
+ # "--define=_pkgverify_level signature" enforces signature checking;
+ # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
- '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
+ '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
'-')
with subprocess.Popen(
args=args,
2022-11-08 06:57:27 +00:00
--
2.35.1
2021-11-09 09:55:53 +00:00