dnf/SOURCES/0005-Lower-_pkgverify_level...

From 185330e5d5f5e07f40ed08c706fd997abffd5e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
Date: Thu, 3 Jun 2021 11:23:31 +0200
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking
 with rpmkeys

We don't want to be veryfing digests as well when checking signatures.
It would break legacy package installation in FIPS mode due to MD5
digest being unverifiable (see https://access.redhat.com/solutions/5221661)

Follow up for https://github.com/rpm-software-management/dnf/pull/1753
---
 dnf/rpm/miscutils.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
index 9d5b2860..46ef4754 100644
--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
         _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
         return 2
 
-    # "--define=_pkgverify_level all" enforces signature checking;
-    # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
-    # are checked.
+    # "--define=_pkgverify_level signature" enforces signature checking;
+    # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
     args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
-            '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
+            '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
             '-')
     with subprocess.Popen(
             args=args,
-- 
2.35.1
import dnf-4.7.0-10.el8 2022-05-27 00:10:35 +00:00			`From 185330e5d5f5e07f40ed08c706fd997abffd5e78 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>`
import dnf-4.7.0-3.el8 2021-08-24 22:25:19 +00:00			`Date: Thu, 3 Jun 2021 11:23:31 +0200`
import dnf-4.7.0-10.el8 2022-05-27 00:10:35 +00:00			`Subject: [PATCH] Lower _pkgverify_level to signature for signature checking`
			`with rpmkeys`
import dnf-4.7.0-3.el8 2021-08-24 22:25:19 +00:00
			`We don't want to be veryfing digests as well when checking signatures.`
			`It would break legacy package installation in FIPS mode due to MD5`
			`digest being unverifiable (see https://access.redhat.com/solutions/5221661)`

			`Follow up for https://github.com/rpm-software-management/dnf/pull/1753`
			`---`
			`dnf/rpm/miscutils.py \| 7 +++----`
			`1 file changed, 3 insertions(+), 4 deletions(-)`

			`diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py`
import dnf-4.7.0-10.el8 2022-05-27 00:10:35 +00:00			`index 9d5b2860..46ef4754 100644`
import dnf-4.7.0-3.el8 2021-08-24 22:25:19 +00:00			`--- a/dnf/rpm/miscutils.py`
			`+++ b/dnf/rpm/miscutils.py`
			`@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):`
			`_logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))`
			`return 2`

			`- # "--define=_pkgverify_level all" enforces signature checking;`
			`- # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests`
			`- # are checked.`
			`+ # "--define=_pkgverify_level signature" enforces signature checking;`
			`+ # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.`
			`args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',`
			`- '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',`
			`+ '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',`
			`'-')`
			`with subprocess.Popen(`
			`args=args,`
import dnf-4.7.0-10.el8 2022-05-27 00:10:35 +00:00			`--`
			`2.35.1`
import dnf-4.7.0-3.el8 2021-08-24 22:25:19 +00:00