From 00a583016dbeacdbe0839f5bf4d7322bef4cdd7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 31 Mar 2022 15:00:40 +0200
Subject: [PATCH] Disable altogether SHA-1 support Crypto policy DEFAULT and FIPS would never pass on any name signed by RSASHA1 or under such zone. Make all those signatures insecure regardless on policy. It would make it insecure even in cases where it were not mandatory, but would not fail with SERVFAIL in any crypto-policy setting.
Resolves: rhbz#2070495
---
 unbound.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/unbound.spec b/unbound.spec
index e07bbea..172744a 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -37,7 +37,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.13.1
-Release: 12%{?extra_version:.%{extra_version}}%{?dist}
+Release: 13%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -213,7 +213,7 @@ cp -a %{dir_primary} %{dir_secondary}
 --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
 --enable-sha2 --disable-gost --enable-ecdsa \\\
 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
- --enable-linux-ip-local-port-range
+ --enable-linux-ip-local-port-range --disable-sha1
 pushd %{dir_primary}
@@ -463,6 +463,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Thu Mar 31 2022 Petr Menšík - 1.13.1-13
+- Disable SHA-1 support (#2070495)
 * Fri Feb 11 2022 Artem Egorenkov - 1.13.1-12
 - Fixed error in the patch
 - Resolves: rhbz#1977401
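Review bot: The `--disable-sha1` switch appended to the configure argument list in the second hunk changes validation behaviour, but nothing in the spec records the trade-off. Per the commit message, names signed with RSASHA1 (or under such a zone) are now treated as insecure rather than validated, so forged answers for those names would no longer be rejected by the resolver. A comment above the argument list would keep that visible to the next maintainer, e.g. `# --disable-sha1: RSASHA1-signed zones resolve as insecure (unvalidated) instead of SERVFAIL under crypto-policies DEFAULT/FIPS, see rhbz#2070495`. The flag is fixed at build time, so it presumably also applies on hosts whose policy still permits SHA-1; operators who rely on validation for such zones would benefit from a release note saying those answers lose the AD flag. The argument list begins outside this hunk, so where the comment can go needs checking against the full spec.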