On Tue, May 31, 2022 at 08:59:28AM +0200, Petr Pisar wrote:
V Tue, May 31, 2022 at 08:07:57AM +0200, Alexander Sosedkin
napsal(a):
> On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilliams(a)gmail.com>
wrote:
> > On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote:
> > > Cryptographic policies will be tightened in Fedora 38-39,
> > > SHA-1 signatures will no longer be trusted by default.
> > > Fedora 37 specifically doesn't come with any change of defaults,
> > > and this Fedora Change is an advance warning filed for extra visibility.
> > > Test your setup with FUTURE today and file bugs so you won't get bit
> > > by Fedora 38-39.
> > >
> > After looking in
> > /usr/share/crypto-policies/policies/modules, I tried again with:
> >
> > $ sudo update-crypto-policies --set FUTURE:SHA1
> > Setting system policy to FUTURE:SHA1
> >
> > But that didn't get me back. I got the same error doing dnf upgrade.
> >
> > I had to do:
> >
> > $ sudo update-crypto-policies --set DEFAULT
> >
> > to get back to dnf working again.
> >
> > > file bug reports against the affected components if not filed already.
> >
> > I really don't know what "component" to use filing a bug.
>
> Yeah, that seems like a case when
> the service administrator is the one to be notified.
Reported to <
https://pagure.io/fedora-infrastructure/issue/10737>. The real
cause is not SHA-1. It's a 2048-bit RSA key of an intermediate certificate.
Right. This has been reported before:
https://bugzilla.redhat.com/show_bug.cgi?id=1832292
As far as I can tell, we can't get a digicert cert that doesn't use
2048bit CA or intermediate. I think they do offer better/different, but
those are reserved for the EV certs which require a bunch of validation
of your business (which fedoraproject isn't).
We might be able to replace it with a letsencrypt cert, I've not looked
to see if they have moved to a higher bit CA/intermediate yet.
But even with that, do note that lots and lots and lots of other
websites will not work at all either, so I don't think setting FUTURE
is too great a experence right now. ;(
kevin