On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilliams(a)gmail.com> wrote:
On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote:
> Cryptographic policies will be tightened in Fedora 38-39,
> SHA-1 signatures will no longer be trusted by default.
> Fedora 37 specifically doesn't come with any change of defaults,
> and this Fedora Change is an advance warning filed for extra visibility.
> Test your setup with FUTURE today and file bugs so you won't get bit
> by Fedora 38-39.
[snip]
In case you want some feedback,
Thank you for taking time to do that.
> Install crypto-policies-scripts package and switch to a more
restrictive policy
> with either `update-crypto-policies --set FUTURE`
> or `update-crypto-policies --set TEST-FEDORA39`.
>
> Proceed to use the system as usual,
> identify the workflows which are broken by this change.
I did that and several days later I did:
$ sudo dnf upgrade --enablerepo=updates-testing
Errors during downloading metadata for repository 'fedora':
- Curl error (60): SSL peer certificate or SSH remote key was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64...
[SSL certificate problem: CA certificate key too weak]
- Curl error (60): SSL peer certificate or SSH remote key was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate
problem: CA certificate key too weak]
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal
mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for
https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate
problem: CA certificate key too weak]
> Verify that the broken functionality works again
> if you the policy is relaxed back
> with, e.g., `update-crypto-policies --set FUTURE:SHA-1`,
This was a problem:
$ sudo update-crypto-policies --set FUTURE:SHA-1
Unknown policy `SHA-1`: file `SHA-1.pmod` not found in (., policies/modules,
/etc/crypto-policies/policies/modules, /usr/share/crypto-policies/policies/modules)
That seems like a typo.
Indeed, thanks for spotting. Fixed in two places.
After looking in
/usr/share/crypto-policies/policies/modules, I tried again with:
$ sudo update-crypto-policies --set FUTURE:SHA1
Setting system policy to FUTURE:SHA1
But that didn't get me back. I got the same error doing dnf upgrade.
I had to do:
$ sudo update-crypto-policies --set DEFAULT
to get back to dnf working again.
> file bug reports against the affected components if not filed already.
I really don't know what "component" to use filing a bug.
Yeah, that seems like a case when
the service administrator is the one to be notified.