> For the last 20 years or so, RPM has used a home-grown OpenPGP parser
> for dealing with keys and signatures. That parser is rather infamous
> for its limitations and flaws, and especially in recent years has
> proven a significant burden to RPM development. In order to improve
> security and free developer resources for dealing with RPM's "core
> business" instead, RPM upstream is in the process of deprecating the
> internal parser in favor of a [https://sequoia-pgp.org/ Sequoia PGP]
> based solution written in Rust.

Why are you using a new library written in Rust? Can you not use one of the
existing mature C implementations of OpenPGP? gpgme maybe?

> At this point the change is mostly invisible in normal daily use.

Not really, because it makes some packages uninstallable.

> - Some old, insecure (MD5/SHA1 based) signatures are rejected (this is
>   in line with the stronger crypto settings proposed elsewhere for F38)

Such a hardcoded restriction, without a way for the local administrator to
allow the legacy signatures, is not acceptable.
Kevin Kofler
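The thread above turns on which packages carry MD5- or SHA1-based OpenPGP signatures. The following is an added example (not RPM's parser, not Sequoia code, and not part of the original mail) that reads only the RFC 4880 packet framing of a signature packet and reports the hash algorithm the signer used, so an administrator can audit which signatures a stricter verifier would reject. It assumes the raw signature packet has already been extracted from a package's signature header; the three sample packets are constructed inline for illustration and are not real signatures.

```python
"""Minimal OpenPGP signature-packet inspector (RFC 4880 framing only).

Added example for auditing signature digests; it is not RPM's internal
parser and not Sequoia. It decodes the packet header and the fixed-position
fields of v3/v4 signature packets and stops there (no crypto, no MPIs).
"""
import struct

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGORITHMS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
LEGACY_DIGESTS = {1, 2}  # MD5 and SHA1: the digests the F38 change rejects
SIGNATURE_TAG = 2


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the first packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = first & 0x3F
        l0 = data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    # old-format header (RFC 4880 section 4.2.1)
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def signature_hash_algorithm(packet):
    """Return (version, hash_algorithm_id) of a signature packet."""
    tag, off, length = parse_packet_header(packet)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[off:off + length]
    version = body[0]
    if version == 3:
        # v3 layout: version, 0x05, sigtype, time(4), keyid(8), pkalgo, hashalgo
        return 3, body[16]
    if version == 4:
        # v4 layout: version, sigtype, pkalgo, hashalgo, subpackets ...
        return 4, body[3]
    raise ValueError(f"unsupported signature version {version}")


def describe(packet):
    """Summarise a signature packet: version, digest name, legacy flag."""
    version, hid = signature_hash_algorithm(packet)
    name = HASH_ALGORITHMS.get(hid, f"unknown({hid})")
    return {"version": version, "hash": name, "legacy": hid in LEGACY_DIGESTS}


# Constructed sample packets (not real signatures; MPIs are placeholders).
# v4, RSA (1), SHA256 (8), old-format header, 13-byte body
SAMPLE_V4_SHA256 = bytes([0x88, 13, 4, 0x00, 1, 8,
                          0, 0, 0, 0, 0xAB, 0xCD, 0x00, 0x01, 0x01])
# v4, RSA, SHA1 (2), new-format header
SAMPLE_V4_SHA1 = bytes([0xC2, 13, 4, 0x00, 1, 2,
                        0, 0, 0, 0, 0xAB, 0xCD, 0x00, 0x01, 0x01])
# v3, RSA, MD5 (1), old-format header, 22-byte body
SAMPLE_V3_MD5 = bytes([0x88, 22, 3, 5, 0x00, 0, 0, 0, 0]
                      + [0] * 8 + [1, 1, 0xAB, 0xCD, 0x00, 0x01, 0x01])

if __name__ == "__main__":
    for label, pkt in (("v4/SHA256", SAMPLE_V4_SHA256),
                       ("v4/SHA1", SAMPLE_V4_SHA1),
                       ("v3/MD5", SAMPLE_V3_MD5)):
        print(label, describe(pkt))
```

Run against the raw signature packets pulled from a package's signature header, the `legacy` flag marks exactly the MD5/SHA1 signatures that the stricter verifier discussed in the thread will reject, which is the inventory an administrator needs before deciding how to handle them.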