Blame SOURCES/0005-Lower-_pkgverify_level-to-signature-for-signature-ch.patch

From 185330e5d5f5e07f40ed08c706fd997abffd5e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
Date: Thu, 3 Jun 2021 11:23:31 +0200
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking
 with rpmkeys
We don't want to be verifying digests as well when checking signatures.
It would break legacy package installation in FIPS mode due to MD5
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
---
 dnf/rpm/miscutils.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
index 9d5b2860..46ef4754 100644
--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
         _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
         return 2
 
-    # "--define=_pkgverify_level all" enforces signature checking;
-    # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
-    # are checked.
+    # "--define=_pkgverify_level signature" enforces signature checking;
+    # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
     args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
-            '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
+            '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
             '-')
     with subprocess.Popen(
             args=args,
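Review bot: the rewritten comment above `args` drops the mention of digests but never says that skipping them is deliberate; the FIPS/MD5 reason is recorded only in the commit message. Suggest adding a line to the comment along the lines of "digests are intentionally not enforced here, because MD5 digests of legacy packages cannot be verified in FIPS mode", so that a later reader does not restore `_pkgverify_level all` as an apparent hardening fix. The diffstat shows only dnf/rpm/miscutils.py changing, so a test confirming that an unsigned package still fails this check with `_pkgverify_level signature` would also be worth adding.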
-- 
2.35.1