
From 185330e5d5f5e07f40ed08c706fd997abffd5e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
Date: Thu, 3 Jun 2021 11:23:31 +0200
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking
 with rpmkeys
We don't want to be verifying digests as well when checking signatures.
It would break legacy package installation in FIPS mode due to MD5
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
---
 dnf/rpm/miscutils.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
index 9d5b2860..46ef4754 100644
--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
         _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
         return 2
 
-    # "--define=_pkgverify_level all" enforces signature checking;
-    # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
-    # are checked.
+    # "--define=_pkgverify_level signature" enforces signature checking;
+    # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
     args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
-            '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
+            '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
             '-')
     with subprocess.Popen(
             args=args,
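Review bot: The rewritten comment above the `args` tuple says only what is still checked, not what this change deliberately stops requiring: with `_pkgverify_level signature`, rpmkeys no longer needs a valid digest for the package to pass, and nothing in `_verifyPackageUsingRpmkeys` or its name tells a later reader that this is intentional rather than an oversight. The rationale lives only in the commit message (legacy MD5 digests cannot be verified in FIPS mode), so I would carry it into the code, e.g. `# "signature" rather than "all": digests are intentionally not required here, because legacy MD5 digests cannot be verified in FIPS mode and would make signed packages uninstallable.` It would also help to state in the function's docstring that a success return from this helper attests to the signature only, so callers that need digest assurance do not assume they get it from here. The body of `_verifyPackageUsingRpmkeys`, including how the return code is derived from rpmkeys output, continues outside this hunk.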
-- 
2.35.1