On Fri, 3 Mar 2023 at 15:56, Ben Cotton <bcotton(a)redhat.com>
wrote:
> 2. crypto-policies — Insecure installed RPMs (like Google Chrome)
> prevent system updates in F38, can't be removed — NEW
> ACTION: Upstream to implement MR #129
>
>
> 2. crypto-policies —
> https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> — NEW
> Insecure installed RPMs (like Google Chrome) prevent system updates in
> F38, can't be removed
>
> Some third-party repos (including Google Chrome) that sign packages
> with SHA-1 cannot be uninstalled, which breaks upgrades. This was
> designated a blocker by FESCo. Work is in progress upstream to allow
> RPM to permit SHA-1 in the default policy while third-party repos
> update to a supported hash function:
>
>
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
I think the issue is 'larger' than SHA-1. Google Chrome and some other third-party
software seem to be signed with keys which are both SHA1 and DSA
keys. Either one of these would cause the problem with not being able to
update/uninstall/etc., and since one is a checksum and the other is an
encryption type, they possibly need different solutions.
Yes. People are aware of this. Merge request 129 had to go as far as
allowing DSA1024 :(
Zbyszek
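A quick way to see which installed packages are affected by the two
separate properties discussed above (a SHA-1 digest on the signature,
and a DSA signing key) is to query the signature string rpm records
for each package and classify it. The script below is an added
example, not code from the thread, from Fedora or from the
crypto-policies project. It uses the same header-tag fallback chain
that `rpm -qi` uses to print its "Signature" line, and it assumes
rpm's `pgpsig` output format of `KEYALGO/DIGEST, date, Key ID ...`.
The package names and key IDs in the embedded sample are constructed
so the classifier can be run offline; the `--live` scan needs a real
RPM database.

```shell
#!/bin/sh
# Inventory installed RPMs whose signature relies on SHA-1 or on a DSA key.
# Added example; not part of the original thread. Sample data is constructed.

# Query format: the same DSAHEADER / RSAHEADER / SIGGPG / SIGPGP fallback
# chain that `rpm -qi` uses for its "Signature :" line.
SIG_QF='%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'

# Constructed sample of `rpm -qa --qf "%{NAME} ${SIG_QF}\n"` output.
# Names and key IDs are placeholders, not real vendor keys.
SAMPLE_RPM_OUTPUT='vendor-browser DSA/SHA1, Mon 27 Feb 2023 07:12:00 PM UTC, Key ID 0000000011111111
bash RSA/SHA256, Tue 07 Feb 2023 03:14:23 PM UTC, Key ID 2222222233333333
legacy-tool RSA/SHA1, Wed 11 Jan 2023 10:00:00 AM UTC, Key ID 4444444455555555
gpg-pubkey (none)'

# Reads "NAME KEYALGO/DIGEST, ..." lines on stdin and prints
# "NAME KEYALGO/DIGEST REASONS" for each package that would be rejected
# when SHA-1 digests or DSA keys are disallowed. A DSA/SHA1 signature is
# reported with both reasons, since either one alone is enough to block
# update/uninstall, as the thread points out.
find_weak_sigs() {
    awk '
        {
            name = $1; sig = $2
            sub(/,$/, "", sig)                 # "DSA/SHA1," -> "DSA/SHA1"
            if (sig == "(none)") next           # unsigned: not a policy question here
            split(sig, algo, "/")               # algo[1] = key type, algo[2] = digest
            reasons = ""
            if (algo[1] == "DSA") reasons = "dsa"
            # pgpsig does not expose the key size, so DSA1024 vs larger DSA
            # keys cannot be told apart from this string alone.
            if (algo[2] == "SHA1") reasons = (reasons == "") ? "sha1" : (reasons "+sha1")
            if (reasons != "") printf "%s %s %s\n", name, sig, reasons
        }'
}

# Scan the real RPM database (needs rpm); otherwise classify the sample.
scan_installed() {
    if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf "%{NAME} ${SIG_QF}\n" | find_weak_sigs
    else
        printf '%s\n' "$SAMPLE_RPM_OUTPUT" | find_weak_sigs
    fi
}

scan_installed "$@"
```

Run it as `sh weak-rpm-sigs.sh --live` on a Fedora box to list the
packages that would trip the policy; without `--live` it classifies the
constructed sample. The output lists the key algorithm and digest
separately so that a package failing only on SHA-1 (an RSA key signing
with a SHA-1 digest) can be distinguished from one that also needs DSA
allowed, which matters because, as noted above, the two properties call
for different policy changes.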