tests: Use PGP keys without SHA-1 #2113

Merged
merged 1 commit into from
Jul 24, 2024

@ppisar ppisar commented Jul 23, 2024

Tests failed on RHEL 10 where SHA-1 is disabled in a DEFAULT crypto
policy and where librepo is configured to use rpm-sequoia which
respects the crypto policy (in contrast to gpgme):

    1: ======================================================================
    1: FAIL: test_rawkey2infos (tests.test_crypto.CryptoTest.test_rawkey2infos)
    1: ----------------------------------------------------------------------
    1: Traceback (most recent call last):
    1:   File "/home/test/rhel/dnf/dnf-4.20.0/tests/test_crypto.py", line 75, in test_rawkey2infos
    1:     self.assertEqual(info.userid, 'Dandy Fied <[email protected]>')
    1: AssertionError: '' != 'Dandy Fied <[email protected]>'
    1: + Dandy Fied <[email protected]>

The root cause was that tests/keys/key.pub used the SHA-1 digest algorithm.

This patch replaces that key with a 4096-bit RSA key signed using
SHA-384 digest algorithm.

Resolves: https://issues.redhat.com/browse/RHEL-50218


ppisar commented Jul 23, 2024

For your information, Fedora is not affected because it still allows SHA-1 for signing packages.

@dcantrell dcantrell self-requested a review July 23, 2024 19:42
@ppisar ppisar merged commit b23e3fb into rpm-software-management:master Jul 24, 2024
8 of 9 checks passed
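
An added example, not part of this PR or of dnf's code: a minimal OpenPGP packet walker that reports the digest algorithm of each signature packet in a key file, which is the property that made `tests/keys/key.pub` fail once SHA-1 was disabled by policy. The sample bytes are constructed (truncated signature headers, not real keys), and the `WEAK` set is an assumption rather than the actual RHEL policy list.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # OpenPGP hash algorithm IDs
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: what a strict policy rejects

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor when present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]   # between armor headers and END line
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                   # new format
            tag, o1, i = hdr & 0x3F, data[i], i + 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                            # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            size = 0 if ltype == 3 else 1 << ltype       # type 3: runs to end
            n, i = (int.from_bytes(data[i:i + size], "big") if size else len(data) - i), i + size
        yield tag, data[i:i + n]
        i += n

def signature_digests(key: bytes) -> list:
    """Digest of each signature packet (tag 2); hash ID at offset 16 in v3, 3 in v4+."""
    sigs = [body for tag, body in packets(dearmor(key)) if tag == 2]
    return [HASH_NAMES.get(b[16] if b[0] == 3 else b[3], "unknown") for b in sigs]

def weak_digests(key: bytes) -> list:
    return [d for d in signature_digests(key) if d in WEAK]

# Constructed sample: a User ID packet plus a truncated v4 signature header.
UID = bytes([0xCD, 27]) + b"Test <test@example.invalid>"
SHA1_KEY = UID + bytes([0xC2, 8, 4, 0x13, 1, 2, 0, 0, 0, 0])     # hash ID 2
SHA384_KEY = UID + bytes([0xC2, 8, 4, 0x13, 1, 9, 0, 0, 0, 0])   # hash ID 9
```

The walker reads only the hash algorithm ID in each signature header; it does not verify signatures or evaluate any system crypto policy.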