Hi everyone,

I'm pleased to announce v1.3.0 of the RPM Sequoia crate.

I have published rpm-sequoia on crates.io:

  https://crates.io/crates/rpm-sequoia

You can also fetch version 1.3.0 using the v1.3.0 tag:

  https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.3.0

which I signed:

  $ git verify-tag v1.3.0
  gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00
  gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
  gpg: Good signature from "Neal H. Walfield <n...@walfield.org>" [ultimate]
  gpg:                     "Neal H. Walfield <n...@gnupg.org>"
  gpg:                     "Neal H. Walfield <n...@pep-project.org>"
  gpg:                     "Neal H. Walfield <neal@pep.foundation>"
  gpg:                     "Neal H. Walfield <n...@sequoia-pgp.org>"

This release includes two notable changes.

First, when `pgpVerifySignature` verifies a signature, it now
distinguishes between an invalid signature and one that uses weak
cryptography or is from a certificate that is expired or has been
revoked.  Specifically, in the case that the signature is okay, but
the cryptography is weak or the certificate is invalid,
`pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of
`RPMRC_FAIL`.

This change allows installed packages that use outdated cryptography
or certificates to be updated or removed.  Please refer to this
comment:

  https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c8

and this issue:

  https://github.com/rpm-software-management/rpm/issues/2402

for more details.

Second, rpm-sequoia now looks for its configuration file by first
checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and the
file `/etc/crypto-policies/back-ends/rpm-sequoia.config`.  Only if
both of those are not set does it fall back to the more generic
`SEQUOIA_CRYPTO_POLICY` environment variable and the file
`/etc/crypto-policies/back-ends/sequoia.config`.

This change allows RPM to use a different cryptographic policy from
other Sequoia-based applications.  It was motivated by Fedora 38's
decision to allow signatures using the SHA-1 hash algorithm and made
by 1024-bit DSA keys, which is necessary to support some popular
third-party repositories.  For more details, refer to:

  https://bugzilla.redhat.com/show_bug.cgi?id=2170878 ,

  https://pagure.io/fesco/issue/2960 , and

  https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 .

Neal on behalf of the whole Sequoia PGP team
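The configuration lookup order described in the announcement, as an added example that is not rpm-sequoia's own code. It models the precedence (RPM-specific environment variable, then RPM-specific file, then the generic Sequoia variable and file) with the environment and filesystem injected as closures so the order can be exercised offline. The `PolicySource` type and `resolve_policy` function are hypothetical names; the announcement does not say what "not set" means for a file or what happens when nothing is found, so this example assumes an empty variable counts as unset, a missing file counts as not set, and the caller falls back to a built-in default policy otherwise.

```rust
// Added example, not rpm-sequoia's own code: models the lookup order for the
// crypto-policy file described in the announcement. Assumptions (not from the
// announcement): an environment variable set to the empty string counts as
// unset, "the file is not set" means the file does not exist, and when nothing
// is found the caller falls back to a built-in default policy.
use std::path::{Path, PathBuf};

pub const RPM_ENV: &str = "RPM_SEQUOIA_CRYPTO_POLICY";
pub const RPM_FILE: &str = "/etc/crypto-policies/back-ends/rpm-sequoia.config";
pub const GENERIC_ENV: &str = "SEQUOIA_CRYPTO_POLICY";
pub const GENERIC_FILE: &str = "/etc/crypto-policies/back-ends/sequoia.config";

/// Where the policy configuration was found (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum PolicySource {
    /// RPM-specific environment variable pointed at this file.
    RpmEnv(PathBuf),
    /// RPM-specific file under /etc/crypto-policies/back-ends.
    RpmFile(PathBuf),
    /// Generic Sequoia environment variable pointed at this file.
    GenericEnv(PathBuf),
    /// Generic Sequoia file under /etc/crypto-policies/back-ends.
    GenericFile(PathBuf),
    /// Nothing configured; use the built-in default (assumption).
    BuiltinDefault,
}

/// Resolve the policy source. `env` and `exists` are injected so the
/// precedence can be tested without touching the real environment or
/// filesystem.
pub fn resolve_policy<E, F>(env: E, exists: F) -> PolicySource
where
    E: Fn(&str) -> Option<String>,
    F: Fn(&Path) -> bool,
{
    // Treat an empty variable as unset (assumption).
    let lookup = |name: &str| env(name).filter(|v| !v.is_empty());

    // RPM-specific sources win, so RPM can run a policy that differs from
    // every other Sequoia application on the host.
    if let Some(p) = lookup(RPM_ENV) {
        return PolicySource::RpmEnv(PathBuf::from(p));
    }
    if exists(Path::new(RPM_FILE)) {
        return PolicySource::RpmFile(PathBuf::from(RPM_FILE));
    }
    // Only when both RPM-specific sources are absent: generic Sequoia sources.
    if let Some(p) = lookup(GENERIC_ENV) {
        return PolicySource::GenericEnv(PathBuf::from(p));
    }
    if exists(Path::new(GENERIC_FILE)) {
        return PolicySource::GenericFile(PathBuf::from(GENERIC_FILE));
    }
    PolicySource::BuiltinDefault
}

/// The same lookup run against the real process environment and filesystem.
pub fn resolve_from_system() -> PolicySource {
    resolve_policy(
        |name: &str| std::env::var(name).ok(),
        |path: &Path| path.is_file(),
    )
}

fn main() {
    println!("rpm-sequoia policy source: {:?}", resolve_from_system());
}
```

The practical consequence of this order is that setting `RPM_SEQUOIA_CRYPTO_POLICY`, or installing the rpm-sequoia back-end file, changes only what RPM accepts; other Sequoia applications on the same host keep reading the generic `sequoia.config`.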

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint