[Sequoia-devel] rpm-sequoia 1.3.0

Hi everyone,

I'm pleased to announce v1.3.0 of the RPM Sequoia crate.

I have published rpm-sequoia on crates.io:

https://crates.io/crates/rpm-sequoia

You can also fetch version 1.3.0 using the v1.3.0 tag:

https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.3.0

which I signed:

$ git verify-tag v1.3.0 gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield neal@walfield.org" [ultimate] gpg: "Neal H. Walfield neal@gnupg.org" gpg: "Neal H. Walfield neal@pep-project.org" gpg: "Neal H. Walfield neal@pep.foundation" gpg: "Neal H. Walfield neal@sequoia-pgp.org"

This release includes two notable changes.

First, when `pgpVerifySignature` verifies a signature, it now distinguishes between an invalid signature, and one that uses weak cryptography, or is from a certificate that is expired or has been revoked. Specifically, in the case that the signature is okay, but the cryptography is weak or the certificate is invalid, `pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of `RPMRC_FAIL`.

This change allows installed packages, which use outdated cryptography or certificates to be updated or removed. Please refer to this comment:

https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c8

and this issue:

https://github.com/rpm-software-management/rpm/issues/2402

for more details.

Second, rpm-sequoia now looks for its configuration file by first checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and the file `/etc/crypto-policies/back-ends/rpm-sequoia.config`. Only if both of those are not set does it fallback to the more generic `SEQUOIA_CRYPTO_POLICY` environment variable and the file `/etc/crypto-policies/back-ends/sequoia.config`.

This change allows RPM to use a different cryptographic policy from other Sequoia-based applications. It was motivated by Fedora 38's decision to allow signatures using the SHA-1 hash algorithm and made by 1024-bit DSA keys, which is necessary to support some popular third-party repositories. For more details, refer to:

https://bugzilla.redhat.com/show_bug.cgi?id=2170878 ,

https://pagure.io/fesco/issue/2960 , and

https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 .

Neal on behalf of the whole Sequoia PGP team