Hi everyone,
I'm pleased to announce v1.3.0 of the RPM Sequoia crate.
I have published rpm-sequoia on crates.io:
https://crates.io/crates/rpm-sequoia
You can also fetch version 1.3.0 using the v1.3.0 tag:
https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.3.0
which I signed:
$ git verify-tag v1.3.0
gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00
gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal@walfield.org>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@gnupg.org>"
gpg:                 aka "Neal H. Walfield <neal@pep-project.org>"
gpg:                 aka "Neal H. Walfield <neal@pep.foundation>"
gpg:                 aka "Neal H. Walfield <neal@sequoia-pgp.org>"
This release includes two notable changes.
First, when `pgpVerifySignature` verifies a signature, it now distinguishes between an invalid signature and one that is valid but uses weak cryptography or comes from a certificate that is expired or has been revoked. Specifically, when the signature itself is okay but the cryptography is weak or the certificate is invalid, `pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of `RPMRC_FAIL`.
This change allows installed packages that use outdated cryptography or certificates to be updated or removed. Please refer to this comment:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c8
and this issue:
https://github.com/rpm-software-management/rpm/issues/2402
for more details.
Second, rpm-sequoia now looks for its configuration file by first checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and then the file `/etc/crypto-policies/back-ends/rpm-sequoia.config`. Only if neither of those is set does it fall back to the more generic `SEQUOIA_CRYPTO_POLICY` environment variable and the file `/etc/crypto-policies/back-ends/sequoia.config`.
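To make the lookup order concrete, here is an added illustration of that resolution logic written for this announcement; it is not rpm-sequoia's own code. It assumes an environment variable's value is the path of a policy file, and it reports which source won so an administrator can check which policy actually governs RPM.

```rust
use std::path::{Path, PathBuf};

/// Resolution order from the announcement, most specific first:
/// (environment variable holding a policy path, fixed fallback file).
const LOOKUP_ORDER: [(&str, &str); 2] = [
    ("RPM_SEQUOIA_CRYPTO_POLICY", "/etc/crypto-policies/back-ends/rpm-sequoia.config"),
    ("SEQUOIA_CRYPTO_POLICY", "/etc/crypto-policies/back-ends/sequoia.config"),
];

/// Where the effective policy came from, so it can be logged or audited.
#[derive(Debug, PartialEq, Eq)]
pub enum PolicySource {
    EnvVar { name: String, path: PathBuf },
    File(PathBuf),
    /// Nothing found: the crate's built-in default policy applies.
    BuiltinDefault,
}

/// Walk LOOKUP_ORDER and stop at the first hit. `env` and `exists` are
/// injected (hypothetical helpers) so the order can be tested without
/// touching the real environment or filesystem.
pub fn resolve_policy(
    env: &dyn Fn(&str) -> Option<String>,
    exists: &dyn Fn(&Path) -> bool,
) -> PolicySource {
    for (var, file) in LOOKUP_ORDER {
        // Assumption: a set variable names the policy file to use.
        if let Some(p) = env(var) {
            return PolicySource::EnvVar { name: var.to_string(), path: PathBuf::from(p) };
        }
        let path = Path::new(file);
        if exists(path) {
            return PolicySource::File(path.to_path_buf());
        }
    }
    PolicySource::BuiltinDefault
}

/// Same walk against the real process environment and filesystem.
pub fn resolve_policy_from_system() -> PolicySource {
    resolve_policy(&|v: &str| std::env::var(v).ok(), &|p: &Path| p.is_file())
}

fn main() {
    println!("effective RPM policy source: {:?}", resolve_policy_from_system());
}
```

Note that the RPM-specific file is consulted before the generic `SEQUOIA_CRYPTO_POLICY` variable, so a host-wide Sequoia override does not silently change RPM's verification policy once the rpm-sequoia file exists.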
This change allows RPM to use a different cryptographic policy from other Sequoia-based applications. It was motivated by Fedora 38's decision to allow signatures using the SHA-1 hash algorithm and made by 1024-bit DSA keys, which is necessary to support some popular third-party repositories. For more details, refer to:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878,
https://pagure.io/fesco/issue/2960, and
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129.
Neal on behalf of the whole Sequoia PGP team