I'm pleased to announce v1.3.0 of the RPM Sequoia crate.
I have published rpm-sequoia on crates.io:
You can also fetch version 1.3.0 using the v1.3.0 tag:
which I signed:
$ git verify-tag v1.3.0
gpg: Signature made Mon Mar 06 16:54:07 2023 +01:00
gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield email@example.com" [ultimate]
gpg: "Neal H. Walfield firstname.lastname@example.org"
gpg: "Neal H. Walfield email@example.com"
gpg: "Neal H. Walfield firstname.lastname@example.org"
gpg: "Neal H. Walfield email@example.com"
This release includes two notable changes.
First, when `pgpVerifySignature` verifies a signature, it now distinguishes between an invalid signature and one that is cryptographically good but uses weak cryptography or comes from a certificate that has expired or been revoked. Specifically, when the signature itself is okay but the cryptography is weak or the certificate is invalid, `pgpVerifySignature` now returns `RPMRC_NOTTRUSTED` instead of `RPMRC_FAIL`.
This change allows installed packages that were signed using outdated cryptography or certificates to be updated or removed. Please refer to this comment:
and this issue:
for more details.
Second, rpm-sequoia now looks for its configuration file by first checking the environment variable `RPM_SEQUOIA_CRYPTO_POLICY` and then the file `/etc/crypto-policies/back-ends/rpm-sequoia.config`. Only if neither of those is present does it fall back to the more generic `SEQUOIA_CRYPTO_POLICY` environment variable and the file `/etc/crypto-policies/back-ends/sequoia.config`.
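The lookup order above, written out as a small Rust example. This is added illustration, not code from the rpm-sequoia crate: the type `PolicySource`, the function `resolve_policy` and the injected `env`/`exists` closures are assumptions made so the precedence can be exercised without touching the real environment, and treating an empty variable as unset is likewise an assumption rather than documented crate behaviour.

```rust
use std::path::PathBuf;

/// Where the policy was found (illustrative type, not the crate's own API).
#[derive(Debug, PartialEq, Eq)]
pub enum PolicySource {
    /// The path came from an environment variable.
    Env { var: &'static str, path: PathBuf },
    /// One of the well-known files under /etc/crypto-policies exists.
    File(PathBuf),
}

/// Candidates in precedence order: the RPM-specific variable and file are
/// consulted first, the generic Sequoia ones only as a fallback.
const CANDIDATES: [(&str, &str); 2] = [
    (
        "RPM_SEQUOIA_CRYPTO_POLICY",
        "/etc/crypto-policies/back-ends/rpm-sequoia.config",
    ),
    (
        "SEQUOIA_CRYPTO_POLICY",
        "/etc/crypto-policies/back-ends/sequoia.config",
    ),
];

/// Resolve the crypto-policy location.  `env` reads an environment variable
/// and `exists` reports whether a file is present; both are injected so the
/// ordering can be tested offline.
pub fn resolve_policy<E, X>(env: E, exists: X) -> Option<PolicySource>
where
    E: Fn(&str) -> Option<String>,
    X: Fn(&str) -> bool,
{
    for (var, file) in CANDIDATES {
        // Assumption for this example: an empty value counts as unset.
        if let Some(value) = env(var) {
            if !value.is_empty() {
                return Some(PolicySource::Env {
                    var,
                    path: PathBuf::from(value),
                });
            }
        }
        if exists(file) {
            return Some(PolicySource::File(PathBuf::from(file)));
        }
    }
    None
}

/// Same lookup against the real process environment and filesystem.
pub fn resolve_from_system() -> Option<PolicySource> {
    resolve_policy(
        |var| std::env::var(var).ok(),
        |file| std::path::Path::new(file).is_file(),
    )
}

fn main() {
    match resolve_from_system() {
        Some(source) => println!("crypto policy source: {:?}", source),
        None => println!("no policy file configured; the crate would use its defaults"),
    }
}
```

The practical consequence is that an operator who sets `SEQUOIA_CRYPTO_POLICY` for other Sequoia applications does not affect RPM on a host where `/etc/crypto-policies/back-ends/rpm-sequoia.config` exists, because the RPM-specific file is found before the generic variable is even consulted.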
This change allows RPM to use a different cryptographic policy from other Sequoia-based applications. It was motivated by Fedora 38's decision to allow signatures using the SHA-1 hash algorithm and made by 1024-bit DSA keys, which is necessary to support some popular third-party repositories. For more details, refer to:
https://pagure.io/fesco/issue/2960, and
Neal on behalf of the whole Sequoia PGP team