File crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch of Package crypto-policies
Index: fedora-crypto-policies-20250324.3714354/policies/DEFAULT.pol
===================================================================
--- fedora-crypto-policies-20250324.3714354.orig/policies/DEFAULT.pol
+++ fedora-crypto-policies-20250324.3714354/policies/DEFAULT.pol
@@ -80,6 +80,8 @@ min_rsa_size = 2048
# GnuTLS only for now
sha1_in_certs = 0
+# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+__openssl_block_sha1_signatures = 0
arbitrary_dh_groups = 1
ssh_certs = 1
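Review bot: The comment added above `__openssl_block_sha1_signatures = 0` links to the Fedora change that makes OpenSSL distrust SHA-1 signatures, but the value set here does the opposite and keeps SHA-1 signature verification allowed under DEFAULT. A reader following the link gets the wrong impression of what the policy enforces. I would state the deviation in the comment, e.g. `# Downstream: keep SHA-1 signature verification enabled in OpenSSL; reverts https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer`, and add a line giving the reason and the condition under which the patch can be dropped. The same comment is added in the tests/alternative-policies/DEFAULT.pol hunk and needs the same rewording. Because `sha1_in_certs = 0` directly above is marked "GnuTLS only for now", the comment should presumably also say that this setting does not cover OpenSSL consumers, which now get `rh-allow-sha1-signatures = yes` according to the expected outputs in this patch.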
Index: fedora-crypto-policies-20250324.3714354/tests/alternative-policies/DEFAULT.pol
===================================================================
--- fedora-crypto-policies-20250324.3714354.orig/tests/alternative-policies/DEFAULT.pol
+++ fedora-crypto-policies-20250324.3714354/tests/alternative-policies/DEFAULT.pol
@@ -80,6 +80,8 @@ min_rsa_size = 2048
# GnuTLS only for now
sha1_in_certs = 0
+# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+__openssl_block_sha1_signatures = 0
# SHA1 is still prevalent in DNSSec
sha1_in_dnssec = 1
Index: fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT:GOST-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20250324.3714354.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -14,4 +14,4 @@ default_bits = 2048
alg_section = evp_properties
[evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20250324.3714354.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT-opensslcnf.txt
@@ -14,4 +14,4 @@ default_bits = 2048
alg_section = evp_properties
[evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20250324.3714354.orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
+++ fedora-crypto-policies-20250324.3714354/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
@@ -14,4 +14,4 @@ default_bits = 2048
alg_section = evp_properties
[evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes