Open DemiMarie opened 2 years ago
@DemiMarie That sounds great, what is rpmcanon
?
@DemiMarie That sounds great, what is
rpmcanon
?
It’s a Rust tool for canonicalizing RPM packages, verifying the signatures, and stripping anything nasty in them. Qubes OS uses it for all dom0 updates and for all calls to qvm-template
(no matter which qube they are made from).
Is it possible to get qubes-update-dom0 to pass --allow-weak-hashes
or what is your suggested approach?
Is it possible to get qubes-update-dom0 to pass
--allow-weak-hashes
or what is your suggested approach?
Not directly, though one can patch /etc/qubes-rpc/qubes.RecieveUpdates
. That said, we should really get ZFS to sign its RPMs with a better hash, since SHA-1 support in signatures is going away.
https://github.com/openzfs/zfs/issues/13176#issuecomment-1105961727 Looks like you succeeded in getting it fixed upstream!
openzfs/zfs#13176 (comment) Looks like you succeeded in getting it fixed upstream!
Yup! Time to turn signature verification back on!
rpmcanon provides the
--allow-weak-hashes
argument to allow packages signed with SHA-1 to be installed, which is (much) better than turning off signature verification.