cfcs / qubes-storage-zfs

ZFS pool storage for VMs in QubesOS
BSD 3-Clause "New" or "Revised" License

Use `--allow-weak-hashes` instead of disabling signature verification entirely #6

Open DemiMarie opened 2 years ago

DemiMarie commented 2 years ago

rpmcanon provides the `--allow-weak-hashes` argument to allow packages signed with SHA-1 to be installed, which is (much) better than turning off signature verification.

cfcs commented 2 years ago

@DemiMarie That sounds great, what is rpmcanon?

DemiMarie commented 2 years ago

> @DemiMarie That sounds great, what is rpmcanon?

It’s a Rust tool for canonicalizing RPM packages, verifying the signatures, and stripping anything nasty in them. Qubes OS uses it for all dom0 updates and for all calls to qvm-template (no matter which qube they are made from).

cfcs commented 2 years ago

Is it possible to get qubes-update-dom0 to pass `--allow-weak-hashes` or what is your suggested approach?

DemiMarie commented 2 years ago

> Is it possible to get qubes-update-dom0 to pass `--allow-weak-hashes` or what is your suggested approach?

Not directly, though one can patch `/etc/qubes-rpc/qubes.ReceiveUpdates`. That said, we should really get ZFS to sign its RPMs with a better hash, since SHA-1 support in signatures is going away.

cfcs commented 2 years ago

https://github.com/openzfs/zfs/issues/13176#issuecomment-1105961727 Looks like you succeeded in getting it fixed upstream!

DemiMarie commented 2 years ago

> openzfs/zfs#13176 (comment) Looks like you succeeded in getting it fixed upstream!

Yup! Time to turn signature verification back on!
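
The thread turns on which hash algorithm a package's OpenPGP signature uses. The following is an added example, not part of the thread and not code from rpmcanon or qubes-storage-zfs: it reads the hash algorithm ID out of a v3 or v4 OpenPGP signature packet (RFC 4880) and flags weak ones. It assumes the raw signature packet has already been extracted from the package; the function names, the `WEAK` set and the sample packets are constructed for illustration.

```python
# Added example: report the hash algorithm of an OpenPGP signature packet.
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: this example's own "weak" set


def packet_body(pkt: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first OpenPGP packet in pkt."""
    if not pkt or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:                       # new-format header
        tag, first = pkt[0] & 0x3F, pkt[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + pkt[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", pkt[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are invalid for signatures")
    else:                                   # old-format header
        tag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                   # 1, 2 or 4 length octets
        length, start = int.from_bytes(pkt[1:1 + size], "big"), 1 + size
    body = pkt[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def signature_hash(pkt: bytes) -> tuple[str, bool]:
    """Return (hash name, is_weak) for a v3 or v4 signature packet."""
    tag, body = packet_body(pkt)
    if tag != 2:
        raise ValueError("not a signature packet")
    offset = {3: 16, 4: 3}.get(body[0] if body else 0)  # hash ID position
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature")
    name = HASH_NAMES.get(body[offset], f"unknown({body[offset]})")
    return name, name in WEAK


# Constructed sample packets (header fields only, signature material zeroed).
V4_SHA1 = bytes([0xC2, 6, 4, 0x00, 1, 2, 0, 0])
V3_SHA256 = bytes([0x88, 19, 3, 5, 0x00]) + bytes(12) + bytes([1, 8, 0, 0])
```

A result of `("SHA1", True)` identifies a signature that would only pass with `--allow-weak-hashes`; the check says nothing about whether the signature itself is valid.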