apk.static signature verification fails on Fedora 41, requires legacy crypto policies
Trying to use pmbootstrap doesn't work on Fedora 41 by default, printing the following error:
(026959) [05:57:50] Verify apk.static signature with /home/robert/git/pmbootstrap/pmb/data/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
(026959) [05:57:50] % openssl dgst -sha1 -verify /home/robert/git/pmbootstrap/pmb/data/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub -signature /tmp/pmbootstrap0ofyl9ztsig /tmp/pmbootstrap_z843sakapk
Error setting context
8072556F917F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
(026959) [05:57:50] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(026959) [05:57:50] NOTE: The failed command's output is above the ^^^ line in the log file: /home/robert/.local/var/pmbootstrap/log.txt
(026959) [05:57:50] ERROR: Failed to validate signature of apk.static. Either openssl is not installed, or the download failed. Run 'pmbootstrap zap -hc' to delete the download and try again.
A workaround is to run update-crypto-policies --set LEGACY (reset: update-crypto-policies --set DEFAULT).
IIUC we'd need to stop using sha1 here and use at least sha256; however, in order to do that, the signatures would need to be recreated accordingly, if I'm not mistaken.
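The following is an added example, not pmbootstrap's or Alpine's code, showing the two halves of what the report describes: the signing/verification round trip redone with SHA-256 (the digest the real signatures would have to be recreated with), and a probe that tells you whether the active crypto policy still accepts a SHA-1 signature without switching the whole system to LEGACY. It assumes openssl is in PATH; the key, the stand-in "apk.static" file and the temp paths are constructed here, so the real Alpine key and .sig are not involved.

```shell
#!/bin/sh
# Added example (not from pmbootstrap). Assumes: openssl in PATH.
# All keys and files below are constructed stand-ins created in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a throwaway RSA signing key, its public half, and a
# small file standing in for apk.static. The real apk.static is signed by
# Alpine with the alpine-devel@lists.alpinelinux.org key, which is why the
# report says the signatures would have to be recreated on their side.
make_fixtures() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signer.key" 2>/dev/null
  openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" 2>/dev/null
  printf 'constructed stand-in for apk.static\n' > "$WORK/apk.static"
}

# Produce a detached signature over $2 with digest $1, written to $3.
# This is the step that would have to be rerun with sha256 for real signatures.
sign_with() {
  openssl dgst "-$1" -sign "$WORK/signer.key" -out "$3" "$2" 2>/dev/null
}

# Verify $2 against detached signature $3 with digest $1.
# Same command shape as the one in the log:
#   openssl dgst -sha1 -verify <pub> -signature <sig> <file>
# Exit status 0 means the signature checked out.
verify_with() {
  openssl dgst "-$1" -verify "$WORK/signer.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Returns 0 only if a fresh SHA-256 signature verifies AND a tampered copy of
# the signed file is rejected with the same signature.
sha256_roundtrip() {
  sign_with sha256 "$WORK/apk.static" "$WORK/apk.static.sig"
  verify_with sha256 "$WORK/apk.static" "$WORK/apk.static.sig" || return 1
  cp "$WORK/apk.static" "$WORK/tampered"
  printf 'extra byte\n' >> "$WORK/tampered"
  if verify_with sha256 "$WORK/tampered" "$WORK/apk.static.sig"; then
    return 1   # a tampered file must not verify
  fi
  return 0
}

# Probe the active crypto policy: prints "sha1-allowed" if a SHA-1 signature can
# be created and verified, "sha1-blocked" if either step is refused (as on
# Fedora 41 with the DEFAULT policy, where do_sigver_init reports
# "invalid digest"). Nothing is changed system-wide, unlike
# update-crypto-policies --set LEGACY.
sha1_policy_probe() {
  if sign_with sha1 "$WORK/apk.static" "$WORK/apk.static.sha1.sig" \
     && verify_with sha1 "$WORK/apk.static" "$WORK/apk.static.sha1.sig"; then
    echo sha1-allowed
  else
    echo sha1-blocked
  fi
}

make_fixtures

if [ "${1:-}" = "--run" ]; then
  sha256_roundtrip && echo "sha256 signature: verified, tamper rejected"
  echo "sha1 under current crypto policy: $(sha1_policy_probe)"
fi
```

Run it as `sh probe.sh --run`. On a Fedora 41 host with the DEFAULT policy the probe should report sha1-blocked while the SHA-256 round trip still passes, which is the point: the fix is on the digest side, not on the policy side.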