Stop using /etc/crypto-policies from host or tools tree
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 23 Feb 2024 11:34:50 +0000 (12:34 +0100)
committerJörg Behrmann <behrmann@physik.fu-berlin.de>
Fri, 23 Feb 2024 12:43:44 +0000 (13:43 +0100)
Instead, we provide our own policy for rpm-sequoia that generally follows
the sequoia default policy, except that SHA1 is allowed, since various distributions
still use SHA1 in their GPG keys.

mkosi/installer/rpm.py
mkosi/sandbox.py

index ab1f442805e2a73658f0901855a0d0c0f10f5587..6fb1daab9a30c0167c6994e2b069c5ce983f2a4e 100644 (file)
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
 
 import subprocess
+import textwrap
 from pathlib import Path
 from typing import NamedTuple, Optional
 
@@ -46,6 +47,25 @@ def setup_rpm(context: Context, *, dbpath: str = "/usr/lib/sysimage/rpm") -> Non
             for plugin in plugindir.iterdir():
                 f.write(f"%__transaction_{plugin.stem} %{{nil}}\n")
 
+    # Write an rpm sequoia policy that allows SHA1 as various distribution GPG keys (OpenSUSE) still use SHA1 for
+    # various things.
+    # TODO: Remove when all rpm distribution GPG keys have stopped using SHA1.
+    if not (p := context.pkgmngr / "etc/crypto-policies/back-ends/rpm-sequoia.config").exists():
+        p.parent.mkdir(parents=True, exist_ok=True)
+        p.write_text(
+            textwrap.dedent(
+                """
+                [hash_algorithms]
+                sha1.second_preimage_resistance = "always"
+                sha224 = "always"
+                sha256 = "always"
+                sha384 = "always"
+                sha512 = "always"
+                default_disposition = "never"
+                """
+            )
+        )
+
 
 def rpm_cmd(context: Context) -> list[PathString]:
     return ["env", "HOME=/", "rpm", "--root", context.root]
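Review bot: The comment above the policy write (the `# Write an rpm sequoia policy ...` lines) should state what the config actually permits, because the security effect is easy to misread: only `sha1.second_preimage_resistance` is set to "always", so SHA1 stays rejected wherever collision resistance is required, and `default_disposition = "never"` rejects every hash algorithm not listed (MD5 and RIPEMD-160 certainly; SHA3 variants too if the sequoia default policy otherwise accepts them, which is worth confirming). Suggested addition: `# Only SHA1 second-preimage resistance is relaxed; SHA1 collision resistance and every algorithm not listed here stay rejected via default_disposition.` Since the file is written only when absent, a stale or user-provided `rpm-sequoia.config` already in the package manager tree silently takes precedence over this default, which deserves a line in the comment as well. Whether a config containing only the `[hash_algorithms]` table leaves the other policy sections at sequoia's defaults is presumably the intent but is not visible here. setup_rpm starts outside the hunk.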
index 053a928c59f01b0055c3316115fae14ad5584631..15bf449f309a02b8d81df68dcbcba57cdc499641 100644 (file)
@@ -57,7 +57,6 @@ def finalize_crypto_mounts(tools: Path = Path("/")) -> list[PathString]:
         for subdir in (
             Path("etc/pki"),
             Path("etc/ssl"),
-            Path("etc/crypto-policies"),
             Path("etc/ca-certificates"),
             Path("etc/pacman.d/gnupg"),
             Path("var/lib/ca-certificates"),