From: Daan De Meyer
Date: Fri, 23 Feb 2024 11:34:50 +0000 (+0100)
Subject: Stop using /etc/crypto-policies from host or tools tree
X-Git-Tag: v21~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b34f3eb09cede8d29e937abad1843269b2bbdc0b;p=thirdparty%2Fmkosi.git

Stop using /etc/crypto-policies from host or tools tree

Instead we provide our policy for rpm-sequoia that generally follows the sequoia default policy except SHA1 is allowed as various distributions still use SHA1 in their GPG keys.
---

diff --git a/mkosi/installer/rpm.py b/mkosi/installer/rpm.py
index ab1f44280..6fb1daab9 100644
--- a/mkosi/installer/rpm.py
+++ b/mkosi/installer/rpm.py
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
 
 import subprocess
+import textwrap
 from pathlib import Path
 from typing import NamedTuple, Optional
 
@@ -46,6 +47,25 @@ def setup_rpm(context: Context, *, dbpath: str = "/usr/lib/sysimage/rpm") -> Non
 for plugin in plugindir.iterdir():
 f.write(f"%__transaction_{plugin.stem} %{{nil}}\n")
 
+ # Write an rpm sequoia policy that allows SHA1 as various distribution GPG keys (OpenSUSE) still use SHA1 for
+ # various things.
+ # TODO: Remove when all rpm distribution GPG keys have stopped using SHA1.
+ if not (p := context.pkgmngr / "etc/crypto-policies/back-ends/rpm-sequoia.config").exists():
+ p.parent.mkdir(parents=True, exist_ok=True)
+ p.write_text(
+ textwrap.dedent(
+ """
+ [hash_algorithms]
+ sha1.second_preimage_resistance = "always"
+ sha224 = "always"
+ sha256 = "always"
+ sha384 = "always"
+ sha512 = "always"
+ default_disposition = "never"
+ """
+ )
+ )
+
 
 def rpm_cmd(context: Context) -> list[PathString]:
 return ["env", "HOME=/", "rpm", "--root", context.root]
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 053a928c5..15bf449f3 100644
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
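Review bot: The comment above the new policy block in setup_rpm overstates what the config relaxes: the only SHA1 line is `sha1.second_preimage_resistance = "always"`, so — if I read sequoia's policy-config format correctly — SHA1 is accepted only where second-preimage resistance suffices (key self-signatures and bindings), while uses that need collision resistance (signatures over attacker-influenceable data) keep the sequoia default, and `default_disposition = "never"` only covers unlisted algorithms. That distinction is the whole security argument for this file and should be written down so nobody later "simplifies" it to `sha1 = "always"`; I would replace the first comment with `# Write an rpm-sequoia policy that accepts SHA1 only for second-preimage resistance (key self-signatures), because various distribution GPG keys (OpenSUSE) still use it there; SHA1 where collision resistance is needed stays rejected by the sequoia default.` The `if not (...).exists()` guard also deserves a one-line comment stating whether a pre-existing file in pkgmngr is meant as an override, since otherwise a stale policy from an earlier run would silently win. How rpm-sequoia is pointed at this path inside the sandbox is not visible in the hunk, so I assume it relies on the default lookup location under /etc.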
@@ -57,7 +57,6 @@ def finalize_crypto_mounts(tools: Path = Path("/")) -> list[PathString]:
 for subdir in (
 Path("etc/pki"),
 Path("etc/ssl"),
- Path("etc/crypto-policies"),
 Path("etc/ca-certificates"),
 Path("etc/pacman.d/gnupg"),
 Path("var/lib/ca-certificates"),