Improve error message when a policy's cutoff is always
rpm-sequoia will start linting errors like this:
$ sudo update-crypto-policies --set FUTURE
$ LD_PRELOAD=$HOME/rpm-sequoia/target/release/librpm_sequoia.so ./rpm -i ~/anydesk-6.1.1-1.el7.x86_64.rpm
error: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29 (philandro Software GmbH <info@philandro.com>):
1. Signature 155143, created at Tue Apr 13 11:08:37 2021 invalid: it relies on legacy cryptography
because: Policy rejected non-revocation signature (Binary) requiring collision resistance
because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
2. Certificate 18DF3741CDFFDE29 invalid: policy violation
because: No binding signature at time 2021-04-13T11:08:37Z
error: /home/neal/anydesk-6.1.1-1.el7.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
error: /home/neal/anydesk-6.1.1-1.el7.x86_64.rpm cannot be installed
This caught my eye though:
because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
Maybe it's a side-effect of how the policy implements it (I wouldn't know), but claiming SHA1 not considered secure decades before it was even invented does seem a bit odd 🙂
He's right that the message is a bit strange. This is because fedora-crypto-policies just denies SHA-1, and doesn't use a cutoff time. The StandardPolicy uses the Unix epoch to mean never accept an algorithm. We should improve the error in this case. And we should do it not just for hash algorithms, but for all cutoffs.
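An added sketch of the requested behaviour, not Sequoia's code: a cutoff check that treats the Unix epoch as the "never accept" sentinel and reports it without a date, for any algorithm name. `check_cutoff`, `rfc3339`, the message wording and the dated sample cutoff are assumptions made for this illustration.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// Format a SystemTime at or after the epoch as RFC 3339 UTC (std only).
fn rfc3339(t: SystemTime) -> String {
    let secs = t.duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
    let (days, rem) = ((secs / 86_400) as i64, secs % 86_400);
    // Days since 1970-01-01 to a civil date (proleptic Gregorian calendar).
    let z = days + 719_468;
    let (era, doe) = (z / 146_097, z % 146_097);
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let (d, m) = (doy - (153 * mp + 2) / 5 + 1, if mp < 10 { mp + 3 } else { mp - 9 });
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z", y, m, d, rem / 3600, rem % 3600 / 60, rem % 60)
}

// Hypothetical cutoff check. `None`: no cutoff configured. `Some(UNIX_EPOCH)`:
// the "never accept" sentinel. Any other value: rejected from that time on.
fn check_cutoff(algo: &str, cutoff: Option<SystemTime>, at: SystemTime) -> Result<(), String> {
    match cutoff {
        None => Ok(()),
        // A date would be misleading here, so the message carries none.
        Some(c) if c == UNIX_EPOCH => Err(format!("{} is never accepted by this policy", algo)),
        Some(c) if at >= c => {
            Err(format!("{} is not considered secure since {}", algo, rfc3339(c)))
        }
        Some(_) => Ok(()),
    }
}

fn main() {
    // Signature creation time from the output above: 2021-04-13T11:08:37Z.
    let sig_time = UNIX_EPOCH + Duration::from_secs(1_618_312_117);
    // Constructed sample cutoff: 2020-09-13T12:26:40Z.
    let dated = UNIX_EPOCH + Duration::from_secs(1_600_000_000);
    for (algo, cutoff) in [("SHA1", Some(UNIX_EPOCH)), ("SHA1", Some(dated)), ("SHA256", None)] {
        println!("{}: {:?}", algo, check_cutoff(algo, cutoff, sig_time));
    }
}
```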