This fixes an issue where Fedora-38 hosts cannot build CentOS-Stream-9 images due to an incompatible gpg key with the new default settings for rpm.

On Fedora-38, rpm has changed to use a new backend for key verification and by default does not support SHA1 anymore, although the support for SHA1 can be re-enabled via a config file. The (current) CentOS-Stream-9 keys, however, still require SHA1 support in order to be importable. So they are now unusable on Fedora-38 unless SHA1 support is re-enabled.

In OSBuild, the initial chroot does not contain the config files and so SHA1 support is disabled when rpmkeys from the host is called. It does not matter if the crypto-policies on the host machine are configured with the exception to support SHA1 because the chroot filters that out. This means it may not be possible to assemble CentOS-Stream-9 based images without disabling the key check.

This patch adds an explicit conditional case for Fedora-38 to inject the needed configuration file into /etc/crypto-policies/back-ends to enable SHA1 support for rpm by default. It does this by copying the default policies from /usr/share/crypto-policies. The result is OSBuild behaving similarly to the previous behaviour seen on Fedora-37 and earlier.
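
The injection step described in the commit message, sketched as an added example (not the patch's or OSBuild's own code): it fills `/etc/crypto-policies/back-ends` under a build root from the shipped defaults without overwriting anything already configured. The `back-ends/DEFAULT` subdirectory, the function names and the sample file names are assumptions of this example.

```python
import shutil
import tempfile
from pathlib import Path

# Directories named in the commit message, relative to the build root.
# The "back-ends/DEFAULT" subdirectory is an assumption of this example.
ETC_BACKENDS = "etc/crypto-policies/back-ends"
DEFAULT_BACKENDS = "usr/share/crypto-policies/back-ends/DEFAULT"


def seed_crypto_policies(root):
    """Copy missing default back-end configs into root's /etc; return names copied."""
    src = Path(root) / DEFAULT_BACKENDS
    dst = Path(root) / ETC_BACKENDS
    if not src.is_dir():
        raise FileNotFoundError(f"no default policies under {src}")
    dst.mkdir(parents=True, exist_ok=True)
    copied = []
    for entry in sorted(src.iterdir()):
        target = dst / entry.name
        # Never overwrite a policy that is already configured.
        if target.exists() or target.is_symlink():
            continue
        # is_file() follows symlinks, so directories and dangling links are skipped.
        if not entry.is_file():
            continue
        # copyfile() dereferences symlinks: the result is a regular file that
        # stays readable even if the link target is not visible later.
        shutil.copyfile(entry, target)
        copied.append(entry.name)
    return copied


def demo():
    """Run against a constructed tree; file names and contents are samples."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / DEFAULT_BACKENDS
        src.mkdir(parents=True)
        (src / "rpm-sequoia.config").write_text("# constructed sample\n")
        (src / "gnutls.config").write_text("# constructed sample\n")
        etc = Path(root) / ETC_BACKENDS
        etc.mkdir(parents=True)
        (etc / "gnutls.config").write_text("# pre-existing, must survive\n")
        first = seed_crypto_policies(root)
        second = seed_crypto_policies(root)  # idempotent: nothing left to copy
        kept = (etc / "gnutls.config").read_text()
        return first, second, kept


if __name__ == "__main__":
    print(demo())
```
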
| Name |
|---|
| org.osbuild.arch |
| org.osbuild.asahi-fedora-remix |
| org.osbuild.AutoSD9 |
| org.osbuild.centos8 |
| org.osbuild.centos9 |
| org.osbuild.fedora30 |
| org.osbuild.fedora38 |
| org.osbuild.linux |
| org.osbuild.rhel7 |
| org.osbuild.rhel81 |
| org.osbuild.rhel82 |
| org.osbuild.ubuntu1804 |