Use --allow-weak-hashes instead of disabling signature verification entirely

[DemiMarie]

rpmcanon provides the --allow-weak-hashes argument to allow packages signed with SHA-1 to be installed, which is (much) better than turning off signature verification.

[cfcs]

@DemiMarie That sounds great, what is rpmcanon ?

[DemiMarie]

@DemiMarie That sounds great, what is rpmcanon ?

It’s a Rust tool for canonicalizing RPM packages, verifying the signatures, and stripping anything nasty in them. Qubes OS uses it for all dom0 updates and for all calls to qvm-template (no matter which qube they are made from).

[cfcs]

Is it possible to get qubes-update-dom0 to pass --allow-weak-hashes or what is your suggested approach?

[DemiMarie]

Is it possible to get qubes-update-dom0 to pass --allow-weak-hashes or what is your suggested approach?

Not directly, though one can patch /etc/qubes-rpc/qubes.RecieveUpdates. That said, we should really get ZFS to sign its RPMs with a better hash, since SHA-1 support in signatures is going away.

[cfcs]

openzfs/zfs#13176 (comment)
Looks like you succeeded in getting it fixed upstream!

[DemiMarie]

openzfs/zfs#13176 (comment) Looks like you succeeded in getting it fixed upstream!

Yup! Time to turn signature verification back on!