[packages/crypto-policies] - new, bare skeleton to make rpm built sequoia work
baggins
baggins at pld-linux.org
Thu Feb 6 10:03:16 CET 2025
commit 6cf3cc3392796662252b8a65008443df46213e38
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Thu Feb 6 09:51:37 2025 +0100
- new, bare skeleton to make rpm built sequoia work
crypto-policies.spec | 44 ++++++++++++++++++++++++++++++++++++++++++++
rpm-sequoia.txt | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
sequoia.txt | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
---
diff --git a/crypto-policies.spec b/crypto-policies.spec
new file mode 100644
index 0000000..8d6c3aa
--- /dev/null
+++ b/crypto-policies.spec
@@ -0,0 +1,44 @@
+#
+# TODO: extend based on https://gitlab.com/redhat-crypto/fedora-crypto-policies and
+# https://src.fedoraproject.org/rpms/crypto-policies
+# We may need to create our own fork of that.
+#
+# Only sequoia for now to make rpm able to validate signatures.
+#
+Summary: System-wide crypto policies
+Name: crypto-policies
+Version: 0.1
+Release: 1
+License: LGPL
+Source0: sequoia.txt
+Source1: rpm-sequoia.txt
+#URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with cryptographic
+policies for various cryptographic back-ends, such as SSL/TLS
+libraries.
+
+%prep
+
+%build
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies/{back-ends,state,local.d,policies/modules}
+
+cp -p %{SOURCE0} $RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+cp -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+
+%files
+%defattr(644,root,root,755)
+%dir %{_sysconfdir}/crypto-policies
+%dir %{_sysconfdir}/crypto-policies/back-ends
+%dir %{_sysconfdir}/crypto-policies/state
+%dir %{_sysconfdir}/crypto-policies/local.d
+%dir %{_sysconfdir}/crypto-policies/policies
+%dir %{_sysconfdir}/crypto-policies/policies/modules
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
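Review bot: Both policy files are marked `%ghost` in `%files`, so rpm records the paths but does not put their contents in the package payload. No scriptlet in this spec creates them after install, so the two `cp -p` lines in `%install` have no effect on an installed system. If the intent is for the Sequoia backend to read these policies, ship them as regular config files, e.g. `%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config`, and the same for `rpm-sequoia.config`. That line also drops `%verify(not mode)`; these files decide which signature algorithms are accepted, so `rpm -V` should report a permission change on them.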
diff --git a/rpm-sequoia.txt b/rpm-sequoia.txt
new file mode 100644
index 0000000..cec1d15
--- /dev/null
+++ b/rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
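Review bot: `sha1.collision_resistance = "always"` and the four `dsa* = "always"` lines (including `dsa1024`) make this policy accept SHA-1 and 1024-bit DSA signatures with no end date, and nothing in the file says why. sequoia.txt in the same commit sets all of these to "never", so the relaxation looks deliberate, presumably to keep packages signed with older keys verifiable. A comment should state that, for example `# SHA-1 and DSA stay enabled for rpm only, to verify packages signed with legacy keys; tighten once those are re-signed`. If the policy parser in use accepts a cutoff date in place of "always" (confirm against the packaged sequoia-policy-config version), a dated value would let the exception expire on its own.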
diff --git a/sequoia.txt b/sequoia.txt
new file mode 100644
index 0000000..135997c
--- /dev/null
+++ b/sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
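Review bot: The file has no header comment recording where these values came from. The spec's TODO points at fedora-crypto-policies, so I assume this is a copy of one of its generated back-end files. A line such as `# Based on fedora-crypto-policies <policy name>, <upstream version>; rpm-sequoia.txt differs only in the sha1 and dsa* entries` would let later updates be diffed against upstream. It would also make the intended relationship between the two files explicit.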
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/crypto-policies.git/commitdiff/6cf3cc3392796662252b8a65008443df46213e38