Disable SHA-1 signatures on RHEL/ELN
parent
55eaa10d2d
commit
c2c3f7ee33
2 changed files with 26 additions and 6 deletions
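--- a/0001-disable-sha1-signature.patch
+++ b/0001-disable-sha1-signature.patch
@@ -0,0 +1,13 @@
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 48f4265b0..31b1f3b20 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -333,7 +333,7 @@ class Backend:
+) -> bool:
+# Dedicated check for hashing algorithm use in message digest for
+# signatures, e.g. RSA PKCS#1 v1.5 SHA1 (sha1WithRSAEncryption).
+- if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
++ if isinstance(algorithm, hashes.SHA1):
+return False
+return self.hash_supported(algorithm)
+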
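Review bot: The comment kept above the changed condition still describes a generic digest check, so nothing in `signature_hash_supported` records that SHA-1 is now refused regardless of FIPS mode as a downstream policy; a line such as `# Downstream (RHEL/ELN): SHA-1 signatures are reported as unsupported even outside FIPS mode.` above `if isinstance(algorithm, hashes.SHA1):` would keep that visible on the next rebase. The patch file also starts directly at `diff --git` with no description header, so a short preamble saying that it is downstream-only, and why, would help whoever has to carry it forward. As far as the hunk shows, this changes only what the backend reports to callers that ask; whether a SHA-1 signature is actually refused at sign or verify time presumably still depends on the OpenSSL policy in effect, which is worth confirming with a test on the RHEL build. The method's signature starts outside the hunk.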
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
Name: python-%{srcname}
|
||||
Version: 39.0.2
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: PyCA's cryptography library
|
||||
|
||||
# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
|
||||
|
|
@ -19,6 +19,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
|
|||
Source1: cryptography-%{version}-vendor.tar.bz2
|
||||
Source2: conftest-skipper.py
|
||||
|
||||
# OpenSSL backend signature_hash_supported(hashes.SHA1) -> False
|
||||
Patch0001: 0001-disable-sha1-signature.patch
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
BuildRequires: openssl-devel
|
||||
|
|
@ -67,7 +70,12 @@ cryptography is a package designed to expose cryptographic primitives and
|
|||
recipes to Python developers.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{srcname}-%{version}
|
||||
%autosetup -N -n %{srcname}-%{version}
|
||||
%if 0%{?rhel}
|
||||
# disable SHA-1 signatures
|
||||
%autopatch -p1 0001
|
||||
%endif
|
||||
|
||||
%if 0%{?fedora}
|
||||
%cargo_prep
|
||||
rm src/rust/Cargo.lock
|
||||
|
|
@ -103,10 +111,6 @@ rm -rf tests/hypothesis tests/x509
|
|||
cat < %{SOURCE2} >> tests/conftest.py
|
||||
%endif
|
||||
|
||||
# enable SHA-1 signatures for RSA tests
|
||||
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
|
||||
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
|
||||
|
||||
# see https://github.com/pyca/cryptography/issues/4885 and
|
||||
# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
|
||||
# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
|
||||
|
|
@ -125,6 +129,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
|
|||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
||||
|
||||
%changelog
|
||||
* Tue Mar 14 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-3
|
||||
- Disable SHA-1 signatures on RHEL/ELN
|
||||
|
||||
* Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
|
||||
- Don't run tests requiring pytz on RHEL
|
||||
- Don't try to run tests of vendored dependencies in %%check
|
||||
|
|
|
|||
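Review bot: In `%prep`, `%autosetup -N` turns off automatic patch application for every target, so any patch added later is skipped without a warning unless it gets its own `%autopatch` line; a comment next to it, e.g. `# -N: patches are applied selectively below, add an %%autopatch line for each new PatchNNNN`, would make that explicit. Positional patch numbers as in `%autopatch -p1 0001` are, as far as I know, accepted only by newer rpm releases, so `%autopatch -p1 -m 1 -M 1` may be the safer spelling if older builders matter. The `%check` hunk drops `export OPENSSL_ENABLE_SHA1_SIGNATURES=yes` for all targets while the patch is applied only under `%if 0%{?rhel}`, so it is worth confirming that the non-RHEL build does not rely on that variable for the RSA tests.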