An implementation of RPM’s OpenPGP interface.

This library provides an implementation of RPM’s OpenPGP interface.

You should not link to this library directly.

If you are looking for an OpenPGP interface, consider using Sequoia, which this library is based on. If you want to use RPM’s OpenPGP interface, which you should only do if you are interacting with RPM, then you should link against RPM, which reexports this interface.

If you are investigating a bug in this library, set the RPM_TRACE environment variable to 1 to get a verbose trace of the library’s execution:

$ LD_LIBRARY_PATH=/tmp/rpm-sequoia/release RPM_TRACE=1 ./rpmkeys \
  --import ../tests/data/keys/CVE-2021-3521-badbind.asc
_rpmInitCrypto: entered
_rpmInitCrypto: -> success
_pgpParsePkts: entered
...

Policy

When Sequoia evaluates the validity of an object (e.g., a cryptographic signature) it consults a policy. The policy is user defined. This library uses Sequoia’s standard policy.

Sequoia’s standard policy allows self-signatures (i.e., the signatures that bind a User ID or subkey to a certificate) made with SHA-1 until February 2023. It completely disallows data signatures made with SHA-1. The reason for this is that SHA-1 collision resistance is broken, but its second pre-image resistance is still okay.

As an added protection, Sequoia uses SHA-1 collision detection (SHA-1 CD), a variant of SHA-1 that detects and mitigates known attacks against SHA-1. SHA-1 CD has a very low false positive rate (2^-90), so it can be treated as a drop-in, fully compatible replacement for SHA-1.

Modules

Structs

Functions

Wraps the data in ASCII armor.

Returns the object’s public key or hash algorithm.

“Compares” the two parameters and returns 1 if they differ and 0 if they match.

Returns the object’s time.

Frees the parameters.

Returns the issuer or the Key ID.

Returns the primary User ID, if any.

Returns the object’s version.

Strips the ASCII armor and returns the decoded data in pkt.

Parses OpenPGP data.

Returns a PgpDigParams data structure for each subkey.

Returns the length of the certificate in bytes.

Lints the first certificate in pkts.

Returns the Key ID of the public key or the secret key stored in pkt.

Returns the signature’s type.

Verifies the signature.