Sync from SUSE:SLFO:Main crypto-policies revision 9cefc04f311fdcca5a7b3a6516a7e9bc

2024-05-03 11:55:31 +02:00 · 2024-05-03 11:55:31 +02:00 · dc89d67bf7
commit dc89d67bf7
19 changed files with 1356 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,6 @@
+Currently, the supported back-end policies are:
+  * OpenSSL library
+  * GnuTLS library
+  * OpenJDK
+
+The rest of the modules ignore the policy settings for the time being.
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+<services>
+  <service name="tar_scm" mode="disabled">
+    <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
+    <param name="scm">git</param>
+    <param name="versionformat">%cd.%h</param>
+    <param name="changesgenerate">enable</param>
+    <param name="revision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param>
+  </service>
+  <service name="recompress" mode="disabled">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+  <service name="set_version" mode="disabled"/>
+</services>
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
+              <param name="changesrevision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param></service></servicedata>
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -0,0 +1,181 @@
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
+ 	exit 1
+ fi
+ 
+# This check must be done as root, otherwise it will fail.
+is_transactional_system=0
+if test ! -w /usr ; then
+	is_transactional_system=1
+fi
+
+# We don't handle the setup on transactional systems as the process is
+# quite different and involves several reboots.
+if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
+    cond_echo -n "Cannot handle transactional systems. "
+    cond_echo "Please, refer to the fips-mode-setup man pages for more information."
+    exit 1
+fi
+ 
+ # Detect 1: kernel FIPS flag
+ fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+@@ -204,9 +217,22 @@ else
+         fi
+ fi
+ 
+-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+-	echo "The grubby command is missing, please configure the bootloader manually."
+-	boot_config=0
+if test "$boot_config" = 1 ; then
+	# Install required packages: patterns-base-fips and perl-Bootloader
+	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test ! -x "$(command -v pbl)" && \
+		test "$enable_fips" = 1; then
+		zypper -n install patterns-base-fips perl-Bootloader
+	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+		test "$enable_fips" = 1 ; then
+		zypper -n install patterns-base-fips
+	elif test ! -x "$(command -v pbl)" ; then
+		zypper -n install perl-Bootloader
+	fi
+	if test $? != 0 ; then
+		echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
+		boot_config=0
+	fi
+ fi
+ 
+ echo "FIPS mode will be $(enable2txt $enable_fips)."
+@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
+ 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+ 	echo "and reboot the system for the setting to take effect."
+ else
+-	grubby --update-kernel=ALL --args="$fipsopts"
+-	if test x"$(uname -m)" = xs390x; then
+-		if command -v zipl >/dev/null; then
+-			zipl
+-		else
+-			echo -n '`zipl` execution has been skipped: '
+-			echo '`zipl` not found.'
+-		fi
+-	fi
+	pbl --add-option "$fipsopts"
+	grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
+
+	# grubby --update-kernel=ALL --args="$fipsopts"
+	# if test x"$(uname -m)" = xs390x; then
+	# 	if command -v zipl >/dev/null; then
+	# 		zipl
+	# 	else
+	# 		echo -n '`zipl` execution has been skipped: '
+	# 		echo '`zipl` not found.'
+	# 	fi
+	# fi
+
+ 	echo "Please reboot the system for the setting to take effect."
+ fi
+ 
+Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
+++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
+@@ -24,6 +24,15 @@ fi
+ 
+ umask 022
+ 
+# Install required packages: patterns-base-fips and perl-Bootloader
+if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
+       zypper -n install patterns-base-fips perl-Bootloader
+elif test ! -f $dracut_cfg ; then
+       zypper -n install patterns-base-fips
+elif test ! -x "$(command -v pbl)" ; then
+       zypper -n install perl-Bootloader
+fi
+
+ if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
+ 	# No dracut configuration or boot directory present, do not try to modify it.
+ 	# Also, on OSTree systems, we currently rely on the initrd already including
+@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
+ 	exit 0
+ fi
+ 
+-if test x"$1" == x--complete; then
+-	trap "rm -f $dracut_cfg" ERR
+-	cat >$dracut_cfg <<EOF
+-# turn on fips module
+-
+-add_dracutmodules+=" fips "
+-EOF
+-elif test x"$1" == x--undo; then
+-	rm -f $dracut_cfg
+-fi
+-
+-echo "Kernel initramdisks are being regenerated. This might take some time."
+-
+-dracut -f --regenerate-all
+-
+-# This is supposed to be a fast and safe operation that's always good to run.
+-# Regenerating an initrd and skipping it might render the system unbootable
+-# (RHBZ#2013195).
+-if test x"$(uname -m)" = xs390x; then
+-	if command -v zipl >/dev/null; then
+-		zipl
+-	else
+-		echo '`zipl` execution has been skipped: `zipl` not found.'
+-	fi
+-fi
+# if test x"$1" == x--complete; then
+# 	trap "rm -f $dracut_cfg" ERR
+# 	cat >$dracut_cfg <<EOF
+# # turn on fips module
+
+# add_dracutmodules+=" fips "
+# EOF
+# elif test x"$1" == x--undo; then
+# 	rm -f $dracut_cfg
+# fi
+
+# echo "Kernel initramdisks are being regenerated. This might take some time."
+
+# dracut -f --regenerate-all
+
+# # This is supposed to be a fast and safe operation that's always good to run.
+# # Regenerating an initrd and skipping it might render the system unbootable
+# # (RHBZ#2013195).
+# if test x"$(uname -m)" = xs390x; then
+# 	if command -v zipl >/dev/null; then
+# 		zipl
+# 	else
+# 		echo '`zipl` execution has been skipped: `zipl` not found.'
+# 	fi
+# fi
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+@@ -45,6 +45,23 @@ Then the command modifies the boot loade
+ When disabling the system FIPS mode the system crypto policy is switched
+ to DEFAULT and the kernel command line option 'fips=0' is set.
+ 
+On transactional systems, enabling the system in FIPS mode with the
+fips-mode-setup tool is not implemented. To enable the FIPS mode in these
+systems requires the following steps:
+
+	1.- Install the FIPS pattern on a running system:
+	    # transactional-update pkg install -t pattern microos-fips
+
+	2.- Reboot your system.
+
+	3.- Add the kernel command line parameter fips=1 to the boot loader
+	    configuration. To do so, edit the file /etc/default/grub and add
+	    fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
+
+	4.- After logging in to the system, run:
+	    # transactional-update grub.cfg
+
+	5.- Reboot your system.
+ 
+ [[options]]
+ OPTIONS
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@ -0,0 +1,28 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
+++ fedora-crypto-policies-20230420.3d08ae7/Makefile
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man7
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man8
+ 	mkdir -p $(DESTDIR)$(BINDIR)
+-	install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+-	install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+-	install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+	# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+	# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+	# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ 	mkdir -p $(DESTDIR)$(DIR)/
+ 	install -p -m 644 default-config $(DESTDIR)$(DIR)
+ 	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -114,8 +114,8 @@ clean:
+ 	rm -rf output
+ 
+ %: %.txt
+-	$(ASCIIDOC) -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+	#$(ASCIIDOC) -v -d manpage -b docbook $<
+	#xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+ 
+ dist:
+ 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--- a/crypto-policies-nss.patch
+++ b/crypto-policies-nss.patch
@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
+         try:
+             with os.fdopen(fd, 'w') as f:
+                 f.write(config)
+-            try:
+-                ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+-                           '>/dev/null',
+-                           shell=True)
+-            except CalledProcessError:
+-                cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            if os.path.exists('/usr/bin/nss-policy-check'):
+                # Perform a policy check only if the mozilla-nss-tools
+                # package is installed. This avoids adding more
+                # dependencies to Ring0.
+                try:
+                    ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+                               '>/dev/null', shell=True)
+                except CalledProcessError:
+                    cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            else:
+                # The mozilla-nss-tools package is not installed and we can
+                # temporarily skip the policy check for mozilla-nss.
+                ret = 3
+
+         finally:
+             os.unlink(path)
+ 
+@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
+             cls.eprint("There is a warning in NSS generated policy")
+             cls.eprint(f'Policy:\n{config}')
+             return False
+        elif ret == 3:
+            cls.eprint('Skipping NSS policy check: '
+                       '/usr/bin/nss-policy-check not found')
+            return True
+         elif ret:
+             cls.eprint("There is an error in NSS generated policy")
+             cls.eprint(f'Policy:\n{config}')
--- a/crypto-policies-policygenerators.patch
+++ b/crypto-policies-policygenerators.patch
@ -0,0 +1,43 @@
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .java import JavaSystemGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
+# from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator
+@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
+ from .openssl import OpenSSLConfigGenerator
+ from .openssl import OpenSSLGenerator
+ from .openssl import OpenSSLFIPSGenerator
+-from .sequoia import SequoiaGenerator
+-from .sequoia import RPMSequoiaGenerator
+# from .sequoia import SequoiaGenerator
+# from .sequoia import RPMSequoiaGenerator
+ 
+ __all__ = [
+     'BindGenerator',
+@@ -25,7 +25,6 @@ __all__ = [
+     'JavaGenerator',
+     'JavaSystemGenerator',
+     'KRB5Generator',
+-    'LibreswanGenerator',
+     'LibsshGenerator',
+     'NSSGenerator',
+     'OpenSSHClientGenerator',
+@@ -33,6 +32,8 @@ __all__ = [
+     'OpenSSLConfigGenerator',
+     'OpenSSLGenerator',
+     'OpenSSLFIPSGenerator',
+-    'SequoiaGenerator',
+-    'RPMSequoiaGenerator',
+ ]
+
+#   'LibreswanGenerator',
+#   'SequoiaGenerator',
+#   'RPMSequoiaGenerator',
--- a/crypto-policies-pylint.patch
+++ b/crypto-policies-pylint.patch
@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20230614.5f3458e/Makefile
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
+++ fedora-crypto-policies-20230614.5f3458e/Makefile
+@@ -44,8 +44,8 @@ runflake8:
+ 	@find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
+ 
+ runpylint:
+-	PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
+-	PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
+	PYTHONPATH=. pylint --rcfile=pylintrc python
+	PYTHONPATH=. pylint --rcfile=pylintrc tests
+ 	@echo "[ OK ]"
+ 
+ runcodespell:
--- a/crypto-policies-revert-rh-allow-sha1-signatures.patch
+++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch
@ -0,0 +1,327 @@
+From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 8 Apr 2022 13:47:29 +0200
+Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+
+
+Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+@@ -66,7 +66,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
+@@ -3,7 +3,3 @@
+ hash = -SHA1
+ sign = -*-SHA1
+ sha1_in_certs = 0
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py
+++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+@@ -24,7 +24,6 @@ from . import validation  # moved out of
+ INT_DEFAULTS = {k: 0 for k in (
+     'arbitrary_dh_groups',
+     'min_dh_size', 'min_dsa_size', 'min_rsa_size',
+-    '__openssl_block_sha1_signatures',  # FUTURE/TEST-FEDORA39/NO-SHA1
+     'sha1_in_certs',
+     'ssh_certs', 'ssh_etm',
+ )}
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+@@ -7,13 +7,6 @@ from subprocess import check_output, Cal
+ 
+ from .configgenerator import ConfigGenerator
+ 
+-RH_SHA1_SECTION = '''
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = {}
+-'''
+ 
+ FIPS_MODULE_CONFIG = '''
+ [fips_sect]
+@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
+         if policy.enums['__ems'] == 'RELAX':
+             s += 'Options = RHNoEnforceEMSinFIPS\n'
+ 
+-        # In the future it'll be just
+-        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
+-        # but for now we slow down the roll-out and we have
+-        sha1_sig = not policy.integers['__openssl_block_sha1_signatures']
+-        s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no')
+-
+         return s
+ 
+     @classmethod
+Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol
+++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+@@ -73,7 +73,3 @@ sha1_in_dnssec = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
+@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
+ Ciphersuites = 
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
+@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
+ TLS.MaxProtocol = TLSv1.3
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
+@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted(
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+@@ -68,7 +68,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures will blocked in OpenSSL
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Options = RHNoEnforceEMSinFIPS
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
--- a/crypto-policies-supported.patch
+++ b/crypto-policies-supported.patch
@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
+* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
+* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
+* NSS library (NSS, SSL, TLS) (Not supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported)
+ 
+-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)
+ 
+-* BIND (BIND, DNSSec)
+* BIND (BIND, DNSSec) (Not supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
+* OpenSSH (OpenSSH, SSH) (Not supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
+* Libreswan (libreswan, IKE, IPSec) (Not supported)
+ 
+-* libssh (libssh, SSH)
+* libssh (libssh, SSH) (Not supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Thu Oct  5 12:35:57 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove dependency on /usr/bin/python3, making scripts to depends on
+  the real python3 binary, not the link. bsc#1212476
+
+-------------------------------------------------------------------
+Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- nss: Skip the NSS policy check if the mozilla-nss-tools package
+  is not installed. This avoids adding more dependencies in ring0.
+  * Add crypto-policies-nss.patch [bsc#1211301]
+
+-------------------------------------------------------------------
+Fri Sep 22 10:27:53 UTC 2023 -  Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20230920.570ea89:
+  * fips-mode-setup: more thorough --disable, still unsupported
+  * FIPS:OSPP: tighten beyond reason for OSPP 4.3
+  * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+  * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
+  * gnutls: prepare for tls-session-hash option coming
+  * nss: prepare for TLS-REQUIRE-EMS option coming
+  * NO-ENFORCE-EMS: add subpolicy
+  * FIPS: set __ems = ENFORCE
+  * cryptopolicies: add enums and __ems tri-state
+  * docs: replace `FIPS 140-2` with just `FIPS 140`
+  * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
+  * cryptopolicies: add comments on dunder options
+  * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+  * BSI: start a BSI TR 02102 policy [jsc#PED-4933]
+  * Rebase patches:
+    - crypto-policies-policygenerators.patch
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+    - crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Conditionally recommend the crypto-policies-scripts package
+  when python is not installed in the system [bsc#1215201]
+
+-------------------------------------------------------------------
+Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Tests: Fix pylint versioning for TW and fix the parsing of the
+  policygenerators to account for the commented lines correctly.
+  * Add crypto-policies-pylint.patch
+  * Rebase crypto-policies-policygenerators.patch
+
+-------------------------------------------------------------------
+Tue Aug  1 12:23:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Adapt the fips-mode-setup script to use the pbl command
+  from the perl-Bootloader package to replace grubby. Add a note
+  for transactional systems [jsc#PED-5041].
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933)
+  derived from NEXT.pol
+
+-------------------------------------------------------------------
+Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20230614.5f3458e:
+  * policies: impose old OpenSSL groups order for all back-ends
+  * Rebase patches:
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+    - crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Thu May 25 11:28:12 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
+  and fips-finish-install commands, add also the man pages. The
+  required FIPS modules are left to be installed by the user.
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed May 24 20:04:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Revert a breaking change that introduces the config option
+  rh-allow-sha1-signatures that is unkown to OpenSSL and fails
+  on startup. We will consider adding this option to openssl.
+  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
+  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon May  8 09:45:45 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update the update-crypto-policies(8) man pages and README.SUSE
+  to mention the supported back-end policies. [bsc#1209998]
+  * Add crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Mon May 08 06:32:49 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20230420.3d08ae7:
+  * openssl, alg_lists: add brainpool support
+  * openssl: set Groups explicitly
+  * codespell: ignore aNULL
+  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
+  * sequoia: add separate rpm-sequoia backend
+  * crypto-policies.7: state upfront that FUTURE is not so interoperable
+  * Makefile: update for asciidoc 10
+  * Skip not needed LibreswanGenerator and SequoiaGenerator:
+    - Add crypto-policies-policygenerators.patch
+  * Remove crypto-policies-test_supported_modules_only.patch
+  * Rebase crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 09:25:22 UTC 2023  - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20221214.a4c31a3:
+  * bind: expand the list of disableable algorithms
+  * libssh: Add support for openssh fido keys
+  * .gitlab-ci.yml: install krb5-devel for krb5-config
+  * sequoia: check using sequoia-policy-config-check
+  * sequoia: introduce new back-end
+  * Makefile: support overriding asciidoc executable name
+  * openssh: make none and auto explicit and different
+  * openssh: autodetect and allow forcing RequiredRSASize presence/name
+  * openssh: remove _pre_8_5_ssh
+  * pylintrc: update
+  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
+  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
+  * Makefile: exclude built manpages from codespell
+  * add openssh HostbasedAcceptedAlgorithms
+  * openssh: add RSAMinSize option following min_rsa_size
+  * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
+  * docs: add customization recommendation
+  * tests/java: fix java.security.disableSystemPropertiesFile=true
+  * policies: add FEDORA38 and TEST-FEDORA39
+  * bind: control ED25519/ED448
+  * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+  * .gitlab-ci.yml: skip pylint (bz2069837)
+  * openssh: add support for sntrup761x25519-sha512@openssh.com
+  * fips-mode-setup: fix one unrelated check to intended state
+  * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
+  * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
+  * fips-mode-setup: catch more inconsistencies, clarify --check
+  * fips-mode-setup: improve handling FIPS plus subpolicies
+  * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
+  * gnutls: enable SHAKE, needed for Ed448
+  * gnutls: use allowlisting
+  * openssl: add newlines at the end of the output
+  * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
+  * fips-mode-setup, fips-finish-install: call zipl more often
+  * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
+    zero-length and non-conffile-in-etc warnings.
+  * Rebase patches:
+    - crypto-policies-FIPS.patch
+    - crypto-policies-no-build-manpages.patch
+  * Update README.SUSE
+
+-------------------------------------------------------------------
+Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove the scripts and documentation regarding
+  fips-finish-install and test-fips-setup
+  * Add crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20210917.c9d86d1:
+  * openssl: fix disabling ChaCha20
+  * pacify pylint 2.11: use format strings
+  * pacify pylint 2.11: specify explicit encoding
+  * fix minor things found by new pylint
+  * update-crypto-policies: --check against regenerated
+  * update-crypto-policies: fix --check's walking order
+  * policygenerators/gnutls: revert disabling DTLS0.9...
+  * policygenerators/java: add javasystem backend
+  * LEGACY: bump 1023 key size to 1024
+  * cryptopolicies: fix 'and' in deprecation warnings
+  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+  * nss: hopefully the last fix for nss sigalgs check
+  * cryptopolicies: Python 3.10 compatibility
+  * nss: postponing check + testing at least something
+  * Rename 'policy modules' to 'subpolicies'
+  * validation.rules: fix a missing word in error
+  * cryptopolicies: raise errors right after warnings
+  * update-crypto-policies: capitalize warnings
+  * cryptopolicies: syntax-precheck scope errors
+  * .gitlab-ci.yml, Makefile: enable codespell
+  * all: fix several typos
+  * docs: don't leave zero TLS/DTLS protocols on
+  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+  * alg_lists: order protocols new-to-old for consistency
+  * alg_lists: max_{d,}tls_version
+  * update-crypto-policies: fix pregenerated + local.d
+  * openssh: allow validation with pre-8.5
+  * .gitlab-ci.yml: run commit-range against upstream
+  * openssh: Use the new name for PubkeyAcceptedKeyTypes
+  * sha1_in_dnssec: deprecate
+  * .gitlab-ci.yml: test commit ranges
+  * FIPS:OSPP: sign = -*-SHA2-224
+  * scoped policies: documentation update
+  * scoped policies: use new features to the fullest...
+  * scoped policies: rewrite + minimal policy changes
+  * scoped policies: rewrite preparations
+  * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+    crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20210225.05203d2:
+  * Disable DTLS0.9 protocol in the DEFAULT policy.
+  * policies/FIPS: insignificant reformatting
+  * policygenerators/libssh: respect ssh_certs
+  * policies/modules/OSPP: tighten to follow RHEL 8
+  * crypto-policies(7): drop not-reenableable comment
+  * follow up on disabling RC4
+
+-------------------------------------------------------------------
+Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove not needed scripts: fips-finish-install fips-mode-setup
+
+-------------------------------------------------------------------
+Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938]
+  * The minimum DTLS protocol version in the DEFAULT and FUTURE
+    policies is DTLS1.2.
+  * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
+
+-------------------------------------------------------------------
+Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20210213.5c710c0: [bsc#1180938]
+  * setup_directories(): perform safer creation of directories
+  * save_config(): avoid re-opening output file for each iteration
+  * save_config(): break after first match to avoid unnecessary stat() calls
+  * CryptoPolicy.parse(): actually stop parsing line on syntax error
+  * ProfileConfig.parse_string(): correctly extended subpolicies
+  * Exclude RC4 from LEGACY
+  * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT
+  * code style: fix 'not in' membership testing
+  * pylintrc: tighten up a bit
+  * formatting: avoid long lines
+  * formatting: use f-strings instead of format()
+  * formatting: reformat all python code with autopep8
+  * nss: postponing the version check again, to 3.61
+  * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"
+
+-------------------------------------------------------------------
+Tue Feb  9 10:50:47 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use tar_scm service, not obs_scm: With crypto-policies entering
+  Ring0 (distro bootstrap) we want to be sure to keep the buildtime
+  deps as low as possible.
+- Add python3-base BuildRequires: previously, OBS' tar service
+  pulled this in for us.
+
+-------------------------------------------------------------------
+Mon Feb  8 11:45:38 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Add a BuildIgnore for crypto-policies
+
+-------------------------------------------------------------------
+Mon Feb  8 11:22:31 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Use gzip instead of xz in obscpio and sources
+
+-------------------------------------------------------------------
+Fri Feb  5 10:57:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Do not build the manpages to avoid build cycles
+- Add crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Tue Feb  2 17:38:27 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Convert to use a proper git source _service:
+  + To update, one just needs to update the commit/revision in the
+    _service file and run `osc service dr`.
+  + The version of the package is defined by the commit date of the
+    revision, followed by the abbreviated git hash (The same
+    revision used before results thus in a downgrade to 20210118,
+    but as this is a alltime new package, this is acceptable.
+
+-------------------------------------------------------------------
+Tue Feb  2 12:33:19 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to git version 20210127
+  * Bump Python requirement to 3.6
+  * Output sigalgs required by nss >=3.59
+  * Do not require bind during build
+  * Break build cycles with openssl and gnutls
+
+-------------------------------------------------------------------
+Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to git version 20210118
+  * Output sigalgs required by nss >=3.59
+  * Bump Python requirement to 3.6
+  * Kerberos 5: Fix policy generator to account for macs
+  * Add AES-192 support (non-TLS scenarios)
+  * Add documentation of the --check option
+
+-------------------------------------------------------------------
+Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix the man pages generation
+- Add crypto-policies-asciidoc.patch
+
+-------------------------------------------------------------------
+Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Test only supported modules
+- Add crypto-policies-test_supported_modules_only.patch
+
+-------------------------------------------------------------------
+Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies-typos.patch to fix some typos
+
+-------------------------------------------------------------------
+Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Initial packaging, git version 20200918 (jsc#SLE-15832)
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -0,0 +1,288 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+Name:           crypto-policies
+Version:        20230920.570ea89
+Release:        0
+Summary:        System-wide crypto policies
+License:        LGPL-2.1-or-later
+Group:          Productivity/Networking/Security
+URL:            https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0:        fedora-%{name}-%{version}.tar.gz
+Source1:        README.SUSE
+Source2:        crypto-policies.7.gz
+Source3:        update-crypto-policies.8.gz
+Source4:        fips-mode-setup.8.gz
+Source5:        fips-finish-install.8.gz
+Source6:        crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1:         crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2:         crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3:         crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5:         crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6:         crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7:         crypto-policies-nss.patch
+BuildRequires:  python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires:  python3-toml
+%if %{with manbuild}
+BuildRequires:  asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires:  bind
+BuildRequires:  codespell
+BuildRequires:  gnutls >= 3.6.0
+BuildRequires:  java-devel
+BuildRequires:  krb5-devel
+BuildRequires:  libxslt
+BuildRequires:  mozilla-nss-tools
+BuildRequires:  openssl
+BuildRequires:  perl
+BuildRequires:  python-rpm-macros
+BuildRequires:  python3-coverage
+BuildRequires:  python3-devel >= 3.6
+BuildRequires:  python3-flake8
+BuildRequires:  python3-pylint
+BuildRequires:  python3-pytest
+BuildRequires:  perl(File::Copy)
+BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(File::Which)
+BuildRequires:  perl(File::pushd)
+%endif
+%if 0%{?primary_python:1}
+Recommends:     crypto-policies-scripts
+%endif
+Conflicts:      gnutls < 3.7.3
+#Conflicts:      libreswan < 3.28
+Conflicts:      nss < 3.90.0
+#Conflicts:      openssh < 8.2p1
+#!BuildIgnore:  crypto-policies
+BuildArch:      noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary:        Tool to switch between crypto policies
+Requires:       %{name} = %{version}-%{release}
+Recommends:     perl-Bootloader
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
+%build
+export OPENSSL_CONF=''
+sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
+    python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+    mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+        ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+    done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+    ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+  [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath %__python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p <lua>
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+    local policy = "DEFAULT"
+    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+    if cf then
+        if cf:read() == "1" then
+            policy = "FIPS"
+        end
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    local policypath = "%{_datarootdir}/crypto-policies/"..policy
+    for fn in posix.files(policypath) do
+        if fn ~= "." and fn ~= ".." then
+            local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+            local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+            posix.unlink(cfgfn)
+            posix.symlink(policypath.."/"..fn, cfgfn)
+        end
+    end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
--- a/fedora-crypto-policies-20230920.570ea89.tar.gz
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz