diff --git a/README.SUSE b/README.SUSE
index e34c3c5..46ae71a 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -1,2 +1,6 @@
-Currently only OpenSSL and GnuTLS policies are supported.
+Currently, the supported back-end policies are:
+ * OpenSSL library
+ * GnuTLS library
+ * OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
+
The rest of the modules ignore the policy settings for the time being.
diff --git a/_service b/_service
index d9ed9a5..9b955e3 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
git
%cd.%h
enable
- c9d86d1154c4b286c9be3d5e9e32451df6f64e19
+ 3d08ae70557e5a86686e5b24e443731bfdf232bb
*.tar
diff --git a/_servicedata b/_servicedata
index e9d2fc7..424997b 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://gitlab.com/redhat-crypto/fedora-crypto-policies.git
- c9d86d1154c4b286c9be3d5e9e32451df6f64e19
\ No newline at end of file
+ 3d08ae70557e5a86686e5b24e443731bfdf232bb
\ No newline at end of file
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
index acbcea7..5a98b37 100644
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20221214.a4c31a3/Makefile
===================================================================
---- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
+--- fedora-crypto-policies-20221214.a4c31a3.orig/Makefile
++++ fedora-crypto-policies-20221214.a4c31a3/Makefile
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
DESTDIR?=
@@ -13,11 +13,11 @@ Index: fedora-crypto-policies/Makefile
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3
DIFFTOOL?=meld
-Index: fedora-crypto-policies/crypto-policies.7.txt
+Index: fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
===================================================================
---- fedora-crypto-policies.orig/crypto-policies.7.txt
-+++ fedora-crypto-policies/crypto-policies.7.txt
-@@ -144,9 +144,6 @@ PROVIDED POLICIES
+--- fedora-crypto-policies-20221214.a4c31a3.orig/crypto-policies.7.txt
++++ fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
+@@ -153,9 +153,6 @@ PROVIDED POLICIES
*FIPS*::
A policy to aid conformance to the *FIPS 140-2* requirements.
@@ -27,7 +27,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
* MACs: all *HMAC* with *SHA1* or better
* Curves: all prime >= 256 bits
-@@ -255,12 +252,6 @@ COMMANDS
+@@ -264,12 +261,6 @@ COMMANDS
back ends and allows the system administrator to change the active
cryptographic policy.
@@ -40,7 +40,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
NOTES
-----
-@@ -427,7 +418,7 @@ FILES
+@@ -447,7 +438,7 @@ FILES
SEE ALSO
--------
@@ -49,10 +49,10 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
AUTHOR
-Index: fedora-crypto-policies/python/update-crypto-policies.py
+Index: fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
===================================================================
---- fedora-crypto-policies.orig/python/update-crypto-policies.py
-+++ fedora-crypto-policies/python/update-crypto-policies.py
+--- fedora-crypto-policies-20221214.a4c31a3.orig/python/update-crypto-policies.py
++++ fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
eprint("Warning: Using 'update-crypto-policies --set FIPS' "
"is not sufficient for")
diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch
index 61f504b..7e09857 100644
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@@ -1,28 +1,28 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
===================================================================
---- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -22,9 +22,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
++++ fedora-crypto-policies-20230420.3d08ae7/Makefile
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
-+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
-+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
-+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
mkdir -p $(DESTDIR)$(DIR)/
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
-@@ -106,8 +106,8 @@ clean:
+@@ -114,8 +114,8 @@ clean:
rm -rf output
%: %.txt
-- asciidoc.py -v -d manpage -b docbook $<
-- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+ # asciidoc -v -d manpage -b docbook $<
-+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+- $(ASCIIDOC) -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++ #$(ASCIIDOC) -v -d manpage -b docbook $<
++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
new file mode 100644
index 0000000..d5e2eb0
--- /dev/null
+++ b/crypto-policies-policygenerators.patch
@@ -0,0 +1,40 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .java import JavaSystemGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
++#from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator
+ from .openssh import OpenSSHServerGenerator
+ from .openssl import OpenSSLConfigGenerator
+ from .openssl import OpenSSLGenerator
+-from .sequoia import SequoiaGenerator
+-from .sequoia import RPMSequoiaGenerator
++#from .sequoia import SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator
+
+ __all__ = [
+ 'BindGenerator',
+@@ -24,13 +24,13 @@ __all__ = [
+ 'JavaGenerator',
+ 'JavaSystemGenerator',
+ 'KRB5Generator',
+- 'LibreswanGenerator',
++# 'LibreswanGenerator',
+ 'LibsshGenerator',
+ 'NSSGenerator',
+ 'OpenSSHClientGenerator',
+ 'OpenSSHServerGenerator',
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLGenerator',
+- 'SequoiaGenerator',
+- 'RPMSequoiaGenerator',
++# 'SequoiaGenerator',
++# 'RPMSequoiaGenerator',
+ ]
diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc
new file mode 100644
index 0000000..6fdbe70
--- /dev/null
+++ b/crypto-policies-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..1867856
--- /dev/null
+++ b/crypto-policies-supported.patch
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Not supported)
+
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and java-11-openjdk)
+
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Not supported)
+
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Not supported)
+
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Not supported)
+
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported)
+
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Not supported)
+
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies-test_supported_modules_only.patch b/crypto-policies-test_supported_modules_only.patch
deleted file mode 100644
index c2f1a90..0000000
--- a/crypto-policies-test_supported_modules_only.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-crypto-policies/Makefile
-===================================================================
---- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -56,8 +56,6 @@ check:
- tests/openssl.pl
- tests/gnutls.pl
- tests/nss.py
-- tests/java.pl
-- tests/krb5.py
- top_srcdir=. tests/update-crypto-policies.sh
-
- # Alternative, equivalent ways to write the same policies
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
index d8cc82c..40ad731 100644
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:cbc5e573f2bd5dad2e405f9de35cc94c469d434b466b40890d87400f7f4cb8c1
-size 6127
+oid sha256:e0f927cbf526fbd0bec4eaf6b2456a6d148d42abdfb25978c71ede20b3a5e2ce
+size 6770
diff --git a/crypto-policies.changes b/crypto-policies.changes
index efdf80e..4eef770 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Mon May 8 09:45:45 UTC 2023 - Pedro Monreal
+
+- Update the update-crypto-policies(8) man pages and README.SUSE
+ to mention the supported back-end policies. [bsc#1209998]
+ * Add crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Mon May 08 06:32:49 UTC 2023 - Pedro Monreal
+
+- Update to version 20230420.3d08ae7:
+ * openssl, alg_lists: add brainpool support
+ * openssl: set Groups explicitly
+ * codespell: ignore aNULL
+ * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
+ * sequoia: add separate rpm-sequoia backend
+ * crypto-policies.7: state upfront that FUTURE is not so interoperable
+ * Makefile: update for asciidoc 10
+ * Skip the LibreswanGenerator and SequoiaGenerator:
+ - Add crypto-policies-policygenerators.patch
+ * Remove crypto-policies-test_supported_modules_only.patch
+ * Rebase crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal
+
+- Update to version 20221214.a4c31a3:
+ * bind: expand the list of disableable algorithms
+ * libssh: Add support for openssh fido keys
+ * .gitlab-ci.yml: install krb5-devel for krb5-config
+ * sequoia: check using sequoia-policy-config-check
+ * sequoia: introduce new back-end
+ * Makefile: support overriding asciidoc executable name
+ * openssh: make none and auto explicit and different
+ * openssh: autodetect and allow forcing RequiredRSASize presence/name
+ * openssh: remove _pre_8_5_ssh
+ * pylintrc: update
+ * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
+ * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
+ * Makefile: exclude built manpages from codespell
+ * add openssh HostbasedAcceptedAlgorithms
+ * openssh: add RSAMinSize option following min_rsa_size
+ * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
+ * docs: add customization recommendation
+ * tests/java: fix java.security.disableSystemPropertiesFile=true
+ * policies: add FEDORA38 and TEST-FEDORA39
+ * bind: control ED25519/ED448
+ * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+ * .gitlab-ci.yml: skip pylint (bz2069837)
+ * openssh: add support for sntrup761x25519-sha512@openssh.com
+ * fips-mode-setup: fix one unrelated check to intended state
+ * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
+ * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
+ * fips-mode-setup: catch more inconsistencies, clarify --check
+ * fips-mode-setup: improve handling FIPS plus subpolicies
+ * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
+ * gnutls: enable SHAKE, needed for Ed448
+ * gnutls: use allowlisting
+ * openssl: add newlines at the end of the output
+ * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
+ * fips-mode-setup, fips-finish-install: call zipl more often
+ * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
+ zero-length and non-conffile-in-etc warnings.
+ * Rebase patches:
+ - crypto-policies-FIPS.patch
+ - crypto-policies-no-build-manpages.patch
+ * Update README.SUSE
+
-------------------------------------------------------------------
Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal
diff --git a/crypto-policies.spec b/crypto-policies.spec
index b137da1..ff3a1f8 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,7 +1,7 @@
#
# spec file for package crypto-policies
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,13 @@
#
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
%global _python_bytecompile_extra 0
Name: crypto-policies
-Version: 20210917.c9d86d1
+Version: 20230420.3d08ae7
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@@ -28,27 +32,41 @@ Source0: fedora-%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: crypto-policies.7.gz
Source3: update-crypto-policies.8.gz
-Patch0: crypto-policies-test_supported_modules_only.patch
+Source4: crypto-policies-rpmlintrc
+%if %{without manbuild}
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add crypto-policies.7.gz
+# and update-crypto-policies.8.gz as sources.
Patch1: crypto-policies-no-build-manpages.patch
+%endif
Patch2: crypto-policies-FIPS.patch
-BuildRequires: python3-base
-# For testing, the following buildrequires need to be uncommented.
-# BuildRequires: asciidoc
-# BuildRequires: bind
-# BuildRequires: gnutls >= 3.6.0
-# BuildRequires: java-devel
-# BuildRequires: libxslt
-# BuildRequires: openssl
-# BuildRequires: perl
-# BuildRequires: python3-coverage
-# BuildRequires: python3-devel >= 3.6
-# BuildRequires: python3-flake8
-# BuildRequires: python3-pylint
-# BuildRequires: python3-pytest
-# BuildRequires: perl(File::Copy)
-# BuildRequires: perl(File::Temp)
-# BuildRequires: perl(File::Which)
-# BuildRequires: perl(File::pushd)
+Patch3: crypto-policies-policygenerators.patch
+Patch4: crypto-policies-supported.patch
+BuildRequires: python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires: python3-toml
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following buildrequires are needed for the testsuite
+BuildRequires: bind
+BuildRequires: gnutls >= 3.6.0
+BuildRequires: java-devel
+BuildRequires: krb5-devel
+BuildRequires: libxslt
+BuildRequires: openssl
+BuildRequires: perl
+BuildRequires: python3-coverage
+BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-flake8
+BuildRequires: python3-pylint
+BuildRequires: python3-pytest
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Temp)
+BuildRequires: perl(File::Which)
+BuildRequires: perl(File::pushd)
+%endif
Recommends: crypto-policies-scripts
Conflicts: gnutls < 3.7.0
#Conflicts: libreswan < 3.28
@@ -75,7 +93,15 @@ defined in simple policy definition files.
%prep
%autosetup -p1 -n fedora-%{name}-%{version}
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
%build
+export OPENSSL_CONF=''
%make_build
%install
@@ -89,28 +115,31 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
mkdir -p -m 755 %{buildroot}%{_bindir}
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
-# Install the manpages
+%if %{without manbuild}
+# Install the manpages from defined sources
mkdir -p -m 755 %{buildroot}%{_mandir}/
mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
+%endif
-# Install the executable files
+# Install the executable scripts
install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
-install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
-touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
-touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+# Remove the fips-related scripts and man pages
+find -type f -name "*fips*" -delete
+find %{buildroot} -type f -name "*fips*" -delete
-# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
-# Remove fips-finish-install and test-fips-setup scripts and man
-find -type f -name fips-finish-install -delete
-find -type f -name fips-finish-install.8.txt -delete
-find -type f -name test-fips-setup.sh -delete
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
@@ -126,10 +155,14 @@ done
%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
-cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
%make_build test || :
+%endif
%post -p
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -153,7 +186,7 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
end
local policypath = "%{_datarootdir}/crypto-policies/"..policy
for fn in posix.files(policypath) do
- if fn ~= "." and fn ~= ".." then
+ if fn ~= "." and fn ~= ".." then
local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
posix.unlink(cfgfn)
@@ -166,6 +199,10 @@ end
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
%files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
%dir %{_sysconfdir}/crypto-policies/
%dir %{_sysconfdir}/crypto-policies/back-ends/
%dir %{_sysconfdir}/crypto-policies/state/
@@ -174,21 +211,23 @@ end
%dir %{_sysconfdir}/crypto-policies/policies/modules/
%dir %{_datarootdir}/crypto-policies/
-%{_sysconfdir}/crypto-policies/README.SUSE
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
%ghost %{_sysconfdir}/crypto-policies/state/current
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -204,8 +243,6 @@ end
%{_datarootdir}/crypto-policies/reload-cmds.sh
%{_datarootdir}/crypto-policies/policies
-%license COPYING.LESSER
-
%files scripts
%{_bindir}/update-crypto-policies
%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
diff --git a/fedora-crypto-policies-20210917.c9d86d1.tar.gz b/fedora-crypto-policies-20210917.c9d86d1.tar.gz
deleted file mode 100644
index 2203014..0000000
--- a/fedora-crypto-policies-20210917.c9d86d1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
-size 75022
diff --git a/fedora-crypto-policies-20230420.3d08ae7.tar.gz b/fedora-crypto-policies-20230420.3d08ae7.tar.gz
new file mode 100644
index 0000000..e3a354d
--- /dev/null
+++ b/fedora-crypto-policies-20230420.3d08ae7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0554a9e3965970a2233dee8770fe414527e073b80106db89a1170fa845c3903b
+size 85811
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
index 98fec27..8261690 100644
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:0151e1a8a5e4bb626284b6a2f93824f849b8d070ed017b6995a20a90f9180b2b
-size 4018
+oid sha256:ce03018475d3b1e4cb06951fa1c13017f13fa6600b3b10e04912af5e3e426692
+size 4179