Upstream NSS just added policy support for rsa-pkcs, rsa-pss, and ecdsa as signature algorithms in NSS 3.59. crypto policies needs to add maps from the signature values to these new algorithm types. Without these new algorithms, rsa signatures will break when policies are installed. The challenge is we can't add these to crypto policies before NSS updates because nss-check-policy will fail (we really need to have an option for nss-check-policy to allow *NEW* unknown policies (sigh)). Anywaythe NSS 3.59 update needs to be coordinated with crypto policies.
Created attachment 1730246 [details] Add rsa-pss, rsa-pkcs, and ecdsa to the nss policies. This patch also disabled acting on the results of policy check so it can be added before the new NSS is included.
Upstream merge request: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/84
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.