I don't see SHA-1 in sigalgs on Fedora 36 LEGACY, which is likely a result of the tightening openssl 3 SECLEVEL change. Some of the options are:

1. WONTFIX, not cool because we do want SHA-1 in LEGACY going forward, even for F39
2. modify SECLEVEL=1 to include it, not cool because it's a deviation from upstream
3. introduce a new control to enable SHA-1 in LEGACY, not cool because a new control is kinda late to introduce post-F36 beta, but we'll need that for F37+ anyway.
related: bz2070977
We'll probably go for #3 and backport the change in bz2070977 that we're going to do for f37 anyway.
With https://bodhi.fedoraproject.org/updates/FEDORA-2022-d906a1fd24, crypto-policies needs to set rh-allow-sha1-signatures=yes and SECLEVEL=1 for SHA-1 to work.
To clarify: rh-allow-sha1-signatures=yes and SECLEVEL=1 will allow SHA-1 in TLS. SHA-1 signatures will work outside of TLS with rh-allow-sha1-signatures=yes (or not set) and SECLEVEL=2.
I want to check if this patch helps with https://bugzilla.redhat.com/show_bug.cgi?id=2069239 -- how/where do I need to set rh-allow-sha1-signatures=yes to see if that might help (or is that the default now anyways)?
See https://bugzilla.redhat.com/show_bug.cgi?id=2070977#c2. The default for rh-allow-sha1-signatures is yes on F36. I didn't check what crypto-policies currently sets on F36, but if it sets SECLEVEL=1, as I believe it does in LEGACY, that combination should already allow SHA-1 signatures in TLS.
On F36 with crypto-policies 20220203-2.git112f859.fc36, update-crypto-policies --set LEGACY already sets SECLEVEL=1, and rh-allow-sha1-signatures=yes is the default, so this is fixed.
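The comments above state the rule that decides whether SHA-1 signatures are accepted: in TLS they need both rh-allow-sha1-signatures=yes and SECLEVEL=1, while outside TLS they work as long as rh-allow-sha1-signatures is yes or not set at all. The following script is an added example, not part of the bug thread or of crypto-policies itself; it reads a crypto-policies style OpenSSL config and reports which of the two cases a machine is in. It assumes the key sits in an `[evp_properties]` section and that SECLEVEL is carried on the `CipherString = @SECLEVEL=N:...` line, as in the generated opensslcnf.config; the three config files it checks are constructed inline with abbreviated cipher lists.

```shell
#!/bin/sh
# Added example (not from the bug thread): inspect a crypto-policies style
# OpenSSL config for the two settings that govern SHA-1 signatures.
# Rule as stated in the thread:
#   SHA-1 in TLS      -> rh-allow-sha1-signatures=yes AND @SECLEVEL=1
#   SHA-1 outside TLS -> rh-allow-sha1-signatures=yes, or the key not set at all
# Assumption: the key lives in an [evp_properties] section and SECLEVEL appears
# as "CipherString = @SECLEVEL=N:..." (the real file on a system would be
# /etc/crypto-policies/back-ends/opensslcnf.config).

# Print the last value of rh-allow-sha1-signatures in the file, or "unset".
sha1_setting() {
    v=$(sed -n 's/^[[:space:]]*rh-allow-sha1-signatures[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Print the SECLEVEL digit from the CipherString line, or "unset".
seclevel() {
    v=$(sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-9]\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Exit status 0 when SHA-1 signatures would be accepted in TLS handshakes.
tls_sha1_allowed() {
    [ "$(sha1_setting "$1")" = yes ] && [ "$(seclevel "$1")" = 1 ]
}

# Exit status 0 when SHA-1 signatures would be accepted outside TLS.
nontls_sha1_allowed() {
    s=$(sha1_setting "$1")
    [ "$s" = yes ] || [ "$s" = unset ]
}

# One-line verdict for a config file, labelled with the policy name.
report() {
    printf '%s: rh-allow-sha1-signatures=%s seclevel=%s tls=%s non-tls=%s\n' \
        "$2" "$(sha1_setting "$1")" "$(seclevel "$1")" \
        "$(tls_sha1_allowed "$1" && echo allowed || echo blocked)" \
        "$(nontls_sha1_allowed "$1" && echo allowed || echo blocked)"
}

# Constructed sample configs (cipher lists abbreviated; not real distro output).
WORK=$(mktemp -d)

# LEGACY as described in the thread: SECLEVEL=1 and the key explicitly yes.
LEGACY_CFG="$WORK/legacy.config"
cat > "$LEGACY_CFG" <<'EOF'
[openssl_init]
alg_section = evp_properties
ssl_conf = ssl_module

[evp_properties]
rh-allow-sha1-signatures = yes

[ssl_module]
system_default = crypto_policy

[crypto_policy]
CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:!aNULL
EOF

# A stricter policy: key set to no and SECLEVEL=2 (SHA-1 blocked everywhere).
STRICT_CFG="$WORK/strict.config"
cat > "$STRICT_CFG" <<'EOF'
[evp_properties]
rh-allow-sha1-signatures = no

[crypto_policy]
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:!aNULL
EOF

# Key absent entirely with SECLEVEL=2: SHA-1 works outside TLS but not in TLS.
UNSET_CFG="$WORK/unset.config"
cat > "$UNSET_CFG" <<'EOF'
[crypto_policy]
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:!aNULL
EOF

report "$LEGACY_CFG" LEGACY
report "$STRICT_CFG" STRICT
report "$UNSET_CFG" UNSET
```

To check a live system, point `report` at the generated back-end file instead of the constructed ones; the verdict follows the same rule the thread states, so a machine that shows `tls=blocked` while on LEGACY is missing one of the two settings.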