From 09d6be7f68958901661596b4aa81613ef4180a01 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 13 Nov 2024 16:51:51 +0000
Subject: [PATCH] CI: Use FEDORA40 crypto policy in Fedora 41

Fedora 41 distrusts SHA-1 signatures by default. Switching to this policy is
Fedora's recommended way of re-enabling support for at least the next several
releases.

A few references:

https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
https://fedoraproject.org/wiki/SHA1SignaturesGuidance
https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
---
 ci/fedora-41/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ci/fedora-41/Dockerfile b/ci/fedora-41/Dockerfile
index 54a3f8a463..7551a2739f 100644
--- a/ci/fedora-41/Dockerfile
+++ b/ci/fedora-41/Dockerfile
@@ -28,6 +28,11 @@ RUN dnf -y install \
     swig \
     which \
     zlib-devel \
+    crypto-policies-scripts \
   && dnf clean all && rm -rf /var/cache/dnf
 
 RUN pip3 install websockets junit2html
+
+# Required to allow validation of certificates with SHA1 signatures
+# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+RUN update-crypto-policies --set FEDORA40