SHA-1 signatures will be distrusted beginning in Fedora Linux 39. This is part of the next installment of our periodic tightening of cryptographic defaults. The change has the potential to be significantly disruptive. We urge users and package maintainers to test their software by either previewing upcoming restrictive cryptographic policies or passively logging the offending applications and workflows starting from Fedora Linux 36. Please refer to the Strong Crypto Settings 3 proposal and SHA1 signature guidance for more details on the plan and specific steps to take.

OpenSSL 3.0

Fedora Linux 36 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for the Crypto Providers interface. For more information on migrating from previous versions of OpenSSL, see the upstream Migration Guide.

authselect now requires explicit opt-out

Users who do not want to use authselect to manage their nsswitch and PAM configuration must explicitly opt out by calling authselect opt-out or removing /etc/authselect/authselect.conf. If you do not opt out and you change configuration generated by authselect without using the tool itself, any subsequent call to authselect will overwrite your changes.

This change is necessary to ensure authselect works on Fedora CoreOS and other systems using rpm-ostree.

GnuTLS allowlisting

Beginning in Fedora Linux 36, GnuTLS switches to an allowlist-based configuration method and offers an API to adjust system defaults for specific applications.

Keylime is now split into subpackages

The Keylime package has been split into role-specific subpackages (agent, registrar, verifier, and admin components). This makes it easier to deploy the Keylime agent in Fedora IoT and CoreOS spins, which in turn enables remote attestation without installing Keylime’s full dependencies.

Keylime now also allows the use of the alternative agent implementation written in Rust, which will eventually be preferred over the existing Python implementation in future releases.