diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index 48841e8..3e5fe5b 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,4 +1,6 @@
 ---
+# Fedora ships its own crypto-policies preset and update-crypto-policies
+# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
 - name: Configure System Cryptography Policy
 when: os in (os_family_rhel | difference(['fedora']))
 ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
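Review bot: The added comment explains why Fedora is excluded but not what that leaves in place: on Fedora this task is skipped, so the host keeps whatever crypto policy the distribution ships and the NO-SHA1 control is not enforced there. For a CIS role that is the fact an auditor needs, so I would state it outright and drop the vague "behaves differently", e.g. `# Skipped on Fedora: DEFAULT:NO-SHA1 can break package signing there, so Fedora hosts keep the distribution default policy and this control is NOT enforced.` Placed directly after the `---` marker the comment also reads as a file header; putting it immediately above the `when:` line ties it to the condition it justifies. The task may continue past the last line of the hunk.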