From 7970d933e817455e1291d8eaa3aef364d1f9b585 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 21 Feb 2026 01:22:41 +0100
Subject: [PATCH] docs(cis): explain Fedora exclusion from crypto-policy configuration
---
 roles/cis/tasks/crypto.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index 48841e8..3e5fe5b 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,4 +1,6 @@
 ---
+# Fedora ships its own crypto-policies preset and update-crypto-policies
+# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
 - name: Configure System Cryptography Policy
 when: os in (os_family_rhel | difference(['fedora']))
 ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
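Review bot: The added comment above `Configure System Cryptography Policy` explains why Fedora is excluded but not what a Fedora host ends up with. Under the `when:` filter shown, this task never sets a policy on Fedora, so SHA-1 acceptance there stays at whatever the installed image defaults to. I would record that gap next to the rationale, e.g. `# Fedora is skipped by this task and keeps its distribution-default policy; NO-SHA1 is not enforced there.` The statement that `DEFAULT:NO-SHA1` can break package signing would also be easier to revisit with a pointer to where the breakage was observed. The task file may continue outside the hunk, so a Fedora-specific task could exist further down; if it does, the comment should name it.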