docs(cis): explain Fedora exclusion from crypto-policy configuration

2026-02-21 01:22:41 +01:00
parent a123a32feb
commit 7970d933e8
1 changed files with 2 additions and 0 deletions
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,4 +1,6 @@
 ---
+# Fedora ships its own crypto-policies preset and update-crypto-policies
+# behaves differently; applying DEFAULT:NO-SHA1 can break package signing.
 - name: Configure System Cryptography Policy
  when: os in (os_family_rhel | difference(['fedora']))
  ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"