From de5b2adaabbc928c8fd396f18ed22fb7a9737a28 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Wed, 28 Dec 2022 09:49:11 +0000
Subject: [PATCH] Never allow using SHA-1 for checksum validation
---
 libfwupdplugin/fu-cabinet.c | 6 ++++++
 src/fu-engine.c | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/libfwupdplugin/fu-cabinet.c b/libfwupdplugin/fu-cabinet.c
index 733cf418a..d11fda5a7 100644
--- a/libfwupdplugin/fu-cabinet.c
+++ b/libfwupdplugin/fu-cabinet.c
@@ -72,6 +72,12 @@ fu_cabinet_init(FuCabinet *self)
 self->builder = xb_builder_new();
 self->jcat_file = jcat_file_new();
 self->jcat_context = jcat_context_new();
+#if LIBJCAT_CHECK_VERSION(0, 1, 13)
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
+#endif
 }
 
 /**
diff --git a/src/fu-engine.c b/src/fu-engine.c
index 8a0db6727..a05ca1a5b 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -8398,6 +8398,12 @@ fu_engine_init(FuEngine *self)
 
 /* setup Jcat context */
 self->jcat_context = jcat_context_new();
+#if LIBJCAT_CHECK_VERSION(0, 1, 13)
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
+#endif
 keyring_path = fu_path_from_kind(FU_PATH_KIND_LOCALSTATEDIR_PKG);
 jcat_context_set_keyring_path(self->jcat_context, keyring_path);
 sysconfdir = fu_path_from_kind(FU_PATH_KIND_SYSCONFDIR);
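Review bot: The `#if LIBJCAT_CHECK_VERSION(0, 1, 13)` guard in fu_cabinet_init (libfwupdplugin/fu-cabinet.c), and the identical guard in fu_engine_init in src/fu-engine.c, makes the restriction optional at compile time. Built against an older libjcat, both contexts are created with no allowlist, so SHA-1 checksum blobs are presumably still accepted, and nothing in the build output or logs says so. Since the subject promises "never", either raise the minimum libjcat version in the build requirements (not visible in this patch) or make the gap visible with an `#else` branch such as `#warning "libjcat < 0.1.13: SHA-1 checksums cannot be disallowed"`. The body of fu_cabinet_init starts outside the hunk.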
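Review bot: The four `jcat_context_blob_kind_allow()` calls in fu_engine_init (src/fu-engine.c) are a verbatim copy of the ones in fu_cabinet_init, and neither copy says that SHA-1 is left out on purpose. A later edit to one list can silently leave the two verification paths accepting different blob kinds. Consider one shared helper that both init functions call, carrying a comment such as `/* allowlist: SHA-1 is deliberately absent, do not add it */`. Because this appears to be an allowlist, any other blob kind libjcat supports is presumably rejected too, which is worth stating in the same comment. fu_engine_init begins and ends outside the hunk.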