Type: Task
Priority: Blocker
Resolution: Duplicate
gnupg2-2.3.3-3.el9, recently added to CentOS 9 Stream, disabled the SHA-1 hashing algorithm (https://bugzilla.redhat.com/show_bug.cgi?id=2070722). That broke verifying CentOS Stream RPM packages (https://bugzilla.redhat.com/show_bug.cgi?id=2184640) because they are signed with the 05b555b38483c65d PGP key, which uses a self-signature based on the SHA-1 hash algorithm:
gpg --list-packets /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1556896537, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 05B555B38483C65D
# off=528 ctb=b4 tag=13 hlen=2 plen=58
:user ID packet: "CentOS (CentOS Official Signing Key) <security@centos.org>"
# off=588 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid 05B555B38483C65D
    version 4, created 1556896537, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 8c eb
    hashed subpkt 2 len 4 (sig created 2019-05-03)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
    hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
    hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID 05B555B38483C65D)
    data: [4095 bits]

"digest algo 2" for the signature is SHA-1 (per https://www.rfc-editor.org/rfc/rfc4880#section-9.4).
Because it is in line with the RHEL 9 default crypto policy to exclude SHA-1 from signature verification, the CentOS Stream 9 PGP key certificate needs to be replaced with a new one which does not use SHA-1.
Please replace the CentOS Stream 9 GPG key certificate (/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial) with a new one which does not use SHA-1. I recommend the SHA-512 algorithm.
Maybe adding a new self-signature and removing the old one from the same PGP key could fix it without the need to re-sign all RPM packages.
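The following is an added example, not code from the issue or from the CentOS project: a small checker that parses `gpg --list-packets` output and reports every self-signature (issuer key ID equal to the primary key ID, certification or binding signature class) whose digest algorithm is MD5 or SHA-1, i.e. exactly the condition that makes a key unusable once SHA-1 signatures are rejected. The embedded sample is the packet dump quoted above for the 05B555B38483C65D key, reflowed; the script name and the `SELF_SIG_CLASSES` set are this example's own choices, not anything from gpg or the tracker.

```python
"""check_selfsig.py: flag OpenPGP self-signatures that use a weak digest algorithm.

Feed it the output of `gpg --list-packets <keyfile>` on stdin or as a file argument.
"""
import re
import sys

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_ALGOS = {1, 2}  # MD5 and SHA-1: rejected by the RHEL 9 DEFAULT crypto policy

# Signature classes that a key issues over itself (RFC 4880 section 5.2.1):
# 0x10-0x13 UID certifications, 0x18 subkey binding, 0x1f direct-key signature.
# (Assumption of this example: treat only these as "self-signatures".)
SELF_SIG_CLASSES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x1F}

# Sample input: the list-packets dump of RPM-GPG-KEY-centosofficial quoted in the issue.
SAMPLE_LIST_PACKETS = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1556896537, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 05B555B38483C65D
# off=528 ctb=b4 tag=13 hlen=2 plen=58
:user ID packet: "CentOS (CentOS Official Signing Key) <security@centos.org>"
# off=588 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid 05B555B38483C65D
    version 4, created 1556896537, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 8c eb
    hashed subpkt 2 len 4 (sig created 2019-05-03)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
    subpkt 16 len 8 (issuer key ID 05B555B38483C65D)
    data: [4095 bits]
"""


def parse_packets(text):
    """Split list-packets output into packets: {'type', 'head', 'body': [lines]}."""
    packets, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):          # "# off=... ctb=..." framing lines
            continue
        if line.startswith(":"):          # ":<packet type>: <header fields>"
            name, _, rest = line[1:].partition(":")
            current = {"type": name.strip(), "head": rest.strip(), "body": []}
            packets.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return packets


def primary_keyid(packets):
    """Key ID of the first public (primary) key packet, or None."""
    for pkt in packets:
        if pkt["type"] == "public key packet":
            for line in pkt["body"]:
                m = re.match(r"keyid: ([0-9A-Fa-f]+)", line)
                if m:
                    return m.group(1).upper()
    return None


def signature_info(pkt):
    """Extract issuer, sigclass, digest algo and creation date from a signature packet."""
    info = {"issuer": None, "sigclass": None, "digest_algo": None, "created": None}
    m = re.search(r"keyid ([0-9A-Fa-f]+)", pkt["head"])
    if m:
        info["issuer"] = m.group(1).upper()
    for line in pkt["body"]:
        if m := re.search(r"sigclass 0x([0-9a-fA-F]+)", line):
            info["sigclass"] = int(m.group(1), 16)
        if m := re.match(r"digest algo (\d+)", line):
            info["digest_algo"] = int(m.group(1))
        if m := re.search(r"\(sig created (\S+)\)", line):
            info["created"] = m.group(1)
        if m := re.search(r"issuer key ID ([0-9A-Fa-f]+)", line):
            info["issuer"] = m.group(1).upper()   # the subpacket is authoritative
    return info


def weak_self_signatures(text):
    """Return a finding dict for every self-signature hashed with MD5 or SHA-1."""
    packets = parse_packets(text)
    keyid = primary_keyid(packets)
    findings = []
    for pkt in packets:
        if pkt["type"] != "signature packet":
            continue
        sig = signature_info(pkt)
        if (sig["issuer"] == keyid and sig["sigclass"] in SELF_SIG_CLASSES
                and sig["digest_algo"] in WEAK_HASH_ALGOS):
            findings.append({"issuer": sig["issuer"], "sigclass": sig["sigclass"],
                             "created": sig["created"],
                             "hash": HASH_ALGO_NAMES.get(sig["digest_algo"], str(sig["digest_algo"]))})
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for f in weak_self_signatures(src):
        print(f"self-sig by {f['issuer']} class 0x{f['sigclass']:02x} created {f['created']}: "
              f"digest {f['hash']} (rejected under a no-SHA-1 policy)")
```

Run as `gpg --list-packets /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial | python3 check_selfsig.py`. One caveat that matters for the "add a new self-signature" idea above: the checker flags every weak self-signature it sees, so a key that has gained a SHA-512 self-signature but still carries the old SHA-1 one will keep being reported until the old signature is actually removed from the distributed certificate.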
Is related to: CS-1616 New signature (Backlog)