  1. CentOS Stream Pipeline
  2. CS-1527

Change CentOS 9 Stream PGP key not to be signed with SHA-1


    • Task
    • Resolution: Duplicate
    • Blocker
    • Release Engineering
    • Testable

      gnupg2-2.3.3-3.el9, recently added to CentOS 9 Stream, disabled the SHA-1 hashing algorithm (https://bugzilla.redhat.com/show_bug.cgi?id=2070722). That broke verification of CentOS Stream RPM packages (https://bugzilla.redhat.com/show_bug.cgi?id=2184640) because they are signed with the 05b555b38483c65d PGP key, which uses a self-signature based on the SHA-1 hash algorithm:

      gpg --list-packets /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
      # off=0 ctb=99 tag=6 hlen=3 plen=525
      :public key packet:
              version 4, algo 1, created 1556896537, expires 0
              pkey[0]: [4096 bits]
              pkey[1]: [17 bits]
              keyid: 05B555B38483C65D
      # off=528 ctb=b4 tag=13 hlen=2 plen=58
      :user ID packet: "CentOS (CentOS Official Signing Key) <security@centos.org>"
      # off=588 ctb=89 tag=2 hlen=3 plen=567
      :signature packet: algo 1, keyid 05B555B38483C65D
              version 4, created 1556896537, md5len 0, sigclass 0x13
              digest algo 2, begin of digest 8c eb
              hashed subpkt 2 len 4 (sig created 2019-05-03)
              hashed subpkt 27 len 1 (key flags: 03)
              hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
              hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
              hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
              hashed subpkt 30 len 1 (features: 01)
              hashed subpkt 23 len 1 (keyserver preferences: 80)
              subpkt 16 len 8 (issuer key ID 05B555B38483C65D)
              data: [4095 bits]
      
      digest algo 2, for the signature, is SHA-1 (per
      https://www.rfc-editor.org/rfc/rfc4880#section-9.4)
      

      Because it's in line with the RHEL 9 default crypto policy to exclude SHA-1 from signature verification, the CentOS Stream 9 PGP key certificate needs to be replaced with a new one which does not use SHA-1.

      Please replace the CentOS Stream 9 GPG key certificate (/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial) with a new one which does not use SHA-1. I recommend the SHA-512 algorithm.

      Maybe adding a new self-signature and removing the old one from the same PGP key could fix it without the need to re-sign all RPM packages.

            Unassigned Unassigned
            rhn-support-ppisar Petr Pisar
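
The check made by hand in the report above, automated as an added example (not part of the original issue or of any CentOS tooling): it parses `gpg --list-packets` output and reports self-signatures made with MD5, SHA-1 or RIPEMD-160. The function names and the `WEAK_HASHES` set are assumptions, and the sample is trimmed from the listing quoted in the issue.

```python
import re

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2, 3}  # assumption: digests a SHA-1-free policy should reject

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
KEYID_RE = re.compile(r"^\s+keyid: ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass (0x[0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"^\s+digest algo (\d+), begin of digest")

def parse_signatures(listing):
    """Return (primary_keyid, [signature dicts]) from `gpg --list-packets` text."""
    primary, sigs, cur = None, [], None
    for line in listing.splitlines():
        if line.startswith(":"):              # every packet header starts with ':'
            m = SIG_RE.match(line)
            cur = {"issuer": m.group(1).upper(), "sigclass": None,
                   "digest": None} if m else None
            if cur:
                sigs.append(cur)
        elif primary is None and KEYID_RE.match(line):
            primary = KEYID_RE.match(line).group(1).upper()  # first key packet
        elif cur is not None:
            if m := CLASS_RE.search(line):
                cur["sigclass"] = m.group(1)
            if m := DIGEST_RE.match(line):
                cur["digest"] = int(m.group(1))
    return primary, sigs

def weak_self_signatures(listing):
    """Self-signatures (issuer == primary key) made with a weak digest."""
    primary, sigs = parse_signatures(listing)
    return [(s["issuer"], s["sigclass"], HASH_NAMES.get(s["digest"], "unknown"))
            for s in sigs if s["issuer"] == primary and s["digest"] in WEAK_HASHES]

# Sample input: packets trimmed from the listing quoted in the issue above.
SAMPLE = """\
:public key packet:
        version 4, algo 1, created 1556896537, expires 0
        keyid: 05B555B38483C65D
:user ID packet: "CentOS (CentOS Official Signing Key) <security@centos.org>"
:signature packet: algo 1, keyid 05B555B38483C65D
        version 4, created 1556896537, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 8c eb
"""

if __name__ == "__main__":
    for issuer, sigclass, digest in weak_self_signatures(SAMPLE):
        print(f"key {issuer}: self-signature class {sigclass} uses {digest}")
```

To check an installed key, pass the text produced by the `gpg --list-packets` command shown in the issue to `weak_self_signatures()`.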