- Task
- Resolution: Duplicate
- Blocker
- Testable
gnupg2-2.3.3-3.el9, recently added to CentOS Stream 9, disabled the SHA-1 hashing algorithm (https://bugzilla.redhat.com/show_bug.cgi?id=2070722). That broke verifying CentOS Stream RPM packages (https://bugzilla.redhat.com/show_bug.cgi?id=2184640), because they are signed with the 05b555b38483c65d PGP key, whose self-signature is based on the SHA-1 hash algorithm:
gpg --list-packets /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1556896537, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: 05B555B38483C65D
# off=528 ctb=b4 tag=13 hlen=2 plen=58
:user ID packet: "CentOS (CentOS Official Signing Key) <security@centos.org>"
# off=588 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid 05B555B38483C65D
version 4, created 1556896537, md5len 0, sigclass 0x13
digest algo 2, begin of digest 8c eb
hashed subpkt 2 len 4 (sig created 2019-05-03)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID 05B555B38483C65D)
data: [4095 bits]
Digest algo 2 in the signature packet is SHA-1 (per https://www.rfc-editor.org/rfc/rfc4880#section-9.4).
Because it is in line with the RHEL 9 default crypto policy to exclude SHA-1 from signature verification, the CentOS Stream 9 PGP key certificate needs to be replaced with a new one that does not use SHA-1.
Please replace the CentOS Stream 9 GPG key certificate (/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial) with a new one that does not use SHA-1. I recommend the SHA-512 algorithm.
Adding a new self-signature and removing the old one from the same PGP key might fix it without the need to resign all RPM packages.
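As an added example (not part of this issue, and not CentOS or GnuPG code), the following script walks the packets of a binary OpenPGP key file and reports the hash algorithm used by each self-signature on the primary key, which is the same check the `gpg --list-packets` output above was read for, done without depending on gpg's crypto policy. It parses only the packet framing needed for this (RFC 4880 sections 4.2, 5.2.3, 5.5.2, 9.4) and does not verify the signatures. The key bytes at the bottom are constructed for the demo: a fake primary key with one SHA-1 self-signature, one SHA-512 self-signature, and one third-party SHA-1 certification that must not be counted as a self-signature.

```python
import hashlib
import struct
import sys

# RFC 4880 section 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1


def read_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers (4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        pos += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            b1 = data[pos]; pos += 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length = ((b1 - 192) << 8) + data[pos] + 192; pos += 1
            elif b1 == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise NotImplementedError("partial body lengths not supported")
        else:  # old-format header, as in the ctb=99/b4/89 lines above
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise NotImplementedError("indeterminate length not supported")
            width = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(data[pos:pos + width], "big"); pos += width
        yield tag, data[pos:pos + length]
        pos += length


def key_id(pubkey_body):
    """V4 key ID: low 64 bits of SHA-1 over 0x99 || 2-octet length || key body."""
    if pubkey_body[0] != 4:
        raise NotImplementedError("only v4 keys supported")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).digest()[-8:].hex().upper()


def read_subpackets(blob):
    """Yield (type, body) for signature subpackets; length counts the type octet."""
    pos = 0
    while pos < len(blob):
        b1 = blob[pos]; pos += 1
        if b1 < 192:
            length = b1
        elif b1 < 255:
            length = ((b1 - 192) << 8) + blob[pos] + 192; pos += 1
        else:
            length = struct.unpack(">I", blob[pos:pos + 4])[0]; pos += 4
        yield blob[pos] & 0x7F, blob[pos + 1:pos + length]  # high bit = critical flag
        pos += length


def parse_signature(body):
    """Return sigclass, hash algorithm and issuer key ID of a v3 or v4 signature."""
    version = body[0]
    if version == 4:
        sigclass, hashalgo = body[1], body[3]
        hlen = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hlen]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        unhashed = body[8 + hlen:8 + hlen + ulen]
        issuer = None
        for subtype, sub in list(read_subpackets(hashed)) + list(read_subpackets(unhashed)):
            if subtype == 16 and len(sub) == 8:  # issuer key ID subpacket
                issuer = sub.hex().upper()
    elif version == 3:
        sigclass, hashalgo, issuer = body[2], body[16], body[7:15].hex().upper()
    else:
        raise NotImplementedError("unsupported signature version %d" % version)
    return {"version": version, "sigclass": sigclass, "hash_algo": hashalgo,
            "hash_name": HASH_ALGOS.get(hashalgo, "unknown(%d)" % hashalgo),
            "issuer": issuer}


def audit_self_signatures(keyring):
    """Return (primary key ID, list of signature records with self_sig/weak flags)."""
    primary, records = None, []
    for tag, body in read_packets(keyring):
        if tag == 6 and primary is None:
            primary = key_id(body)
        elif tag == 2 and primary is not None:
            sig = parse_signature(body)
            sig["self_sig"] = sig["issuer"] == primary
            sig["weak"] = sig["hash_algo"] in WEAK_HASHES
            records.append(sig)
    return primary, records


def weak_self_signatures(keyring):
    """Self-signatures whose digest is MD5 or SHA-1, i.e. what the new policy rejects."""
    return [r for r in audit_self_signatures(keyring)[1] if r["self_sig"] and r["weak"]]


# --- constructed sample key (not a real key) --------------------------------
def _packet(tag, body):  # old-format header with 2-octet length (hlen=3)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _subpkt(subtype, body):
    return bytes([len(body) + 1, subtype]) + body

def _sig_v4(sigclass, hashalgo, issuer_hex):
    hashed = _subpkt(2, struct.pack(">I", 1556896537)) + _subpkt(27, b"\x03")
    unhashed = _subpkt(16, bytes.fromhex(issuer_hex))
    return (bytes([4, sigclass, 1, hashalgo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x8c\xeb" + _mpi(0x1234))

PRIMARY_BODY = bytes([4]) + struct.pack(">I", 1556896537) + bytes([1]) + _mpi(0xC0FFEE) + _mpi(65537)
PRIMARY_ID = key_id(PRIMARY_BODY)
OTHER_ID = "0123456789ABCDEF"  # hypothetical third-party certifier
SAMPLE_KEY = (_packet(6, PRIMARY_BODY)
              + _packet(13, b"Example Signing Key <example@example.invalid>")
              + _packet(2, _sig_v4(0x13, 2, PRIMARY_ID))    # self-sig, SHA-1
              + _packet(2, _sig_v4(0x13, 10, PRIMARY_ID))   # self-sig, SHA-512
              + _packet(2, _sig_v4(0x10, 2, OTHER_ID)))     # third-party SHA-1 sig

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEY
    primary, records = audit_self_signatures(data)
    print("primary key ID:", primary)
    for r in records:
        print("sigclass 0x%02x hash %-7s issuer %s self=%s weak=%s"
              % (r["sigclass"], r["hash_name"], r["issuer"], r["self_sig"], r["weak"]))
```

Run it with the path to a dearmored key (such as the RPM-GPG-KEY file from this report, after `gpg --dearmor`) to list every signature with its hash algorithm; the `weak_self_signatures` result is empty exactly when the key no longer carries an MD5 or SHA-1 self-signature, which is the condition the replacement certificate requested above has to satisfy.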
Is related to: CS-1616 New signature for c10s centosofficial key (Closed)