RHEL-114837

RPM displays multiple "warning: Signature not supported. Hash algorithm SHA1 not available." without printing which package is faulty


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-9.8
    • rhel-9.6
    • rpm
    • rpm-4.16.1.3-40.el9
    • Severity: Moderate
    • rhel-swm
    • When opening the rpmdb (e.g. during a query operation or via rpmkeys -K), a warning line is printed on stderr that contains the gpg-pubkey NEVRA of the affected public key that uses an unsupported (disabled) digest algorithm, for example:

      warning: Signature not supported. Hash algorithm SHA1 not available.
      warning: Could not load key gpg-pubkey-69615150-692465eb

      This can be tested easily with something like:

      $ gpg --gen-key --cert-digest-algo SHA1
      $ gpg --export --armor joe@doe.com > joe.pub
      $ rpmsign --addsign --define '_gpg_name joe@doe.com' /some/package.rpm
      $ sudo update-crypto-policies --set LEGACY
      $ sudo rpm --import joe.pub
      $ sudo update-crypto-policies --set DEFAULT
      $ rpmkeys -Kv /some/package.rpm
    • Pass
    • Not Needed
    • New Test Coverage
    • Release Note Not Required

      What were you trying to do that didn't work?

      A customer upgraded from RHEL7 to RHEL8, then RHEL8 to RHEL9.
      After upgrading to RHEL9, he gets warnings when using dnf or rpm commands:

      # rpm -qa
      warning: Signature not supported. Hash algorithm SHA1 not available.
      warning: Signature not supported. Hash algorithm SHA1 not available.
      warning: Signature not supported. Hash algorithm SHA1 not available.
      warning: Signature not supported. Hash algorithm SHA1 not available.
      [...]
      

      Because of the lack of the package name that has an issue, it's complicated to troubleshoot.
      I had to request the RPMDB to dig into this through running in GDB with breakpoints.

      In the end it appears there were some oldish "fake" gpg-pubkey packages that were the culprit.

      What is the impact of this issue to you?

      Complicated to troubleshoot.

      Please provide the package NVR for which the bug is seen:

      rpm-libs-4.16.1.3-37.el9.x86_64

      How reproducible is this bug?:

      Always with customer RPMDB
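The unattributed warnings in the report above, and the SHA1-self-signed test key from the verification steps, can be triaged on an unfixed rpm with the following added example (not code from the issue, from Red Hat or from rpm). It assumes rpm and gpg on PATH, that rpm keeps the armored key in the gpg-pubkey package description, and the RFC 4880 hash-algorithm ids (1 = MD5, 2 = SHA1); the keyids in the embedded sample are constructed placeholders.

```shell
# Added triage helper, not code from the RHEL-114837 issue or from rpm itself.
# On rpm builds that only print "Hash algorithm SHA1 not available", it finds
# which imported gpg-pubkey packages carry a self-signature made with a digest
# the DEFAULT crypto policy rejects: MD5 (id 1) or SHA1 (id 2), per RFC 4880.

# Parse `gpg --list-packets` output on stdin and print "<keyid> digest-algo <n>"
# for every signature packet whose hash algorithm is MD5 (1) or SHA1 (2).
flag_weak_digest_sigs() {
    awk '
        /^:signature packet:/ { keyid = $NF; next }   # "..., keyid <hex>"
        /^[ \t]*digest algo [0-9]+,/ {
            algo = $3; sub(/,/, "", algo)
            if (algo == "1" || algo == "2") print keyid " digest-algo " algo
        }'
}

# For each gpg-pubkey package in the rpmdb, feed the armored key that rpm keeps
# in the package description to gpg and inspect its packets. Each hit is
# prefixed with the NEVRA, i.e. the name the unfixed rpm never printed.
scan_rpmdb_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 2>/dev/null |
    while read -r nevra; do
        rpm -q --qf '%{DESCRIPTION}' "$nevra" 2>/dev/null |
            gpg --list-packets 2>/dev/null |
            flag_weak_digest_sigs |
            sed "s/^/$nevra: /"
    done
}

# Constructed sample of `gpg --list-packets` output (placeholder keyids): a
# SHA1-self-signed key like the one the `--cert-digest-algo SHA1` step above
# produces, followed by a SHA256-signed key that must not be flagged.
SAMPLE_PACKETS=':public key packet:
	keyid: 0123456789ABCDEF
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1700000000, md5len 0, sigclass 0x13
	digest algo 2, begin of digest ab cd
:public key packet:
	keyid: FEDCBA9876543210
:signature packet: algo 1, keyid FEDCBA9876543210
	version 4, created 1700000001, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 12 34'

# Number of weak-digest signatures found in the sample (1: only the first key).
count_weak_in_sample() {
    printf '%s\n' "$SAMPLE_PACKETS" | flag_weak_digest_sigs | wc -l | tr -d ' '
}
# Scan the local rpmdb only when asked, so the file also runs without rpm/gpg.
if [ -n "${SCAN_RPMDB:-}" ]; then scan_rpmdb_keys; fi
```

Run it with `SCAN_RPMDB=1 sh triage.sh` on the affected host; every line names a gpg-pubkey NEVRA that can be removed with `rpm -e` or re-imported from a key with a modern self-signature.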

              mdomonko@redhat.com Michal Domonkos
              rhn-support-rmetrich Renaud Métrich
              packaging-team-maint packaging-team-maint
              Martin Banas
              Votes: 0
              Watchers: 8