Type: Bug
Resolution: Unresolved
Priority: Normal
Affects: rhel-8.10, rhel-9.7
Just as obsolete distribution RPM GPG keys (e.g. those using old digest algorithms such as SHA1) are removed during the upgrade, RHUI-related keys should be removed as well.
For example, on GCP RHEL 10 a new RPM GPG key using digest algo 10 (SHA256) is introduced and successfully imported during the upgrade, but the old RHEL 9 key using digest algo 2 (SHA1) is never removed from the RPM DB.
Errors are logged after every dnf transaction during the upgrade; they seem to be printed only during an upgrade, but the key should be removed either way. Although logged as errors, they behave more like warnings and the upgrade succeeds.
The warnings (about 200 in total, all identical):
error: Verifying a signature using certificate 3749E1BA95A86CE054546ED2F09C394C3E1BA8D5 (Google Cloud Packages RPM Signing Key <gc-team@google.com>): 1. Certificate F09C394C3E1BA8D5 invalid: policy violation because: No binding signature at time 2024-04-10T22:42:22Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure 2. Certificate F09C394C3E1BA8D5 invalid: policy violation because: No binding signature at time 2025-10-14T12:16:32Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure
RHEL9 key:
[root@mmatuska-rhel9-aarch64 ~]# gpg2 --show-key -vvv /etc/pki/rpm-gpg/google-rpm-package-key.gpg
gpg: using character set 'utf-8'
gpg: Note: RFC4880bis features are enabled.
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v1
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1435154088, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    keyid: F09C394C3E1BA8D5
# off=272 ctb=b4 tag=13 hlen=2 plen=58
:user ID packet: "Google Cloud Packages RPM Signing Key <gc-team@google.com>"
# off=332 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid F09C394C3E1BA8D5
    version 4, created 1435154088, md5len 0, sigclass 0x13
    digest algo 2, begin of digest f9 0c
    hashed subpkt 2 len 4 (sig created 2015-06-24)
    hashed subpkt 27 len 1 (key flags: 2F)
    hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
    hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
    hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID F09C394C3E1BA8D5)
    data: [2047 bits]
pub   rsa2048 2015-06-24 [SCEA]
      3749E1BA95A86CE054546ED2F09C394C3E1BA8D5
uid           Google Cloud Packages RPM Signing Key <gc-team@google.com>
RHEL 10 key:
gpg2 --show-key -vvv projects/amazon/leapp-rhui-google/src/9to10/rpm-package-key-v10.gpg 0
gpg: using character set 'utf-8'
gpg: enabled compatibility flags:
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1743266887, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 3156C631B64936F9
# off=528 ctb=b4 tag=13 hlen=2 plen=64
:user ID packet: "Google Cloud v10 RPM Package Signing Key v1 <gc-team@google.com>"
# off=594 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 3156C631B64936F9
    version 4, created 1743266887, md5len 0, sigclass 0x13
    digest algo 10, begin of digest cf e4
    hashed subpkt 33 len 21 (issuer fpr v4 C5F744A098136F40C370E8493156C631B64936F9)
    hashed subpkt 2 len 4 (sig created 2025-03-29)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 13y67d0h0m)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
    hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
    hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID 3156C631B64936F9)
    data: [4095 bits]
# off=1193 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
    version 4, algo 1, created 1743266887, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: A309ED3CF54DF43C
# off=1721 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 3156C631B64936F9
    version 4, created 1743266887, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 1c 92
    hashed subpkt 33 len 21 (issuer fpr v4 C5F744A098136F40C370E8493156C631B64936F9)
    hashed subpkt 2 len 4 (sig created 2025-03-29)
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 9 len 4 (key expires after 13y67d0h0m)
    subpkt 16 len 8 (issuer key ID 3156C631B64936F9)
    data: [4095 bits]
pub   rsa4096 2025-03-29 [SC] [expires: 2038-06-01]
      C5F744A098136F40C370E8493156C631B64936F9
uid           Google Cloud v10 RPM Package Signing Key v1 <gc-team@google.com>
sub   rsa4096 2025-03-29 [E] [expires: 2038-06-01]
The existing mapping used by the removeobsoleterpmgpg actor could be extended to allow specifying RHUI keys per provider.
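As an added example (not code from this report or from leapp), a small Python parser that walks the OpenPGP packets of an RPM GPG key and reports the digest algorithm of each self-signature, the `digest algo` field in the gpg2 output above, using the RFC 4880 hash-algorithm registry. The sample keys are constructed byte strings rather than real keys, and `only_weak_digests` is a hypothetical check that a removal actor could use to flag a key whose certification signatures are SHA1-only.

```python
import base64

# RFC 4880 section 9.4 hash-algorithm IDs (only the ones relevant here).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}

def dearmor(text):
    """Base64-decode a PGP armor block, skipping 'Key: value' headers and the CRC24 line."""
    body, in_body = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_body = True
        elif line.startswith("-----END PGP") or line.startswith("="):
            in_body = False
        elif in_body and line.strip() and ":" not in line:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def iter_packets(data):
    """Yield (tag, body) for each old-format packet (ctb 0x99, 0xb4, 0x89, 0xb9 above)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if (ctb & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # tag in bits 5..2, length type in 1..0
        if ltype == 3:
            raise ValueError("indeterminate packet length is not handled")
        size = (1, 2, 4)[ltype]
        length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def signature_digests(key_bytes):
    """[(sigclass, digest)] per v4 signature packet (tag 2); body = version, class, pk algo, hash."""
    return [(body[1], HASH_ALGOS.get(body[3], "algo %d" % body[3]))
            for tag, body in iter_packets(key_bytes) if tag == 2 and body[:1] == b"\x04"]

def only_weak_digests(key_bytes):
    """True when every self-signature is MD5/SHA1: the shape rpm's signature policy rejects."""
    digests = signature_digests(key_bytes)
    return bool(digests) and all(d in WEAK_DIGESTS for _, d in digests)

# Constructed samples, not real keys: public-key packet (tag 6, dummy body), user ID
# (tag 13), then v4 self-signatures whose fourth body byte is the hash-algorithm ID.
PREFIX = bytes([0x99, 0x00, 0x03, 0x04, 0x00, 0x01, 0xB4, 0x04]) + b"test"
SAMPLE_SHA1 = PREFIX + bytes([0x89, 0x00, 0x04, 0x04, 0x13, 0x01, 0x02])   # cert sig, SHA1
SAMPLE_V10 = (PREFIX + bytes([0x89, 0x00, 0x04, 0x04, 0x13, 0x01, 0x0A])   # cert sig, SHA512
              + bytes([0x89, 0x00, 0x04, 0x04, 0x18, 0x01, 0x0A]))        # subkey binding
```

For a key already imported into the RPM DB, the armored text from `rpm -qi gpg-pubkey-<id>` can be passed through `dearmor` before `signature_digests`.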