Bug
Resolution: Done-Errata
Critical
rhel-8.9.0.z, rhel-8.10, rhel-9.3.0.z, rhel-9.4
containers-common-1-58.el9
rhel-sst-container-tools
+++ This bug was initially created as a clone of Bug #2184640 +++
Description of problem:
> the same issue seems to happen when checking the container image
> signature from a centos-9 host, we reported here:
> https://bugs.launchpad.net/tripleo/+bug/2015309
Following up on that: when verifying container signatures, keys are configured per registry in /etc/containers/policy.json.
For registry.access.redhat.com/ubi9:latest in the failing CI job, the key is /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, provided by containers-common on CS9, which was not updated yet:
    curl https://gitlab.com/redhat/centos-stream/rpms/containers-common/-/raw/c9s/RPM-GPG-KEY-redhat-release | gpg2 --list-packets
    # off=0 ctb=99 tag=6 hlen=3 plen=525
    :public key packet:
        version 4, algo 1, created 1256212795, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: 199E2F91FD431D51
    # off=528 ctb=b4 tag=13 hlen=2 plen=51
    :user ID packet: "Red Hat, Inc. (release key 2) <security@redhat.com>"
    # off=581 ctb=89 tag=2 hlen=3 plen=566
    :signature packet: algo 1, keyid 199E2F91FD431D51
        version 4, created 1256212795, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 6c e9
        hashed subpkt 2 len 4 (sig created 2009-10-22)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID 199E2F91FD431D51)
        data: [4095 bits]
digest algo 2 = SHA-1 (https://www.rfc-editor.org/rfc/rfc4880#section-9.4).
SHA-1 was removed in gnupg2-2.3.3-3.el9 for bug 2070722.
Please update RPM-GPG-KEY-redhat-* keys provided by containers-common package in CS9.
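The check described in this report can be run across every key that /etc/containers/policy.json references. The script below is an added example, not part of the original bug report or of containers-common. It assumes the policy layout from containers-policy.json(5) (`signedBy` entries with `keyPath` or `keyPaths`) and `gpg2` on the PATH; the sample policy and listing are constructed, and MD5 is flagged alongside SHA-1 as an assumption.

```python
import json
import re
import subprocess
import sys

WEAK = {1: "MD5", 2: "SHA-1"}  # RFC 4880 section 9.4 digest ids flagged here
SIG = re.compile(r":signature packet: algo \d+, keyid (\w+)")
DIGEST = re.compile(r"digest algo (\d+)")

# Constructed samples: a minimal policy.json and an excerpt of the listing above.
SAMPLE_POLICY = {"default": [{"type": "insecureAcceptAnything"}],
                 "transports": {"docker": {"registry.access.redhat.com": [
                     {"type": "signedBy", "keyType": "GPGKeys",
                      "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]}}}
SAMPLE_LISTING = """:signature packet: algo 1, keyid 199E2F91FD431D51
\tversion 4, created 1256212795, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 6c e9
"""

def key_paths(node):
    """Yield every key file named by a signedBy requirement in the policy."""
    if isinstance(node, dict):
        if node.get("type") == "signedBy":
            yield from ([node["keyPath"]] if "keyPath" in node else [])
            yield from node.get("keyPaths", [])
        for value in node.values():
            yield from key_paths(value)
    elif isinstance(node, list):
        for value in node:
            yield from key_paths(value)

def weak_signatures(listing):
    """Return (keyid, digest name) for each signature packet using a weak digest."""
    found, keyid = [], None
    for line in listing.splitlines():
        if m := SIG.search(line):
            keyid = m.group(1)
        elif (m := DIGEST.search(line)) and keyid:
            if int(m.group(1)) in WEAK:
                found.append((keyid, WEAK[int(m.group(1))]))
            keyid = None  # one digest line per signature packet
    return found

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/containers/policy.json") as f:
        paths = sorted(set(key_paths(json.load(f))))
    for path in paths:
        out = subprocess.run(["gpg2", "--list-packets", path],
                             capture_output=True, text=True).stdout
        print(path, weak_signatures(out) or "no weak signature digest found")
```

A key file that reports `SHA-1` here is one whose signatures a gnupg2 build without SHA-1 support will reject, which is the failure this bug asks to fix by updating the packaged keys.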