Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-71398

OSbuild on RHEL 9 is not able to install a RHEL 8 distro with pkgs signed with SHA1

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • rhel-9.5
    • osbuild-composer
    • None
    • No
    • Moderate
    • rhel-sst-image-builder
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • None
    • None
    • All
    • None

      What were you trying to do that didn't work?

      Even on RHEL 9, Image Builder gives the ability to compose RHEL 8 images. Our customer is not able to install SHA1 packages, a possibility that has been blocked on RHEL 9 only.

      Setting the crypto-policies to "DEFAULT:SHA1" as mentioned in our documentations does not help to move forward. Trying to workaround the issue by modifying the corresponding osbuild stages in order to set the crypto-policies within the container used to build the image does not work either.

      What is the impact of this issue to you?

      Cannot compose a RHEL 8 image from a RHEL 9 host.

      Please provide the package NVR for which the bug is seen:

      osbuild-composer-118-2.el9_5.x86_64

      osbuild-126-1.el9.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      • Generate a GPG key using the SHA1 digest algo, import it with RPM, and use it to build a test package (attaching empty-20241216-1.0.noarch.rpm for your convenience).
      • Add a custom repo with this GPG key (adapt the URL for your needs)
      id = "yum-repo"
name = "yum-repo"
type = "yum-baseurl"
url = "http://192.168.122.119/yum-repo"
check_gpg = true
check_ssl = true
gpgkeys=["""-----BEGIN PGP PUBLIC KEY BLOCK-----mQGNBGdgAE8BDACYOKJnFPw8RHXBUpnbvh10PBrjgnSsAh7lgzAJ8+LNb+5VKfha
D4rtV8NqOhDJC9XtPXcGMrIaB+45SiuZdvlx6NwU2Pi5BGgg/sUzoeUKRqdHYno/
pA7yBL1brWpNp8dXoamRTNWpKtlubdPo9zC7y8Fjs/ARfv4dsm6XhNGfho1zJJmI
zjbDrHo8LtHjQunzxtbK/nqu8thtkL8V1V+N+hN45taUo3mCyHQEQMOVzaiGTpjq
Cc72Y1oGv+Zik3iGFOz1gn8PsAA9dxgML266Fn9zso8bvEEvBafS6TosCCd2C04x
A6EXeJwUa9Ik/mswfvuHrVDdBpl9pqkjq+IxKApMDPRYe0jJyuXMvnEU0JsahiHz
GWPYmBN4sWWfNkdmkoCOUaJ5hMprf3yUMkd8WOKlvDUEgNBn52XwgSxMeaOJ7BVE
4el4qOpNVOFbbb4hFO2qfoFlr2Vptq7z/CS5Q/RdJAyeonwwmxkltC5jQivmHe9U
uqKeZZME9OD503MAEQEAAbQkcGFja2FnZSBtYW5hZ2VyIDxjYmVzc29uQHJlZGhh
dC5jb20+iQHYBBMBCABCFiEEFKfSPqi+/ta11pUNFIRAOj7QvkoFAmdgAE8CGwMF
CQPCZwAFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEBSEQDo+0L5KfuwL
/AgfuMLXckRFTgWJgXWDN078PI1uVwpeSRBk1JPQNsSZ0YG8PN+1O0BjGfb9qsh/
ip4Q0ze9TUYcFn7JkWzTn+nkrWEPdQVxw1jVc0Yz0W+feeiLbRfXvZ/ITt0OAED/
X2vgtOoH2whgyqQ51DRX5wdt4PPin+9uiIHxXVesABPSf+/57Uwyop+/EXHHthym
AmVjKh+FLk6OTmiMkEjnnJzR0alvIsuc4eicaN5TUSRGRoyejFr5ifQDOD8w6x2T
P4pZy5vKwVxZZTka3ZLqFs2pyJZlaqSbxVhfoo/cUlgpvvyxOD4jmBx3OtO7+iCY
WEuyJEAhW92cOJ3ciGFKN0Q9MoDOCc/yFkgKnU33zdXv43YULSxT0SVmWbdkNoDs
vMRNKVLfseyK3xbaPE19kcGDDhY1SpOpQJYQA/ARptlBaY9Zd0S8kCudhJHHoGAj
+BeCSmPEpSiRLBIHBFDtO96oc1ZwN0qlnxSFNxGlVSE6OL+Kub6XJ7xc2Rl2SaWl
T7kBjQRnYABPAQwAxviyoi+YFnqHCt4Sx6JtqnTSFClLgtSbahcaXT3VWaPRJHp1
RXMrzwvEW02fivvWIR8EAVDw25A0dvU8O5FAb6NnSUQ5y10x8jnYIcabrsFIg+Cr
lMT3AEg+HAmDflTLuGsLXDllYB5rHYLywLiAVRStvtDSXFssJd7TEvJUIU2GBS6M
qx01vyCWMhVBiriMsGMqsYDgiTbIKLzULSKXcmhaDZJwBlyTsVlvojr7Mnu3gffE
AcE0lT9LFsdALismSMYXUEMQiPlcYoJJpp5fug1ttkjdKz+OtFDFm1mKOzV4XhGV
bUKkf9GNFICZLF6ldbskcP1tDNlpGEegNXioWU3PkAY0U1zyjjRSgPmGkrWowPjD
afH1tqOcBf0C/4UUu/pI4ppjxHITBqrBnZE+5tYs5/OAOVTykorp016u3F0oO6PO
F+p/38BR1tagHte/zhuHtRmxl8mPCBI6KUkpMHXplKl96EPiADGHhNgYe1bSog/q
HouZPDF/gYR/GI2tABEBAAGJAbwEGAEIACYWIQQUp9I+qL7+1rXWlQ0UhEA6PtC+
SgUCZ2AATwIbDAUJA8JnAAAKCRAUhEA6PtC+Sg4FC/4xGQRFdD3jhgr15moMQZXN
ZzAtN4ULQVbpqex2olSZ1KProcAiQpBNLPQxTIcZfUgRNh6c6BA4r2q8jwi/labv
LeWj3vCL3qjqmxiuDBkMpOu18lrXJA9+YbDdIjWNw/9H5JHyqY+/aD8Vw6dX2Qm+
V9HmLTq5K1id0MR+1d4oCyPrFHGPv/tYn58rs170BCq5ZENW2+KNLf8q988Co7z9
0Ncjo4mi+T2cw3B/wQAIiIPagUfXel9MKD88M4PQhNM5oJBxMau5fhDv5JZBrp2I
jFJvcVqt8i5gszk1i91x2AGHmj59iqat/g2oNs9ZpxR3nJlh6MjjM5JVXQOjcHUA
RwOYB3GmSu4sEZ530ldBfP9N9PA6tLtk5HaEv5awj9IRQCgNKE2FGUZdbdHB+Z7V
ZE+YJQ6umBo+VPCe5+yGu3KaYiBVuO8aZM5Gts6zasm04SPIqRjy3rS31OTHSRRj
roq3+/EzkfGq0syPz02xik3sgoEc09PBc8V1pfv45E4=
=dVaH
-----END PGP PUBLIC KEY BLOCK-----"""]
      • Create a blueprint with this "empty" package and compose it.

      Expected results

      The image is generated.

      Actual results

      warning: Signature not supported. Hash algorithm SHA1 not available.
error: /tmp/gpgkey.b8axqp6l: key 2 import failed.
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.rpm", line 253, in <module>
    r = main(args["tree"], args["inputs"], args["options"])
  File "/run/osbuild/bin/org.osbuild.rpm", line 152, in main
    subprocess.run([
  File "/usr/lib64/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['rpmkeys', '--root', '/run/osbuild/tree', '--import', '/tmp/gpgkey.b8axqp6l']' returned non-zero exit status 1.

              osbuilders Osbuilders Bot Account
              rhn-support-cbesson Christophe Besson
              Osbuilders Bot Account Osbuilders Bot Account
              Release Test Team Release Test Team
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: