RHEL-72001

Cannot install centos10 nspawn container from centos 9


    • Bug
    • Resolution: Won't Do
    • CentOS Stream 10
    • centos-stream-release
    • rhel-emerging

      I have tried installing a centos10 container from Fedora instead, but there I used the installed centos-stream-repos package. centos-stream-repos-9.0-26.el9.noarch does not seem to reference a SHA256 signed key.

      What were you trying to do that didn't work?

      I have tried to install centos10 using centos9 repos. That works fine at first glance, but once I switch into the created instance, every package operation complains Certificate 05B555B38483C65D invalid: policy violation. Multiple times, which is even more annoying.

      It does not offer any hint on how to resolve that issue.

      What is the impact of this issue to you?

      Hard to install a newer container from the previous stable centos.

      Please provide the package NVR for which the bug is seen:

      centos-stream-repos-9.0-26.el9.noarch
      centos-stream-repos-10.0-3.el10.noarch

      How reproducible is this bug?:

      reliable

      Steps to reproduce

      1. install centos-stream-repos from c9s (tried from Fedora 40)
      2. edit /etc/dnf/vars/stream to 10-stream
      3. sudo -E dnf --repo=appstream --repo=baseos --releasever=10 --installroot=/var/lib/machines/tmp10 group install "Core"
      4. sudo systemd-nspawn --network-bridge=virbr0 --resolv-conf=off -M tmp10 /bin/bash
      5. rpm -q rpm

      Expected results

      just rpm-4.19.1.1-9.el10.x86_64

      Actual results

      # rpm -q rpm
      error: Verifying a signature using certificate 99DB70FAE1D7CE227FB6488205B555B38483C65D (CentOS (CentOS Official Signing Key) <security@centos.org>):
        1. Certificate 05B555B38483C65D invalid: policy violation
            because: No binding signature at time 2024-12-11T14:57:32Z
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure
        2. Certificate 05B555B38483C65D invalid: policy violation
            because: No binding signature at time 2024-12-21T21:27:17Z
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure
      error: Verifying a signature using certificate 99DB70FAE1D7CE227FB6488205B555B38483C65D (CentOS (CentOS Official Signing Key) <security@centos.org>):
        1. Certificate 05B555B38483C65D invalid: policy violation
            because: No binding signature at time 2024-12-11T14:57:32Z
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure
        2. Certificate 05B555B38483C65D invalid: policy violation
            because: No binding signature at time 2024-12-21T21:27:17Z
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure
      rpm-4.19.1.1-9.el10.x86_64
      
      

      dnf install fails to install anything new in this situation, all because of the inability to verify PGP signatures. I think that is caused by not including the SHA256 key in the centos9 update. It can verify SHA256 also in RHEL9 and it should use it for packages too, right?

      Is there any good reason why c9s contains only the SHA1 key and c10s contains only the SHA256 key, but there is no release which would contain both?

              tdawson@redhat.com Troy Dawson
              pemensik@redhat.com Petr Mensik
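
Added example, not part of the original report or of rpm: a small Python parser that collapses the repeated verification errors shown under "Actual results" into one record per certificate, so the rejected hash algorithm and the affected binding-signature times can be read at a glance. The function name `summarize` and the record fields are assumptions made for this illustration; the sample input is the output quoted in the report.

```python
import re

# One error block copied from the "Actual results" above; rpm printed it twice.
BLOCK = """\
error: Verifying a signature using certificate 99DB70FAE1D7CE227FB6488205B555B38483C65D (CentOS (CentOS Official Signing Key) <security@centos.org>):
  1. Certificate 05B555B38483C65D invalid: policy violation
      because: No binding signature at time 2024-12-11T14:57:32Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure
  2. Certificate 05B555B38483C65D invalid: policy violation
      because: No binding signature at time 2024-12-21T21:27:17Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure
"""
SAMPLE = BLOCK * 2 + "rpm-4.19.1.1-9.el10.x86_64\n"

HEADER = re.compile(r"error: Verifying a signature using certificate ([0-9A-F]{40}) \((.*)\):")
ITEM = re.compile(r"\d+\. Certificate ([0-9A-F]{16}) invalid: (.+)")
BECAUSE = re.compile(r"because: (.+)")
WEAK = re.compile(r"(\S+) is not considered secure")
AT_TIME = re.compile(r"No binding signature at time (\S+)")

def summarize(text):
    """Collapse repeated verification errors into one record per certificate."""
    certs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.fullmatch(line):
            cur = certs.setdefault(m.group(1), {
                "uid": m.group(2), "key_ids": set(), "violations": set(),
                "weak_hashes": set(), "sig_times": set(), "reports": 0})
            cur["reports"] += 1
        elif cur is None:
            continue  # normal command output, e.g. the package NVR
        elif m := ITEM.fullmatch(line):
            cur["key_ids"].add(m.group(1))
            cur["violations"].add(m.group(2))
        elif m := BECAUSE.fullmatch(line):
            if w := WEAK.fullmatch(m.group(1)):
                cur["weak_hashes"].add(w.group(1))
            elif t := AT_TIME.fullmatch(m.group(1)):
                cur["sig_times"].add(t.group(1))
        else:
            cur = None  # first non-error line ends the block
    return certs

if __name__ == "__main__":
    for fpr, c in summarize(SAMPLE).items():
        print(fpr, c["uid"], sorted(c["weak_hashes"]), sorted(c["sig_times"]), f"x{c['reports']}")
```
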