Dnf warning message after upgrade from Rocky 8 to Rocky 9

Yes I know you aren’t supposed to do that but everything appears to be working except I now get a warning message whenever I run dnf - I guess SHA1 is deprecated - eg:

dnf update
warning: Signature not supported. Hash algorithm SHA1 not available.
Last metadata expiration check: 0:00:11 ago on Thu 22 Dec 2022 01:32:25 AM NZDT.
Dependencies resolved.
Nothing to do.

Any idea how to fix this? I’m assuming something in dnf carried over from Rocky 8 that needs to be changed to SHA2 or ?

1 Like

If it were in cache, then dnf --enablerepo=* clean all should help. I bet it won’t.

Are there any el8 packages still in system? Did the side-grade from CentOS Linux 8 to Rocky Linux 8 call dnf distro-sync to clean such details?

Most repos sign their packages with GPG keys. The keys are “imported” on first use somewhere, as rpm lists “gpg-pubkey*”. (Dnf does not.) That would be (lingering) “data” and el8 keys might contain SHA1.
rpm -qa gpg-pubkey\*

I would see what rpm --erase for the old keys achieves.

Sounds like you still have a gpg key on the system causing issues, you can list them with:

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

then when you find the one that is most likely causing the problems, you can remove it:

dnf remove gpg-pubkey-xxxxx-xxxxx

where xxxxx will be a random number for that particular key. Most likely a third-party repo from Rocky 8. Someone else had similar recently with a Plex repo they had used, on removing the gpg key/signature it worked normally again. You may also have other EL8 keys that are no longer needed and can also be removed.

Thanks. I noticed that there were two gpg keys for the digitalocean droplet agent repo. I removed both of them and then re-added the droplet agent repo and that fixed the problem. The repo gpg key must have been using a SHA1 hash at the time I installed it under Rocky 8.

1 Like