Key import error: "Signature not supported. Hash algorithm SHA1 not available."

Hi,

I’m currently properly rebuilding my own RPM package repo for the stuff that’s not available in any of the third-party repos. Currently I have three packages for Rocky Linux 8 here:

https://www.microlinux.fr/pub/rockylinux/

I just ran into a strange problem when setting up the repo for Rocky Linux 9. On the client machines, I use the following stanza for importing the repository’s GPG key:

- name: Import Microlinux GPG key
  ansible.builtin.rpm_key:
    key: https://www.microlinux.fr/pub/rockylinux/RPM-GPG-KEY
    state: present

On Rocky Linux 8, this works perfectly.

On Rocky Linux 9, Ansible spews back the following error:

TASK [repo_microlinux : Import Microlinux GPG key] ***********************************************************
fatal: [rocky-el9.microlinux.lan]: FAILED! => {"changed": false, "msg": "warning: Signature not supported. Hash algorithm SHA1 not available.\nerror: /tmp/tmpaupj3klo: key 1 import failed.\n"}

On a side note: my main workstation is running Rocky Linux 8, and I’m building packages for both Rocky Linux 8 and 9 using Mock.

Any suggestions?

Recommended: Generate new keys that are not sha1.

Alternative (not recommended): Update your crypto policies to allow sha1.


The latter would be with:

update-crypto-policies --set DEFAULT:SHA1

as described in "Chapter 3. Using system-wide cryptographic policies" (Red Hat Product Documentation).

But, since you make the keys, you can and should make the “better” keys.


I’m not sure how I would go about that.

I have a local GPG key on my workstation that I’ve had for a few years:

$ gpg --list-secret-keys 
/home/kikinovak/.gnupg/pubring.kbx
----------------------------------
sec   rsa4096 2018-04-09 [SCA]
      9C4708738E37651B867DA97451F1EF3EC56945AE
uid          [  ultime ] Nicolas Kovacs <info@microlinux.fr>
uid          [  ultime ] [jpeg image of size 15912]
ssb   rsa4096 2018-04-09 [E]

I exported this key like this:

gpg --export --armour info@microlinux.fr > RPM-GPG-KEY

And then I uploaded it to my repo.

I googled around a bit and found workarounds which consisted of editing ~/.rpmmacros. But as far as I understand, this has nothing to do with my key.

I admit I’m confused. What exactly is the bad part here, and how would I “make a better key”?

My bad. I did not check what “new keys” by @nazunalika means here.

The issue seems to be that the hash created by GPG when signing a package is SHA-1.
You probably saw the same things as me, like Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9

The “editing ~/.rpmmacros” is thus the “key” here – to force GPG sign with something other than SHA-1.


What I still don’t get: in my case, Ansible fails at an earlier stage when importing my public GPG key. And this key is in no way concerned by ~/.rpmmacros.

I’m still confused.

Is the public GPG also a hash from the secret key?

What is the output for your key of:

gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets | grep -A 2 signature | grep 'digest algo'

If it's digest algo 2, then you should recreate your key pair with a proper GnuPG configuration.

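The digest-algo check above, worked through as an added example that is not part of this thread: a small Python parser run over a constructed `gpg --list-packets` listing (keyids, timestamps and digest bytes are made up) that reports which self-signatures on a key were made with SHA-1 (digest algo 2) and would therefore be refused on EL9.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880 section 9.4): the "digest algo N"
# value that `gpg --list-packets` prints inside each signature packet.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_IDS = {1, 2}  # refused for signatures by the EL9 DEFAULT crypto policy

def parse_signature_packets(listing):
    """Return (sigclass, digest_algo, digest_name, weak) for every
    ':signature packet:' block in a `gpg --list-packets` dump."""
    sigs, in_sig, sigclass, digest = [], False, "?", None

    def flush():
        if in_sig and digest is not None:
            name = HASH_ALGOS.get(digest, f"unknown({digest})")
            sigs.append((sigclass, digest, name, digest in WEAK_HASH_IDS))

    for line in listing.splitlines():
        if line.startswith(":"):  # every packet header starts with ':'
            flush()
            in_sig = line.startswith(":signature packet:")
            sigclass, digest = "?", None
        elif in_sig:
            if m := re.search(r"sigclass (0x[0-9a-fA-F]+)", line):
                sigclass = m.group(1)  # 0x13 = UID self-sig, 0x18 = subkey binding
            if m := re.search(r"digest algo (\d+)", line):
                digest = int(m.group(1))
    flush()
    return sigs

def key_needs_regeneration(listing):
    """True if any self-signature on the key was made with MD5 or SHA-1."""
    return any(weak for _, _, _, weak in parse_signature_packets(listing))

# Constructed sample of `gpg --export-options export-minimal --export KEY |
# gpg --list-packets` (keyids and digest bytes are made up): the UID self-sig
# (sigclass 0x13) uses SHA-1 and the subkey binding (0x18) uses SHA-256.
SAMPLE_LISTING = """\
:public key packet:
\tversion 4, algo 1, created 1523260800, expires 0
\tkeyid: 0123456789ABCDEF
:user ID packet: "Example Packager <packager@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1523260800, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 3a 7c
:public sub key packet:
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1523260800, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 9f 01
"""
```

To run it against a real key, pipe the output of the `gpg --export-options export-minimal --export '<fingerprint>' | gpg --list-packets` command from the post above into `parse_signature_packets`; a key whose UID self-signature reports `SHA1` is the one RHEL/Rocky 9 will refuse to import.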

As far as I can tell, this was an old GPG key I had created under CentOS 7.

I just generated a new GPG key under Rocky Linux 8 and signed my packages with it, and everything’s fine now. Rocky Linux 9 can import the key without a hiccup.
