Safest way to install Codelite for Rocky 10.0

I need to install Codelite and used the RPM stream documentation:

https://docs.codelite.org/downloads/download/#codelite-rpms

so I went to import the public key first.

sudo rpm --import https://repos.codelite.org/CodeLite.asc

error: Certificate 6856E1DB1AC82609:
Policy rejects 6856E1DB1AC82609: No binding signature at time 2025-10-02T16:39:35Z
error: https://repos.codelite.org/CodeLite.asc: key 1 import failed.

I don’t think SHA1 is acceptable to Rocky anymore:

gpg --verify CodeLite.asc 2>/dev/null || gpg --list-packets CodeLite.asc

which shows digest algo 2 (= SHA1)

Is it acceptable to allow this legacy key to be imported like this? What do you think of having to lower the crypto policy like this to get common software installed?

sudo update-crypto-policies --set LEGACY
sudo rpm --import CodeLite.asc
sudo update-crypto-policies --set DEFAULT

Codelite have a forum; it might be worth asking on there. They say Fedora 41; maybe RHEL has a tighter policy?

SHA1 doesn’t exist in Rocky 10. It was deprecated in RHEL 9, and so in Rocky 9. There it was possible to use:

update-crypto-policies --set DEFAULT:SHA1

but that doesn’t exist in RHEL 10/Rocky 10. There is no SHA1 policy in EL10, so I don’t think legacy is even going to work. But you can try it. However, as soon as you switch back to DEFAULT, it will complain about the legacy key being on the system.

Get Codelite to update their signatures, which they should be doing anyway if they support EL10. That is the correct way to resolve it.
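
A pre-import check for the situation discussed in this thread, as an added example (not from the thread or from CodeLite): it reads `gpg --list-packets` output and reports the digest algorithm of each signature packet, so a SHA1-signed key is visible before `rpm --import` is attempted and without changing the crypto policy. The `weak_sig_report` function, the sample packet dump and its key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the digest algorithm of every signature packet in
# `gpg --list-packets` output (stdin). Exit status 1 if any use MD5 or SHA1.
weak_sig_report() {
    awk '
    function name(id) {            # RFC 4880 hash algorithm IDs
        if (id == 1)  return "MD5"
        if (id == 2)  return "SHA1"
        if (id == 3)  return "RIPEMD160"
        if (id == 8)  return "SHA256"
        if (id == 9)  return "SHA384"
        if (id == 10) return "SHA512"
        if (id == 11) return "SHA224"
        return "algo" id
    }
    /^:signature packet:/ { insig = 1; keyid = $NF; cls = "?"; next }
    /^:/                  { insig = 0; next }   # any other packet ends it
    insig && /sigclass/   { cls = $NF }         # 0x13 = user ID self-sig, 0x18 = subkey binding
    insig && $1 == "digest" && $2 == "algo" {
        id = $3 + 0                             # "2," converts to 2
        verdict = (id == 1 || id == 2) ? "WEAK" : "ok"
        if (verdict == "WEAK") weak++
        print keyid, cls, name(id), verdict
    }
    END { exit (weak > 0) }'
}

# Constructed sample of `gpg --list-packets` output (key ID is a placeholder).
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1388534400, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example Repo <repo@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1388534400, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 1a 2b
:public sub key packet:
    version 4, algo 1, created 1388534400, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 3c 4d
EOF
}

# Real use: gpg --list-packets CodeLite.asc | weak_sig_report
sample_packets | weak_sig_report || echo "MD5/SHA1 signature found"
```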
