RHEL 9 repo packages are signed with SHA-1 which is disabled in RHEL 9
hakong opened this issue
Describe the bug
SHA-1 has been disabled by default in RHEL 9 due to insecurity, see: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
Thruk Version
n/a
To Reproduce
Steps to reproduce the behavior:
- Enable ConSol RHEL 9 stable repo on an RHEL 9 system
- Attempt to install thruk
Expected behavior
Packages should install.
Actual behavior
Packages are not installed.
warning: Signature not supported. Hash algorithm SHA1 not available.
Error: GPG check FAILED
Desktop (please complete the following information):
n/a
Does this look similar in your setup:
%> rpm -Kv libthruk-3.00-0.rhel9.x86_64.rpm
libthruk-3.00-0.rhel9.x86_64.rpm:
Header V4 RSA/SHA512 Signature, key ID a57b9ed7: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
%> sha256sum libthruk-3.00-0.rhel9.x86_64.rpm
bb3686848010ee2a86a9d858db053a658290fe86fe6996e50dddab5944a7cd07 libthruk-3.00-0.rhel9.x86_64.rpm
Looks like there is a SHA512 signature.
I don't have any RHEL 9 available; it works fine on Rocky 9 and Alma 9. Is this a Red Hat thing?
Interesting. Just tested on a standalone system using the repo directly and that worked fine. In the original example the repository is mirrored using Foreman/Satellite and a client of that is trying to install thruk, and failing.
I switched over to the openSUSE Build Service repo and that worked fine using Foreman/Satellite.
Using the repo directly:
- ConSol labs repo: works
- openSUSE Build Service: works
Using the repo from a Foreman mirror:
- ConSol labs repo: fails
- openSUSE Build Service: works
I'll test this more at work next week.
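The `rpm -Kv` check used in the thread, turned into a small filter that separates signature lines from plain digest lines and marks signatures hashed with SHA1 or MD5. This is an added example, not code from the thread or from the Thruk project; the function names and the second sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read `rpm -Kv` output on stdin and
# separate signature lines from plain digest lines.

# Print "<pubkey-alg> <hash> <weak|ok> <rpm-verdict>" for each signature line.
# Digest lines such as "Header SHA1 digest: OK" are checksums, not signatures,
# so they are skipped.
list_signatures() {
    awk '/Signature,/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9]+\/[A-Za-z0-9]+$/) {
                split($i, alg, "/")
                h = toupper(alg[2])
                print alg[1], h, ((h == "SHA1" || h == "MD5") ? "weak" : "ok"), $NF
            }
    }'
}

# Number of signatures on stdin that use SHA1 or MD5 as their hash.
count_weak_signatures() {
    list_signatures | awk '$3 == "weak" { n++ } END { print n + 0 }'
}

# Output quoted in the thread for libthruk-3.00-0.rhel9.x86_64.rpm.
sample_from_thread() {
    cat <<'EOF'
libthruk-3.00-0.rhel9.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID a57b9ed7: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
EOF
}

# Constructed sample (assumption, not from the thread): a SHA1-hashed signature.
sample_constructed_sha1() {
    cat <<'EOF'
example-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 00000000: BAD
    Header SHA256 digest: OK
EOF
}

sample_from_thread | list_signatures        # RSA SHA512 ok OK
sample_constructed_sha1 | list_signatures   # RSA SHA1 weak BAD
```

Running `rpm -Kv <package> | list_signatures` on the copy fetched directly and on the copy served by the mirror shows whether both carry the same signature algorithm.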