CentOS - Jun 2022 - Update RPM GPG key for EL9

Looks like the GPG key we use to sign our RPMs is not longer good with EL9:

# rpm --import RPM-GPG-KEY-nwra
error: RPM-GPG-KEY-nwra: key 1 import failed

gpg key info:

sec  rsa2048/35DDB0B86218AC2F
     created: 2017-08-16  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/6A7FBC1E9DB22E8E
     created: 2017-08-16  expires: never       usage: E

Can someone explain what I need to do to make things compatible with EL9?

Thank you!

-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

On 01/06/2022 19:51, Orion Poplawski wrote:
> Looks like the GPG key we use to sign our RPMs is not longer good with EL9:
> 
> # rpm --import RPM-GPG-KEY-nwra
> error: RPM-GPG-KEY-nwra: key 1 import failed
> 
> gpg key info:
> 
> sec  rsa2048/35DDB0B86218AC2F
>       created: 2017-08-16  expires: never       usage: SC
>       trust: ultimate      validity: ultimate
> ssb  rsa2048/6A7FBC1E9DB22E8E
>       created: 2017-08-16  expires: never       usage: E
> 
> Can someone explain what I need to do to make things compatible with EL9?
> 
> Thank you!
> 
Just ensure that it's not using SHA1, which was deprecated, reason why 
the CentOS keys had to be re-signed with newer algo too

See this thread : 
https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20220601/db732bce/attachment-0003.sig>

On 6/1/22 13:43, Fabian Arrotin wrote:
> On 01/06/2022 19:51, Orion Poplawski wrote:
>> Looks like the GPG key we use to sign our RPMs is not longer good with
EL9:
>>
>> # rpm --import RPM-GPG-KEY-nwra
>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>
>> gpg key info:
>>
>> sec? rsa2048/35DDB0B86218AC2F
>> ????? created: 2017-08-16? expires: never?????? usage: SC
>> ????? trust: ultimate????? validity: ultimate
>> ssb? rsa2048/6A7FBC1E9DB22E8E
>> ????? created: 2017-08-16? expires: never?????? usage: E
>>
>> Can someone explain what I need to do to make things compatible with
EL9?
>>
>> Thank you!
>>
> 
> Just ensure that it's not using SHA1, which was deprecated, reason why
the
> CentOS keys had to be re-signed with newer algo too
> 
> See this thread :
> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html
Thanks - but I don't know how to check if it is using SHA1 or how to
regenerate it with SHA512.


-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/