On 6/1/22 13:43, Fabian Arrotin wrote:
> On 01/06/2022 19:51, Orion Poplawski wrote:
>> Looks like the GPG key we use to sign our RPMs is no longer good with EL9:
>>
>> # rpm --import RPM-GPG-KEY-nwra
>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>
>> gpg key info:
>>
>> sec   rsa2048/35DDB0B86218AC2F
>>       created: 2017-08-16  expires: never       usage: SC
>>       trust: ultimate      validity: ultimate
>> ssb   rsa2048/6A7FBC1E9DB22E8E
>>       created: 2017-08-16  expires: never       usage: E
>>
>> Can someone explain what I need to do to make things compatible with EL9?
>>
>> Thank you!
>>
>
> Just ensure that it's not using SHA1, which was deprecated, which is why the
> CentOS keys had to be re-signed with a newer algo too
>
> See this thread:
> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html

Thanks - but I don't know how to check if it is using SHA1 or how to regenerate it with SHA512.

-- 
Orion Poplawski
IT Systems Manager                       720-772-5637
NWRA, Boulder/CoRA Office            FAX: 303-415-9702
3380 Mitchell Lane                     orion at nwra.com
Boulder, CO 80301                https://www.nwra.com/
On 02/06/2022 00:22, Orion Poplawski wrote:
> On 6/1/22 13:43, Fabian Arrotin wrote:
>> On 01/06/2022 19:51, Orion Poplawski wrote:
>>> Looks like the GPG key we use to sign our RPMs is no longer good with EL9:
>>>
>>> # rpm --import RPM-GPG-KEY-nwra
>>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>>
>>> gpg key info:
>>>
>>> sec   rsa2048/35DDB0B86218AC2F
>>>       created: 2017-08-16  expires: never       usage: SC
>>>       trust: ultimate      validity: ultimate
>>> ssb   rsa2048/6A7FBC1E9DB22E8E
>>>       created: 2017-08-16  expires: never       usage: E
>>>
>>> Can someone explain what I need to do to make things compatible with EL9?
>>>
>>> Thank you!
>>>
>>
>> Just ensure that it's not using SHA1, which was deprecated, which is why the
>> CentOS keys had to be re-signed with a newer algo too
>>
>> See this thread:
>> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html
>
> Thanks - but I don't know how to check if it is using SHA1 or how to
> regenerate it with SHA512.
>

You can always check the digest algo on existing public keys with --list-packets

Example for the older Cloud SIG pub key (but same for other keys):

curl --silent https://git.centos.org/centos/centos.org/raw/26a8f19095de699769b00109a1d69b37474ec388/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud | gpg --list-packets | grep "digest algo"
    digest algo 2, begin of digest 01 35

digest algo 2 is the problem, as it's SHA1, which is now deprecated

So you don't need to create a new key, but just re-sign with a better algo.
Just ensure that you have 'cert-digest-algo SHA512' in ~/.gnupg/gpg.conf and re-signing existing gpg key[s] would work.
The easiest way to have these re-signed is to 'gpg --edit-key <key_id>', then edit both primary and sub, setting a different expiration date (even if already set to never), save and then export with 'gpg --export --armor' again.

You can see the difference on the public key:

curl --silent https://git.centos.org/centos/centos.org/raw/main/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud | gpg --list-packets | grep "digest algo"
    digest algo 10, begin of digest 73 02

Which shows a better signature algo and it can be imported now on RHEL9/Stream9 and others

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
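Fabian's two steps (inspect the `digest algo` of the self-signatures, then re-sign with SHA512 and re-export) gathered into one script. This is an added example, not code from the thread or from the CentOS project. It assumes GnuPG 2.1.17 or later, uses `--quick-set-expire` as the non-interactive stand-in for the `expire` step inside `gpg --edit-key`, passes `--cert-digest-algo SHA512` on the command line instead of editing `~/.gnupg/gpg.conf`, and assumes (as Fabian's advice implies) that issuing a new expiry rewrites the self-signatures even when the expiry value is unchanged; pass a real expiry such as `2y` if you want to follow his "set a different expiration date" literally. The function names and the hash-ID table are mine; the ID table is the OpenPGP registry (RFC 4880 section 9.4), so the check accepts the whole SHA-2 family, not just SHA512.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find weak-digest self-signatures on an
# OpenPGP key via `gpg --list-packets`, then re-issue them with SHA512 so the
# exported key file imports cleanly with `rpm --import` on EL9.
set -euo pipefail

# Hash algorithm IDs printed by `gpg --list-packets` as "digest algo N"
# (OpenPGP, RFC 4880 section 9.4).
hash_algo_name() {
  case "$1" in
    1)  echo MD5 ;;
    2)  echo SHA1 ;;
    3)  echo RIPEMD160 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *)  echo "unknown($1)" ;;
  esac
}

# Read a `gpg --list-packets` dump on stdin; print the distinct digest
# algorithm IDs of its signature packets, one per line, numerically sorted.
digest_algos_in_dump() {
  sed -n 's/^[[:space:]]*digest algo \([0-9][0-9]*\),.*/\1/p' | sort -un
}

# Return 0 if every signature in the dump on stdin uses a SHA-2 digest
# (IDs 8-11), 1 if any uses MD5/SHA1/RIPEMD160 or an unknown ID, and 2 if
# the dump holds no signature packets at all (wrong file, or not a key).
dump_is_sha2_only() {
  local algos weak id
  algos=$(digest_algos_in_dump)
  if [ -z "$algos" ]; then
    echo "no signature packets found" >&2
    return 2
  fi
  weak=$(printf '%s\n' "$algos" | awk '$1 < 8 || $1 > 11')
  if [ -n "$weak" ]; then
    for id in $weak; do
      echo "weak digest algo $id ($(hash_algo_name "$id"))" >&2
    done
    return 1
  fi
  return 0
}

# Same check on an exported (armored or binary) public key file;
# pass '-' to read the key from stdin, as in Fabian's curl pipeline.
keyfile_is_sha2_only() {
  gpg --list-packets "$1" | dump_is_sha2_only
}

# Re-issue the self-signatures of KEYID (primary key and every subkey) with
# SHA512 and print the re-exported public key. Equivalent to Fabian's
# `gpg --edit-key`, `expire` on the primary and each subkey, `save`, but
# non-interactive (assumes GnuPG >= 2.1.17 for --quick-set-expire).
# EXPIRE uses gpg's syntax: "0" = never (default here), "2y" = two years.
resign_self_sigs_sha512() {
  local keyid=$1 expire=${2:-0} fprs
  # `fpr` records come out primary key first, then one per subkey.
  fprs=($(gpg --with-colons --list-keys "$keyid" | awk -F: '$1 == "fpr" { print $10 }'))
  [ "${#fprs[@]}" -ge 1 ] || { echo "no key found for $keyid" >&2; return 1; }
  gpg --cert-digest-algo SHA512 --quick-set-expire "${fprs[0]}" "$expire"
  if [ "${#fprs[@]}" -gt 1 ]; then
    gpg --cert-digest-algo SHA512 --quick-set-expire "${fprs[0]}" "$expire" "${fprs[@]:1}"
  fi
  gpg --export --armor "${fprs[0]}"
}

# Usage: ./rpm-key-digest.sh check <keyfile|-> | resign <keyid> [expire]
# Nothing runs when the file is sourced or invoked without arguments.
case "${1:-}" in
  check)  keyfile_is_sha2_only "$2" ;;
  resign) resign_self_sigs_sha512 "$2" "${3:-0}" ;;
esac
```

Run `check` on the old key file to reproduce Fabian's `digest algo 2` finding, `resign` with your key ID to produce the new `RPM-GPG-KEY-...` file, then `check` that file again before confirming with `rpm --import` on an EL9 host. The key ID and fingerprint do not change, because they are derived from the public key material rather than from the self-signatures, so existing repository configurations keep working. Two caveats: the secret key must be in the local keyring (you will be prompted for its passphrase), and this fixes only the key's self-signatures; packages whose own signatures were made with SHA1 (`rpm -Kv pkg.rpm` shows the digest used) are a separate problem.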
On 6/1/22 23:40, Fabian Arrotin wrote:
> On 02/06/2022 00:22, Orion Poplawski wrote:
>> On 6/1/22 13:43, Fabian Arrotin wrote:
>>> On 01/06/2022 19:51, Orion Poplawski wrote:
>>>> Looks like the GPG key we use to sign our RPMs is no longer good with EL9:
>>>>
>>>> # rpm --import RPM-GPG-KEY-nwra
>>>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>>>
>>>> gpg key info:
>>>>
>>>> sec   rsa2048/35DDB0B86218AC2F
>>>>       created: 2017-08-16  expires: never       usage: SC
>>>>       trust: ultimate      validity: ultimate
>>>> ssb   rsa2048/6A7FBC1E9DB22E8E
>>>>       created: 2017-08-16  expires: never       usage: E
>>>>
>>>> Can someone explain what I need to do to make things compatible with EL9?
>>>>
>>>> Thank you!
>>>>
>>>
>>> Just ensure that it's not using SHA1, which was deprecated, which is why the
>>> CentOS keys had to be re-signed with a newer algo too
>>>
>>> See this thread:
>>> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html
>>
>> Thanks - but I don't know how to check if it is using SHA1 or how to
>> regenerate it with SHA512.
>>
>
> You can always check the digest algo on existing public keys with --list-packets
>
> Example for the older Cloud SIG pub key (but same for other keys):
>
> curl --silent https://git.centos.org/centos/centos.org/raw/26a8f19095de699769b00109a1d69b37474ec388/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud | gpg --list-packets | grep "digest algo"
>     digest algo 2, begin of digest 01 35
>
> digest algo 2 is the problem, as it's SHA1, which is now deprecated
>
> So you don't need to create a new key, but just re-sign with a better algo.
> Just ensure that you have 'cert-digest-algo SHA512' in ~/.gnupg/gpg.conf and
> re-signing existing gpg key[s] would work.
> The easiest way to have these re-signed is to 'gpg --edit-key <key_id>', then
> edit both primary and sub, setting a different expiration date (even if already
> set to never), save and then export with 'gpg --export --armor' again.
>
> You can see the difference on the public key:
> curl --silent https://git.centos.org/centos/centos.org/raw/main/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud | gpg --list-packets | grep "digest algo"
>     digest algo 10, begin of digest 73 02
>
> Which shows a better signature algo and it can be imported now on
> RHEL9/Stream9 and others

Thank you! Exactly what I needed.

-- 
Orion Poplawski
IT Systems Manager                       720-772-5637
NWRA, Boulder/CoRA Office            FAX: 303-415-9702
3380 Mitchell Lane                     orion at nwra.com
Boulder, CO 80301                https://www.nwra.com/