<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Il giorno gio 3 mar 2022 alle ore 09:15 Fabian Arrotin <<a href="mailto:arrfab@centos.org">arrfab@centos.org</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 03/03/2022 04:11, Brian Stinson wrote:<br>
> Hi Folks,<br>
> <br>
> OpenSSL in CentOS Stream and RHEL 9 intends to remove the sha1<br>
> algorithm, and recently a build landed that makes this change.<br>
> <br>
> When that build first went to testing we noticed that the CentOS SIG<br>
> rpm signing keys (including the one enabled by default for Extras)<br>
> contained a sha1 signature on one of the subkeys, which caused trouble<br>
> validating rpms.<br>
> <br>
> We have begun to mitigate this by re-signing the offending subkey in<br>
> the Extras signing key and are currently pushing a compose to the<br>
> mirrors. If you've previously imported the Extras key (like if you've<br>
> installed a SIG centos-release package on your system), you may notice<br>
> messages during an rpm transaction like:<br>
> <br>
> `Key import failed (code 2)`<br>
> <br>
> followed by<br>
> <br>
> `Error: GPG check FAILED`<br>
> <br>
> To continue you will need to update to centos-gpg-keys-9.0-12.el9<br>
> (plus the corresponding centos-stream-release package) and perform a<br>
> manual step:<br>
> <br>
> `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512`<br>
> <br>
> Since all of the SIG keys are affected as well, we are working on<br>
> re-signing subkeys for those SIGs that are currently shipping content<br>
> for CentOS Stream 9. We will post links to the updated pubkeys and SIG<br>
> leaders will need to rebuild their centos-release packages to include<br>
> these new keys. We expect references to those new keys to be published<br>
> in the next couple of days.<br>
> <br>
> If there are any questions please find us in #centos-devel or<br>
> #centos-stream in libera, or reply here.<br>
> <br>
> Cheers!<br>
> --Brian<br>
> <br>
> References:<br>
> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2059424" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=2059424</a><br>
> <br>
<br>
As a follow-up in this thread, all SIGs gpg public keys are now <br>
re-signed and available on <a href="https://www.centos.org/keys/" rel="noreferrer" target="_blank">https://www.centos.org/keys/</a><br>
<br>
FWIW, this is the commit with the diff : <br>
<a href="https://git.centos.org/centos/centos.org/c/ea540d5b2eeebedaff28b0ef504b58304e5444a7?branch=main" rel="noreferrer" target="_blank">https://git.centos.org/centos/centos.org/c/ea540d5b2eeebedaff28b0ef504b58304e5444a7?branch=main</a><br>
<br>
Worth knowing that nothing WRT private keys was changed, so only public <br>
keys now (including sub keys) signed with SHA512 (and default for the <br>
future)<br>
Also worth knowing that RPM packages signed in the past were already <br>
signed with SHA256, so we don't have to worry about SHA1 for rpm <br>
packages (already done in the past)<br>
<br>
As Brian said above, that means that SIGs can now start rebuilding their <br>
-release pkgs for Stream 9 with the re-signed gpg pub key , and inform <br>
their users about the change and manual intervention<br></blockquote><div><br></div><div>Thanks, starting to update Virt SIG</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
-- <br>
Fabian Arrotin<br>
The CentOS Project | <a href="https://www.centos.org" rel="noreferrer" target="_blank">https://www.centos.org</a><br>
gpg key: 17F3B7A1 | twitter: @arrfab<br>
_______________________________________________<br>
CentOS-devel mailing list<br>
<a href="mailto:CentOS-devel@centos.org" target="_blank">CentOS-devel@centos.org</a><br>
<a href="https://lists.centos.org/mailman/listinfo/centos-devel" rel="noreferrer" target="_blank">https://lists.centos.org/mailman/listinfo/centos-devel</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px"><span>Sandro</span> <span>Bonazzola</span><span style="text-transform:uppercase;color:rgb(170,170,170);margin:0px"></span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px"><span>MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV</span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px 0px 4px;font-size:12px"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px" target="_blank">Red Hat <span>EMEA</span></a></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-bottom:4px"></div><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px;font-size:12px"><span style="margin:0px;padding:0px"><a href="mailto:sbonazzo@redhat.com" style="color:rgb(0,0,0);margin:0px" target="_blank">sbonazzo@redhat.com</a> </span></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-top:12px"><div style="margin-top:12px"><table border="0"><tbody><tr><td width="100px"><a href="https://www.redhat.com/" target="_blank"><img src="https://static.redhat.com/libs/redhat/brand-assets/2/corp/logo--200.png" width="96" height="23"></a></td><td style="font-size:12px"><div></div></td></tr></tbody></table></div></div><table border="0"><tbody><tr></tr></tbody></table><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b></b></font></div><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b>Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.<br></b></font></div><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b><br><br></b></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>