[CentOS-devel] GPG check FAILED using CentOS Stream 9 Extras and other SIG Keys

Thu Mar 3 03:11:05 UTC 2022
Brian Stinson <bstinson at redhat.com>

Hi Folks,

OpenSSL in CentOS Stream and RHEL 9 intends to remove the sha1
algorithm, and recently a build landed that makes this change.

When that build first went to testing we noticed that the CentOS SIG
rpm signing keys (including the one enabled by default for Extras)
contained a sha1 signature on one of the subkeys, which caused trouble
validating rpms.

We have begun to mitigate this by re-signing the offending subkey in
the Extras signing key and are currently pushing a compose to the
mirrors. If you've previously imported the Extras key (like if you've
installed a SIG centos-release package on your system), you may notice
messages during an rpm transaction like:

`Key import failed (code 2)`

followed by

`Error: GPG check FAILED`

To continue you will need to update to centos-gpg-keys-9.0-12.el9
(plus the corresponding centos-stream-release package) and perform a
manual step:

`rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512`

Since all of the SIG keys are affected as well, we are working on
re-signing subkeys for those SIGs that are currently shipping content
for CentOS Stream 9. We will post links to the updated pubkeys and SIG
leaders will need to rebuild their centos-release packages to include
these new keys. We expect references to those new keys to be published
in the next couple of days.

If there are any questions please find us in #centos-devel or
#centos-stream in libera, or reply here.

Cheers!
--Brian

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2059424
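As an added example, not part of Brian's post or of the CentOS project's tooling: a small POSIX shell plus awk script that reads `gpg --list-packets` output and flags signature packets whose digest algorithm is SHA-1 (OpenPGP hash algorithm id 2) or MD5 (id 1), so you can check a key file under /etc/pki/rpm-gpg, or a key already imported into the rpm database, before OpenSSL starts rejecting it. The packet dump embedded below is constructed and its key IDs are placeholders, not CentOS keys; the two helpers that inspect real keys assume gnupg2 and rpm are installed, and `scan_imported_key` assumes rpm stores the armored key in the gpg-pubkey package's description (which is what `rpm -qi gpg-pubkey-...` shows).

```shell
#!/bin/sh
# Added example (not from the original post): find OpenPGP signatures that
# still use SHA-1 or MD5 in a public key, the condition that made rpm fail
# with "Key import failed (code 2)" once OpenSSL dropped SHA-1.

# Constructed sample of `gpg --list-packets` output: a primary key whose
# user ID self-signature uses SHA-512 and a subkey whose binding signature
# (sigclass 0x18) still uses SHA-1. Key IDs are placeholders.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1600000000, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 0123456789ABCDEF
:user ID packet: "Example SIG (Example) <example@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1600000000, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 12 34
:public sub key packet:
    version 4, algo 1, created 1600000000, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1600000000, md5len 0, sigclass 0x18
    digest algo 2, begin of digest ab cd
EOF
}

# Read `gpg --list-packets` output on stdin. Print one line per signature
# packet ("sig on <key> class <sigclass> by <issuer> digest <name>[ WEAK]")
# and return 1 if any signature uses MD5 (1) or SHA-1 (2), else 0.
# Hash algorithm ids follow RFC 4880 section 9.4.
weak_sigs() {
    awk '
    BEGIN {
        name[1] = "MD5";    name[2] = "SHA1";   name[8] = "SHA256"
        name[9] = "SHA384"; name[10] = "SHA512"; name[11] = "SHA224"
        subject = "?"; issuer = "?"; sigclass = "?"; found = 0
    }
    # A new key or subkey packet: the signatures that follow bind to it.
    /^:(public|secret)( sub)? key packet:/ { subject = "?" }
    /^[ \t]*keyid: /                        { subject = $2 }
    # Signature packet header carries the issuer key id as the last field.
    /^:signature packet:/                   { issuer = $NF; sigclass = "?" }
    /sigclass 0x/ {
        for (i = 1; i < NF; i++) if ($i == "sigclass") sigclass = $(i + 1)
    }
    /^[ \t]*digest algo [0-9]+/ {
        algo = $3; sub(/,$/, "", algo); a = algo + 0
        d = (a in name) ? name[a] : "algo-" a
        weak = (a == 1 || a == 2) ? " WEAK" : ""
        if (weak != "") found = 1
        printf "sig on %s class %s by %s digest %s%s\n", subject, sigclass, issuer, d, weak
    }
    END { exit found }
    '
}

# Inspect a key file on disk, e.g. /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras.
scan_key_file() {
    gpg --list-packets "$1" | weak_sigs
}

# Inspect a key already imported into rpm, given its gpg-pubkey package name
# (see `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'`).
scan_imported_key() {
    rpm -q --qf '%{DESCRIPTION}' "$1" | gpg --list-packets | weak_sigs
}

# Stand-alone run on the constructed sample; a non-zero status means the
# key needs to be re-signed (or the fixed key re-imported) before use.
sample_packets | weak_sigs || echo "SHA-1/MD5 signature(s) present: re-import the fixed key"
```

Run `scan_key_file` against each file under /etc/pki/rpm-gpg to see which SIG keys carry a SHA-1 subkey binding signature; a key whose subkey lines all report SHA256 or SHA512 is one that has already been re-signed.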