[CentOS-devel] GPG check FAILED using CentOS Stream 9 Extras and other SIG Keys

Thu Mar 3 08:15:11 UTC 2022
Fabian Arrotin <arrfab at centos.org>

On 03/03/2022 04:11, Brian Stinson wrote:
> Hi Folks,
> OpenSSL in CentOS Stream and RHEL 9 intends to remove the sha1
> algorithm, and recently a build landed that makes this change.
> When that build first went to testing we noticed that the CentOS SIG
> rpm signing keys (including the one enabled by default for Extras)
> contained a sha1 signature on one of the subkeys, which caused trouble
> validating rpms.
> We have begun to mitigate this by re-signing the offending subkey in
> the Extras signing key and are currently pushing a compose to the
> mirrors. If you've previously imported the Extras key (like if you've
> installed a SIG centos-release package on your system), you may notice
> messages during an rpm transaction like:
> `Key import failed (code 2)`
> followed by
> `Error: GPG check FAILED`
> To continue you will need to update to centos-gpg-keys-9.0-12.el9
> (plus the corresponding centos-stream-release package) and perform a
> manual step:
> `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512`
> Since all of the SIG keys are affected as well, we are working on
> re-signing subkeys for those SIGs that are currently shipping content
> for CentOS Stream 9. We will post links to the updated pubkeys and SIG
> leaders will need to rebuild their centos-release packages to include
> these new keys. We expect references to those new keys to be published
> in the next couple of days.
> If there are any questions please find us in #centos-devel or
> #centos-stream in libera, or reply here.
> Cheers!
> --Brian
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=2059424

As a follow-up in this thread, all SIGs gpg public keys are now 
re-signed and available on https://www.centos.org/keys/

FWIW, this is the commit with the diff : 

Worth knowing that nothing WRT private keys was changed, so only public 
keys now (including sub keys) signed with SHA512 (and default for the 
Also worth knowing that RPM packages signed in the past were already 
signed with SHA256, so we don't have to worry about SHA1 for rpm 
packages (already done in the past)

As Brian said above, that means that SIGs can now start rebuilding their 
-release pkgs for Stream 9 with the re-signed gpg pub key , and inform 
their users about the change and manual intervention

Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xA25DBAFB17F3B7A1.asc
Type: application/pgp-keys
Size: 12767 bytes
Desc: OpenPGP public key
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20220303/3128e815/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20220303/3128e815/attachment.sig>