[CentOS-devel] GPG check FAILED using CentOS Stream 9 Extras and other SIG Keys

Thu Mar 3 08:16:39 UTC 2022
Sandro Bonazzola <sbonazzo at redhat.com>

Il giorno gio 3 mar 2022 alle ore 09:15 Fabian Arrotin <arrfab at centos.org>
ha scritto:

> On 03/03/2022 04:11, Brian Stinson wrote:
> > Hi Folks,
> >
> > OpenSSL in CentOS Stream and RHEL 9 intends to remove the sha1
> > algorithm, and recently a build landed that makes this change.
> >
> > When that build first went to testing we noticed that the CentOS SIG
> > rpm signing keys (including the one enabled by default for Extras)
> > contained a sha1 signature on one of the subkeys, which caused trouble
> > validating rpms.
> >
> > We have begun to mitigate this by re-signing the offending subkey in
> > the Extras signing key and are currently pushing a compose to the
> > mirrors. If you've previously imported the Extras key (like if you've
> > installed a SIG centos-release package on your system), you may notice
> > messages during an rpm transaction like:
> >
> > `Key import failed (code 2)`
> >
> > followed by
> >
> > `Error: GPG check FAILED`
> >
> > To continue you will need to update to centos-gpg-keys-9.0-12.el9
> > (plus the corresponding centos-stream-release package) and perform a
> > manual step:
> >
> > `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512`
> >
> > Since all of the SIG keys are affected as well, we are working on
> > re-signing subkeys for those SIGs that are currently shipping content
> > for CentOS Stream 9. We will post links to the updated pubkeys and SIG
> > leaders will need to rebuild their centos-release packages to include
> > these new keys. We expect references to those new keys to be published
> > in the next couple of days.
> >
> > If there are any questions please find us in #centos-devel or
> > #centos-stream in libera, or reply here.
> >
> > Cheers!
> > --Brian
> >
> > References:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2059424
> >
>
> As a follow-up in this thread, all SIGs gpg public keys are now
> re-signed and available on https://www.centos.org/keys/
>
> FWIW, this is the commit with the diff :
>
> https://git.centos.org/centos/centos.org/c/ea540d5b2eeebedaff28b0ef504b58304e5444a7?branch=main
>
> Worth knowing that nothing WRT private keys was changed, so only public
> keys now (including sub keys) signed with SHA512 (and default for the
> future)
> Also worth knowing that RPM packages signed in the past were already
> signed with SHA256, so we don't have to worry about SHA1 for rpm
> packages (already done in the past)
>
> As Brian said above, that means that SIGs can now start rebuilding their
> -release pkgs for Stream 9 with the re-signed gpg pub key , and inform
> their users about the change and manual intervention
>

Thanks, starting to update Virt SIG



>
> --
> Fabian Arrotin
> The CentOS Project | https://www.centos.org
> gpg key: 17F3B7A1 | twitter: @arrfab
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
>


-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA <https://www.redhat.com/>

sbonazzo at redhat.com
<https://www.redhat.com/>

*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20220303/7e9e842a/attachment-0002.html>