[CentOS] Update RPM GPG key for EL9

Thu Jun 2 05:40:35 UTC 2022
Fabian Arrotin <arrfab at centos.org>

On 02/06/2022 00:22, Orion Poplawski wrote:
> On 6/1/22 13:43, Fabian Arrotin wrote:
>> On 01/06/2022 19:51, Orion Poplawski wrote:
>>> Looks like the GPG key we use to sign our RPMs is not longer good with EL9:
>>>
>>> # rpm --import RPM-GPG-KEY-nwra
>>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>>
>>> gpg key info:
>>>
>>> sec  rsa2048/35DDB0B86218AC2F
>>>        created: 2017-08-16  expires: never       usage: SC
>>>        trust: ultimate      validity: ultimate
>>> ssb  rsa2048/6A7FBC1E9DB22E8E
>>>        created: 2017-08-16  expires: never       usage: E
>>>
>>> Can someone explain what I need to do to make things compatible with EL9?
>>>
>>> Thank you!
>>>
>>
>> Just ensure that it's not using SHA1, which was deprecated, reason why the
>> CentOS keys had to be re-signed with newer algo too
>>
>> See this thread :
>> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html
> 
> Thanks - but I don't know how to check if it is using SHA1 or how to
> regenerate it with SHA512.
> 

You can always check the digest algo on existing public keys with 
--list-packets

Example for the older Cloud SIG pub key (but same for other keys) :

curl --silent 
https://git.centos.org/centos/centos.org/raw/26a8f19095de699769b00109a1d69b37474ec388/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud|gpg 
--list-packets|grep "digest algo"
	digest algo 2, begin of digest 01 35

digest algo 2 is the problem , as it's SHA1, which is now deprecated

So you don't need to create new key, but just re-sign with better algo
Just ensure that you have 'cert-digest-algo SHA512' in ~/.gnupg/gpg.conf 
and re-signing existing gpg key[s] would work
The easiest way to have these re-signed is to 'gpg --edit-key <key_id>` 
, then edit both primary and sub, setting different expiration date 
(even if already set to never), save and then export with 'gpg --export 
--armor' again

You can see the difference on the public key:
curl --silent 
https://git.centos.org/centos/centos.org/raw/main/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud|gpg 
--list-packets|grep "digest algo"
	digest algo 10, begin of digest 73 02

Which shows a better signature algo and it can be imported now on 
RHEL9/Stream9 and others

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20220602/f5ae31d5/attachment-0003.sig>