[CentOS] Update RPM GPG key for EL9

Thu Jun 2 15:01:44 UTC 2022
Orion Poplawski <orion at nwra.com>

On 6/1/22 23:40, Fabian Arrotin wrote:
> On 02/06/2022 00:22, Orion Poplawski wrote:
>> On 6/1/22 13:43, Fabian Arrotin wrote:
>>> On 01/06/2022 19:51, Orion Poplawski wrote:
>>>> Looks like the GPG key we use to sign our RPMs is not longer good with EL9:
>>>>
>>>> # rpm --import RPM-GPG-KEY-nwra
>>>> error: RPM-GPG-KEY-nwra: key 1 import failed
>>>>
>>>> gpg key info:
>>>>
>>>> sec  rsa2048/35DDB0B86218AC2F
>>>>        created: 2017-08-16  expires: never       usage: SC
>>>>        trust: ultimate      validity: ultimate
>>>> ssb  rsa2048/6A7FBC1E9DB22E8E
>>>>        created: 2017-08-16  expires: never       usage: E
>>>>
>>>> Can someone explain what I need to do to make things compatible with EL9?
>>>>
>>>> Thank you!
>>>>
>>>
>>> Just ensure that it's not using SHA1, which was deprecated, reason why the
>>> CentOS keys had to be re-signed with newer algo too
>>>
>>> See this thread :
>>> https://lists.centos.org/pipermail/centos-devel/2022-March/120263.html
>>
>> Thanks - but I don't know how to check if it is using SHA1 or how to
>> regenerate it with SHA512.
>>
> 
> You can always check the digest algo on existing public keys with --list-packets
> 
> Example for the older Cloud SIG pub key (but same for other keys) :
> 
> curl --silent
> https://git.centos.org/centos/centos.org/raw/26a8f19095de699769b00109a1d69b37474ec388/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud|gpg
> --list-packets|grep "digest algo"
>     digest algo 2, begin of digest 01 35
> 
> digest algo 2 is the problem , as it's SHA1, which is now deprecated
> 
> So you don't need to create new key, but just re-sign with better algo
> Just ensure that you have 'cert-digest-algo SHA512' in ~/.gnupg/gpg.conf and
> re-signing existing gpg key[s] would work
> The easiest way to have these re-signed is to 'gpg --edit-key <key_id>` , then
> edit both primary and sub, setting different expiration date (even if already
> set to never), save and then export with 'gpg --export --armor' again
> 
> You can see the difference on the public key:
> curl --silent
> https://git.centos.org/centos/centos.org/raw/main/f/keys/RPM-GPG-KEY-CentOS-SIG-Cloud|gpg
> --list-packets|grep "digest algo"
>     digest algo 10, begin of digest 73 02
> 
> Which shows a better signature algo and it can be imported now on
> RHEL9/Stream9 and others

Thank you!  Exactly what I needed.


-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/