Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Repo key cannot be imported on RHEL-9 #89487

Closed
assen-totin opened this issue Aug 20, 2022 · 2 comments
Closed

Repo key cannot be imported on RHEL-9 #89487

assen-totin opened this issue Aug 20, 2022 · 2 comments
Labels
>bug :Core/Infra/Settings Settings infrastructure and APIs Team:Core/Infra Meta label for core/infra team

Comments

@assen-totin
Copy link

Elasticsearch Version

any

Installed Plugins

No response

Java Version

any

OS Version

RHEL-9

Problem Description

RHEL-9 disabled the usage of the long-deprecate SHA-1 for signatures.

The ES repo key dates form 2013 (when SHA-1 was already deprecated) and it used SHA-1. This means that the ES repo cannot be added to RHEL-9, unless its security settings are changed, which conflicts with security certification requirements.

You need to generate a new key that will use a modern-day algorithm like SHA-256 and re-sign your packages.

Current key info - look for "digest algo 2", this denotes SHA-1; once you switch to SHA-256, it will say something like "digest algo 8":

[assen.totin@archimed Desktop]$ gpg -vv GPG-KEY-elasticsearch
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v2.0.14 (GNU/Linux)
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1379344074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: D27D666CD88E42B4
# off=272 ctb=b4 tag=13 hlen=2 plen=69
:user ID packet: "Elasticsearch (Elasticsearch Signing Key) <[email protected]>"
# off=343 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid D27D666CD88E42B4
	version 4, created 1379344074, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 73 8c
	hashed subpkt 2 len 4 (sig created 2013-09-16)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID D27D666CD88E42B4)
	data: [2048 bits]
# off=658 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
	version 4, algo 1, created 1379344074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: AB6B7FCB60D31954
# off=930 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid D27D666CD88E42B4
	version 4, created 1379344074, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 73 73
	hashed subpkt 2 len 4 (sig created 2013-09-16)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID D27D666CD88E42B4)
	data: [2048 bits]
pub   rsa2048 2013-09-16 [SC]
      46095ACC8548582C1A2699A9D27D666CD88E42B4
uid           Elasticsearch (Elasticsearch Signing Key) <[email protected]>
sig        D27D666CD88E42B4 2013-09-16   [selfsig]
sub   rsa2048 2013-09-16 [E]
sig        D27D666CD88E42B4 2013-09-16   [keybind]

Steps to Reproduce

Try to import the key into a RHEL-9 system. Result is:

Importing GPG key 0xD88E42B4:
 Userid     : "Elasticsearch (Elasticsearch Signing Key) <[email protected]>"
 Fingerprint: 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
 From       : https://packages.elastic.co/GPG-KEY-elasticsearch
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: elasticsearch-8.3.3-1.x86_64

Logs (if relevant)

No response

@assen-totin assen-totin added >bug needs:triage Requires assignment of a team area label labels Aug 20, 2022
@gmarouli gmarouli added :Core/Infra/Settings Settings infrastructure and APIs and removed needs:triage Requires assignment of a team area label labels Aug 22, 2022
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Aug 22, 2022
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@mark-vieira
Copy link
Contributor

Closing as a duplicate of #85876.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>bug :Core/Infra/Settings Settings infrastructure and APIs Team:Core/Infra Meta label for core/infra team
Projects
None yet
Development

No branches or pull requests

4 participants