gschueler changed the title from "Please do not use SHA-1 when signing RPMs" to "RUN-1688: Please do not use SHA-1 when signing RPMs" on Oct 9, 2023
The key itself (found here? https://raw.githubusercontent.com/rundeck/packaging/main/pubring.gpg) seems to be 4096-bit RSA, using a SHA-512 digest, but the RPMs signed by it still use SHA-1 for the signature (which I think is the default on RHEL 7).
The problem is that SHA-1 is considered weak and is disabled by default in RHEL9.
Example:

```
# rpm -qi -p rundeck-cli-2.0.4-1.noarch.rpm
warning: rundeck-cli-2.0.4-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID e5d5a125: NOKEY
Name        : rundeck-cli
Epoch       : 0
Version     : 2.0.4
Release     : 1
...
Signature   : RSA/SHA1, Fri 03 Feb 2023 06:13:49 PM MET, Key ID d1d32028e5d5a125
...
```
One possible solution would be explicitly requesting a stronger digest algorithm for the signature (e.g. by adding `--digest-algo sha512` to the `%__gpg_sign_cmd` in the `.rpmmacros` configuration file), but this depends on the release pipeline.
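As an added example (not code from the rundeck project or the issue author), the following POSIX shell script does two things the report discusses: it parses `rpm -qi -p` output like the one quoted above and rejects packages whose signature was made with a weak digest, and it prints a `.rpmmacros` fragment whose `%__gpg_sign_cmd` passes `--digest-algo sha512` explicitly. The sample query outputs are constructed from the issue text; the gpg options surrounding `--digest-algo` in the macro, the `%_gpg_name` value, the choice of MD5 and SHA1 as the "weak" set, and all function names are illustrative assumptions rather than anything the issue or rpm documents.

```shell
#!/bin/sh
# Added example, not code from the rundeck project or the issue author.
#   1. Inspect `rpm -qi -p <pkg>` output and flag signatures made with a weak
#      digest (RSA/SHA1 in the issue), which rpm on RHEL 9 rejects by default.
#   2. Emit a ~/.rpmmacros fragment whose %__gpg_sign_cmd pins --digest-algo sha512.
# All sample text is constructed from the issue; no rpm binary is needed to run it.

# Digests treated as unacceptable for RPM signatures (assumption: MD5 and SHA1).
WEAK_DIGESTS="MD5 SHA1"

# Print the digest named on the "Signature :" line of the rpm -qi output in $1,
# e.g. "RSA/SHA1, Fri 03 ..." -> "SHA1". Prints NONE when the package is unsigned
# (rpm shows "Signature : (none)" in that case).
rpm_sig_digest() {
    d=$(printf '%s\n' "$1" |
        sed -n 's#^Signature[[:space:]]*:[[:space:]]*[A-Za-z0-9]*/\([A-Za-z0-9]*\),.*#\1#p')
    if [ -n "$d" ]; then
        printf '%s\n' "$d"
    else
        printf 'NONE\n'
    fi
}

# Return 0 if $1 is one of WEAK_DIGESTS, 1 otherwise.
is_weak_digest() {
    for w in $WEAK_DIGESTS; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# Verdict for one package: prints "ok <digest>" and returns 0, or prints
# "reject <reason>" and returns 1 for an unsigned package or a weak digest.
check_rpm_signature() {
    d=$(rpm_sig_digest "$1")
    if [ "$d" = NONE ]; then
        printf 'reject unsigned\n'
        return 1
    fi
    if is_weak_digest "$d"; then
        printf 'reject weak digest %s\n' "$d"
        return 1
    fi
    printf 'ok %s\n' "$d"
}

# ~/.rpmmacros fragment that forces SHA-512 for the signature. The gpg arguments
# around --digest-algo are illustrative (assumption: the stock %__gpg_sign_cmd
# differs between rpm versions); the point is the explicit --digest-algo sha512.
# %_gpg_name is the key ID from the issue's rpm output, used here as a placeholder.
hardened_rpmmacros() {
    cat <<'EOF'
%_signature gpg
%_gpg_name D1D32028E5D5A125
%__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --no-secmem-warning --digest-algo sha512 -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
EOF
}

# Return 0 if the macros text in $1 pins a SHA-2 digest on %__gpg_sign_cmd.
macros_pin_strong_digest() {
    printf '%s\n' "$1" |
        grep -Eq '^%__gpg_sign_cmd.*--digest-algo[ =]sha(256|384|512)'
}

# Constructed sample: the rpm -qi -p output quoted in the issue (abridged).
SAMPLE_SHA1='Name        : rundeck-cli
Epoch       : 0
Version     : 2.0.4
Release     : 1
Signature   : RSA/SHA1, Fri 03 Feb 2023 06:13:49 PM MET, Key ID d1d32028e5d5a125'

# Constructed, hypothetical sample of the same header after re-signing with SHA-512.
SAMPLE_SHA512='Name        : rundeck-cli
Version     : 2.0.4
Signature   : RSA/SHA512, Fri 03 Feb 2023 06:13:49 PM MET, Key ID d1d32028e5d5a125'

# Constructed sample of an unsigned package.
SAMPLE_UNSIGNED='Name        : rundeck-cli
Signature   : (none)'

main() {
    for s in "$SAMPLE_SHA1" "$SAMPLE_SHA512" "$SAMPLE_UNSIGNED"; do
        check_rpm_signature "$s" || true
    done
    # On a real host, feed the query output directly (stderr carries the NOKEY warning):
    #   check_rpm_signature "$(rpm -qi -p rundeck-cli-2.0.4-1.noarch.rpm 2>/dev/null)"
    hardened_rpmmacros
}
main
```

The digest check only reads the header summary that `rpm -qi` prints; it does not verify the signature itself, so it complements rather than replaces `rpm --checksig` on the consuming host. Running it in the release pipeline after signing catches a regression to SHA-1 before a package is published, which is the failure mode the issue describes.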