Participants
Adrian Klaver
Adrian Klaver
Hans Schou
Hans Schou
Attachments
Show all attachments
Thread Outline
#1Hans SchouHans Schou
Jun 12, 2024
#2Adrian KlaverAdrian Klaverto Hans Schou (#1)
Jun 12, 2024
#3Adrian KlaverAdrian Klaverto Hans Schou (#1)
Jun 13, 2024

Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

Started by Hans Schoualmost 2 years ago3 messagesgeneral
Jump to latest
#1Hans Schou
Hans Schou
hans.schou@gmail.com

Hi

On my test server I have Oracle Linux 8.10 installed.
Here I have installed postgresql 16.1 from postgresql.org repository.

Upgrade to Oracle Linux 9:
When doing a »leapp preupgrade --oraclelinux« I get the message below.

I want to have postgresql.org as my repo for PostgreSQL and Oracle Linux
for the rest. But it fails due to this SHA1 signature.

As Oracle Linux 8 since April 2024 now have PostgreSQL 16.1 in the repo I
could just disable the pg-repo and use the ol-repo. But is this the
recommended way to do it?

Output from /var/log/leapp/leapp-report.txt

Risk Factor: high (inhibitor)
Title: Detected RPMs with RSA/SHA1 signature
Summary: Digital signatures using SHA-1 hash algorithm are no longer
considered secure and are not allowed to be used on OL 9 systems by
default. This causes issues when using DNF/RPM to handle packages with
RSA/SHA1 signatures as the signature cannot be checked with the default
cryptographic policy. Any such packages cannot be installed, removed, or
replaced unless the signature check is disabled in dnf/rpm or SHA-1 is
enabled using non-default crypto-policies. For more information see the
following documents:
- Major changes in OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
- Security Considerations in adopting OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
The list of problematic packages:
- libpq5 (DSA/SHA1, Fri 15 Sep 2023 12:11:13 PM CEST, Key ID
1f16d2e1442df0f8)
- postgresql16 (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID
1f16d2e1442df0f8)
- pgdg-redhat-repo (DSA/SHA1, Thu 14 Sep 2023 02:41:37 PM CEST, Key ID
1f16d2e1442df0f8)
- postgresql16-libs (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID
1f16d2e1442df0f8)
- postgresql16-contrib (DSA/SHA1, Mon 20 Nov 2023 10:56:23 AM CET, Key
ID 1f16d2e1442df0f8)
- postgresql16-server (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key
ID 1f16d2e1442df0f8)
Related links:
- Major changes in OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
- Security Considerations in adopting OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
Remediation: [hint] It is recommended that you contact your package vendor
and ask them for new builds signed with supported signatures and install
the new packages before the upgrade. If this is not possible you may
instead remove the incompatible packages.
Key: f16f40f49c2329a2691c0801b94d31b6b3d4f876

--
𝕳𝖆𝖓𝖘 𝕾𝖈𝖍𝖔𝖚
☏ ➁➁ ➅➃ ➇⓪ ➁⓪

#2Adrian Klaver
Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Hans Schou (#1)
Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

On 6/12/24 02:54, Hans Schou wrote:

Hi

On my test server I have Oracle Linux 8.10 installed.
Here I have installed postgresql 16.1 from postgresql.org
<http://postgresql.org&gt; repository.

Upgrade to Oracle Linux 9:
When doing a »leapp preupgrade --oraclelinux« I get the message below.

I want to have postgresql.org <http://postgresql.org&gt; as my repo for
PostgreSQL and Oracle Linux for the rest. But it fails due to this SHA1
signature.

As Oracle Linux 8 since April 2024 now have PostgreSQL 16.1 in the repo
I could just disable the pg-repo and use the ol-repo. But is this the
recommended way to do it?

Take a look at:

https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/

Also the contact info for the RH packagers:

https://yum.postgresql.org/contact/

--
Adrian Klaver
adrian.klaver@aklaver.com

#3Adrian Klaver
Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Hans Schou (#1)
Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

On 6/13/24 06:55, Hans Schou wrote:

Reply to list also.
Ccing list

On Wed, Jun 12, 2024 at 4:34 PM Adrian Klaver <adrian.klaver@aklaver.com
<mailto:adrian.klaver@aklaver.com>> wrote:

Take a look at:
https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/
<https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/&gt;

Thanks. That was sorting it out.

In /var/log/leapp/leapp-report.txt I get »Packages not signed by Oracle
found on the system« but that is of course expected.

If anyone interested, I did:

dnf --disablerepo=* -y install
https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm <https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm&gt;

Then the repo was disabled and gpgkey changed, add new gpgkey in the
section:
/etc/yum.repos.d/pgdg-redhat-all.repo
[pgdg16]
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/PGDG-RPM-GPG-KEY-RHEL

and then I could run »leapp preupgrade --oraclelinux« and fix the other
errors.

--
𝕳𝖆𝖓𝖘 𝕾𝖈𝖍𝖔𝖚
☏ ➁➁ ➅➃ ➇⓪ ➁⓪

--
Adrian Klaver
adrian.klaver@aklaver.com

Import Notes
Reply to msg id not found: CAApBw35-Mab3VaoAARjU+KVJXCOnwqvExiG-bs-OrpRgCdayqw@mail.gmail.com
← Back to Topics