Release packages for RHEL / CentOS 8 and 9

[proddata]

Problem Statement

Provide (yum/rpm) releases packages for RHEL and CentOS 8 and 9 (and other compatible Linux distributions)

Possible Solutions

No response

Considered Alternatives

No response

[amotl]

Hi.

I've just verified the situation on both CentOS Linux 8 and CentOS Stream 9 with our existing packages / package repository for CentOS 7.

Status

While running the canonical setup guidelines for Red Hat based systems ¹ seems to work successful on CentOS 8, importing the GPG key fails on CentOS 9.

Problem

On the most recent release of CentOS 9, it reports:

[root@racker-centos-9 /]# rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate: key 1 import failed.

On an earlier release, it just reported:

[root@racker-centos-9 /]# rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
error: https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate: key 1 import failed.

Workaround

While Red Hat Enterprise Linux 9 (RHEL 9) deprecated SHA-1 for signing for security reasons, it is still used by many for signing packages ².

A workaround exists to temporarily allow SHA1 for the purpose of installing the package ³.

update-crypto-policies --set DEFAULT:SHA1
# Run package installation procedure.
update-crypto-policies --set DEFAULT:NO-SHA1

However, this will not cover package upgrade situations, so one would have to leave SHA1 enabled.

$ yum update
warning: Signature not supported. Hash algorithm SHA1 not available.

With kind regards,
Andreas.

Footnotes

1. https://crate.io/docs/crate/tutorials/en/latest/self-hosted/red-hat.html ↩

2. https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9 ↩

3. https://github.com/k3s-io/k3s/issues/5588 ↩

[BaurzhanSakhariev]

Related: elastic/elasticsearch#85876 and gocd/gocd#10722 (both applying same workaround)

[seut]

We've changed our signing key to support (and prefer) the SHA512 algorithm using the great example at https://github.com/chrisberkhout/sha1-key-fix/blob/master/SHA1KeyFix.ipynb.
The public key at https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate was updated also, so installations on RHEL 8/9 should work now.

[amotl]

Excellent. Thank you very much.

[matriv]

For future reference:
We tested and verified that:

• with the updated key, .rpm and .deb users with the old public key can install new packages, signed with the updated private key.
• .rpm and .deb new users, who download the new public key can also install old packages, signed with the old private key.