Currently it is not possible to install the GoCD RPMs on RHEL 9 and CentOS Stream 9, and other derived repos such as Rocky, Alma and Fedora.

- RHEL 9 ❌
- CentOS Stream 9 ❌
- Rocky Linux 9 ❌
- AlmaLinux 9 ❌
- Fedora 36 + 37 ✅

Fedora 39+ will break also according to their plans; it should be OK on Fedora 36-38 at the moment as they haven't yet changed policies to match the upstream RHEL/CentOS.

This appears to be because the GoCD GPG key includes at least one SHA-1 signature. SHA-1 signatures are deprecated on RHEL 9 and friends and removed in the default crypto policies. We'd need to ensure all signatures are based on SHA256 digests to resolve this.

This is also the same error when trying to build GoCD itself during an attempt to sign on CentOS Stream 9 (example here).
### Expected Results

It should be possible to install GoCD on CentOS Stream 9 without weakening one's local policy.

### Actual Results

```
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: go-agent-22.2.0-14697.noarch
```
### Possible Fix

Based on some local wrangling, it's possible to edit the key and force it to remove SHA-1 signatures.

This guide was somewhat helpful; however, the defaults on Mac gpg-suite seemed to still include SHA-1, so I ran `setpref` manually in the steps below.

1. Import the key (requires the keyring and passphrase in `gpg-passphrase`):
   ```sh
   gpg --quiet --batch --passphrase-file gpg-passphrase --output - gpg-keys.pem.gpg | gpg --import --batch --quiet
   ```
2. See the problem (digest algo 2 = SHA1):
   ```sh
   gpg -a --export 322259C82D3082B3E32AEC2ED8843F288816C449 | gpg --list-packets | grep -B2 "digest algo 2"
   ```
   ```
   :signature packet: algo 1, keyid D8843F288816C449
           version 4, created 1418667531, md5len 0, sigclass 0x13
           digest algo 2, begin of digest 24 5c
   ```
3. Edit the key:
   ```sh
   gpg --edit-key 322259C82D3082B3E32AEC2ED8843F288816C449
   ```
4. Set the preferences to roughly the same as before, but removing SHA1:
   ```
   setpref SHA512,SHA384,SHA256,SHA224,AES256,AES192,AES,CAST5,3DES,ZLIB,BZIP2,ZIP
   ```
5. `quit` and save the key.
6. You can see it is gone now, as well as produce a diffable output, with:
   ```sh
   gpg -a --export 322259C82D3082B3E32AEC2ED8843F288816C449 | gpg --list-packets | grep -B2 "digest algo 2"
   ```

Then:

7. Export the edited key's public element:
   ```sh
   gpg --armor --output GPG-KEY-GOCD.pem.gpg --export 0xD8843F288816C449
   ```
8. Manually import the key (same file name as exported in the previous step):
   ```sh
   rpm --import GPG-KEY-GOCD.pem.gpg
   ```
9. Try installing again:
   ```sh
   dnf -y install go-agent
   ```
   --> WORKS

We'd have to validate this doesn't cause weird regressions and then re-publish the key, including to download.gocd.org.
### Workaround

Changing the crypto policies locally to explicitly allow SHA1 signatures inside keys will allow the old key to be imported and RPMs validated:

```sh
sudo update-crypto-policies --set DEFAULT:SHA1
```

If using CentOS stream9-minimal:

```sh
sudo microdnf -y install crypto-policies-scripts
sudo update-crypto-policies --set DEFAULT:SHA1
# Now add the key
sudo curl https://download.gocd.org/gocd.repo -o /etc/yum.repos.d/gocd.repo
# ... etc other steps
```
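The check that the `gpg --list-packets | grep "digest algo 2"` pipeline above performs by hand, as an added example that is not part of this issue or of GoCD: a dependency-free Python scanner that de-armors an OpenPGP public key, walks its packets (old- and new-format headers, including partial body lengths) and reports every signature packet whose digest algorithm is MD5 or SHA-1, which is what `rpm --import` rejects under RHEL 9's `DEFAULT` crypto policy. Because it needs no `gpg` binary it can sit in CI as a gate before a re-published key is uploaded. The key block it scans is constructed for the example (the real GoCD key is not embedded); `dearmor`, `iter_packets`, `signature_hash_algo` and `find_weak_signatures` are names chosen here, not an existing library API.

```python
"""Scan an ASCII-armored OpenPGP public key for MD5/SHA-1 signature packets.

Added example, not GoCD project code. The sample key at the bottom is
constructed for the example and contains no real signatures.
"""
from __future__ import annotations

import base64
import struct

# Hash algorithm identifiers from RFC 4880 / RFC 9580.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512"}
SIGNATURE_TAG = 2
WEAK_HASHES = {1, 2}  # MD5 and SHA-1: both refused by RHEL 9's DEFAULT policy


def dearmor(armored: str) -> bytes:
    """Return the binary packet stream inside a PGP armor block."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    idx = 0
    while idx < len(body) and ":" in body[idx]:  # optional armor headers ("Comment: ...")
        idx += 1
    # Skip blank lines and the optional "=XXXX" CRC24 line, then base64-decode the rest.
    data = "".join(ln.strip() for ln in body[idx:] if ln.strip() and not ln.startswith("="))
    return base64.b64decode(data, validate=True)


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-length body length
            tag = ctb & 0x3F
            body = b""
            while True:
                first = data[pos]
                pos += 1
                partial = False
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:
                    length = struct.unpack(">I", data[pos:pos + 4])[0]
                    pos += 4
                else:  # partial body length: 2**(first & 0x1F), more chunks follow
                    length, partial = 1 << (first & 0x1F), True
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
        else:  # old-format header: tag in bits 2-5, length-type in low 2 bits
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of input
                body, pos = data[pos:], len(data)
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
                body = data[pos:pos + length]
                pos += length
        yield tag, body


def signature_hash_algo(body: bytes) -> tuple[int, int, int]:
    """Return (version, signature class, hash algorithm id) for a signature packet body."""
    version = body[0]
    if version == 3:
        # v3: version, 0x05, sigclass, 4-byte time, 8-byte key id, pk algo, hash algo
        if body[1] != 5:
            raise ValueError("malformed v3 signature packet")
        return 3, body[2], body[16]
    if version in (4, 5, 6):
        # v4 and later: version, sigclass, pk algo, hash algo, subpackets...
        return version, body[1], body[3]
    raise ValueError(f"unsupported signature version {version}")


def find_weak_signatures(armored: str) -> list[dict]:
    """List every signature packet in the key that uses MD5 or SHA-1 as its digest."""
    findings = []
    for index, (tag, body) in enumerate(iter_packets(dearmor(armored))):
        if tag != SIGNATURE_TAG:
            continue
        version, sigclass, algo = signature_hash_algo(body)
        if algo in WEAK_HASHES:
            findings.append({"packet": index, "version": version,
                             "sigclass": f"0x{sigclass:02x}",
                             "digest": HASH_ALGOS.get(algo, str(algo))})
    return findings


# --- constructed sample key (not a real key; MPIs are 1-bit placeholders) ---
def _new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body          # new-format, body < 192 bytes

def _v4_signature(sigclass: int, hash_algo: int) -> bytes:
    # version, sigclass, RSA (1), hash algo, empty hashed+unhashed subpacket areas, left16, MPI
    return bytes([4, sigclass, 1, hash_algo]) + b"\x00\x00\x00\x00" + b"\x24\x5c" + b"\x00\x01\x01"

def _v3_signature(sigclass: int, hash_algo: int) -> bytes:
    return bytes([3, 5, sigclass]) + b"\x54\x8e\x01\x0b" + bytes(8) + bytes([1, hash_algo]) + b"\x24\x5c" + b"\x00\x01\x01"

def build_sample_key() -> str:
    pubkey = bytes([4]) + b"\x54\x8e\x01\x0b" + bytes([1]) + b"\x00\x01\x01" + b"\x00\x01\x01"
    packets = (
        bytes([0x98, len(pubkey)]) + pubkey                       # old-format header, tag 6
        + _new_packet(13, b"Example Signer <example@example.invalid>")
        + _new_packet(2, _v4_signature(0x13, 2))                  # SHA-1 self-certification: the problem
        + _new_packet(2, _v4_signature(0x13, 8))                  # SHA-256 self-certification: fine
        + _new_packet(2, _v3_signature(0x10, 2))                  # legacy v3 SHA-1 certification
    )
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed example key", ""]
                     + lines + ["-----END PGP PUBLIC KEY BLOCK-----"])

SAMPLE_KEY = build_sample_key()

if __name__ == "__main__":
    for f in find_weak_signatures(SAMPLE_KEY):
        print(f"packet {f['packet']}: v{f['version']} sigclass {f['sigclass']} uses {f['digest']}")
```

On a real key, `find_weak_signatures(open("GPG-KEY-GOCD.pem.gpg").read())` returning an empty list is the condition to gate on before re-publishing. The scanner only reads the digest-algorithm byte of each signature packet; it does not verify the signatures themselves, so it complements rather than replaces `gpg --check-sigs` on the edited key.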
This issue has been automatically marked as stale because it has not had activity in the last 90 days.
If you can still reproduce this error on the master branch using local development environment or on the latest GoCD Release, please reply with all of the information you have about it in order to keep the issue open.
Thank you for all your contributions.
### Environment

Tested with CentOS Stream 9.

### Steps to Reproduce

```sh
docker run -it quay.io/centos/centos:stream9
curl https://download.gocd.org/gocd.repo -o /etc/yum.repos.d/gocd.repo
dnf install -y go-agent
```