GoCD RPMs cannot be verified/installed with default RHEL 9 / CentOS Stream 9 configuration #10722

Open
chadlwilson opened this issue Aug 21, 2022 · 2 comments
Labels: bug, installers, no stalebot (Don't mark this stale.)


chadlwilson commented Aug 21, 2022

Issue Type
  • Bug Report
Summary

Currently it is not possible to install the GoCD RPMs on RHEL 9 and CentOS Stream 9 - and other derived distros such as Rocky, Alma, Fedora.

  • RHEL 9 ❌
  • CentOS Stream 9 ❌
  • Rocky Linux 9 ❌
  • AlmaLinux 9 ❌
  • Fedora 36 + 37 ✅

Fedora 39+ will break also according to their plans - it should be OK on Fedora 36-38 at the moment as they haven't yet changed policies to match the upstream RHEL/CentOS.

This appears to be because the GoCD GPG key includes at least one SHA-1 signature, which is deprecated on RHEL 9 and friends and removed from the default crypto policies.

We'd need to ensure all signatures are based on SHA256 digests to resolve this.

Environment

Tested with CentOS Stream 9

Steps to Reproduce
  1. `docker run -it quay.io/centos/centos:stream9`
  2. Follow instructions at https://docs.gocd.org/current/installation/install/server/linux.html#rpm-based-distributions-ie-redhatcentosfedora
  3. `curl https://download.gocd.org/gocd.repo -o /etc/yum.repos.d/gocd.repo`
  4. `dnf install -y go-agent`

    Importing GPG key 0x8816C449:
     Userid     : "ThoughtWorks GoCD (GoCD Code signing keys) <[email protected]>"
     Fingerprint: 3222 59C8 2D30 82B3 E32A EC2E D884 3F28 8816 C449
     From       : https://download.gocd.org/GOCD-GPG-KEY.asc
    warning: Signature not supported. Hash algorithm SHA1 not available.
    Key import failed (code 2). Failing package is: go-agent-22.2.0-14697.noarch
     GPG Keys are configured as: https://download.gocd.org/GOCD-GPG-KEY.asc

This is also the same error when trying to build GoCD itself during attempt to sign on CentOS Stream 9 (example here)

Expected Results

It should be possible to install GoCD on CentOS Stream 9 without weakening one's local policy.

Actual Results

    warning: Signature not supported. Hash algorithm SHA1 not available.
    Key import failed (code 2). Failing package is: go-agent-22.2.0-14697.noarch

Possible Fix

Based on some local wrangling, it's possible to edit the key and force it to remove SHA-1 signatures.

This guide was somewhat helpful; however, the defaults on Mac GPG Suite seemed to still include SHA-1, so I ran `setpref` manually in the below.

  1. Import the key (requires keyring and passphrase in `gpg-passphrase`): `gpg --quiet --batch --passphrase-file gpg-passphrase --output - gpg-keys.pem.gpg | gpg --import --batch --quiet`
  2. See the problem (algo 2 = SHA1): `gpg -a --export 322259C82D3082B3E32AEC2ED8843F288816C449 | gpg --list-packets | grep -B2 "digest algo 2"`

        :signature packet: algo 1, keyid D8843F288816C449
          version 4, created 1418667531, md5len 0, sigclass 0x13
          digest algo 2, begin of digest 24 5c

  3. Edit the key: `gpg --edit-key 322259C82D3082B3E32AEC2ED8843F288816C449`
  4. Set preferences to roughly the same as before, but removing SHA1: `setpref SHA512,SHA384,SHA256,SHA224,AES256,AES192,AES,CAST5,3DES,ZLIB,BZIP2,ZIP`
  5. `quit` and save the key.
  6. You can see it is gone now, as well as produce a diffable output, with `gpg -a --export 322259C82D3082B3E32AEC2ED8843F288816C449 | gpg --list-packets | grep -B2 "digest algo 2"`

Then

  1. Export the edited key's public element: `gpg --armor --output GPG-KEY-GOCD.pem.gpg --export 0xD8843F288816C449`
  2. Manually import the key: `rpm --import GOCD-GPG-KEY.pem.gpg`
  3. Try installing again: `dnf -y install go-agent` --> WORKS

We'd have to validate this doesn't cause weird regressions and then re-publish the key, including to download.gocd.org.

Workaround

Changing the crypto policies locally to explicitly allow SHA1 signatures inside keys will allow the old key to be imported and RPMs validated.

    sudo update-crypto-policies --set DEFAULT:SHA1

If using CentOS stream9-minimal:

    sudo microdnf -y install crypto-policies-scripts
    sudo update-crypto-policies --set DEFAULT:SHA1

    # Now add the key
    sudo curl https://download.gocd.org/gocd.repo -o /etc/yum.repos.d/gocd.repo
    #... etc other steps
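The check the comment above performs with `gpg --list-packets | grep -B2 "digest algo 2"`, both before and after the `setpref` edit, can also be done without GnuPG. The following is an added example (not GoCD's code and not from the issue author): a small OpenPGP packet walker that dearmors a public key block, steps through the RFC 4880 packets, and reports every signature packet whose digest algorithm the RHEL 9 DEFAULT policy refuses (SHA-1, and MD5 for completeness). The key it scans is constructed inline with nonsense key material; it is not the GoCD key, and the hash algorithm IDs (2 = SHA1, 8 = SHA256, 10 = SHA512) are the standard RFC 4880 registry values.

```python
"""Audit an OpenPGP public key block for SHA-1 (or MD5) signatures offline.

Added example, not GoCD's code: a stand-alone re-implementation of the
``gpg --list-packets | grep "digest algo 2"`` check, walking RFC 4880
packets directly so no GnuPG install is needed.
"""
import base64
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 s9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}        # digests the RHEL 9 DEFAULT policy refuses in signatures
SIGNATURE_TAG = 2           # RFC 4880 s5.2


def dearmor(armored):
    """Return raw packet bytes from an ASCII-armored block (RFC 4880 s6.2)."""
    data, in_data = [], False
    for line in armored.strip().splitlines():
        line = line.strip()
        if line.startswith("-----"):          # BEGIN / END lines
            continue
        if not in_data:
            if line == "":                    # blank line ends the armor headers
                in_data = True
                continue
            if ":" in line:                   # armor header such as "Version: ..."
                continue
            in_data = True                    # no headers at all: first data line
        if line.startswith("="):              # 24-bit CRC line, not needed here
            continue
        data.append(line)
    return base64.b64decode("".join(data))


def iter_packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                        # new format, RFC 4880 s4.2.2
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hlen = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body length not expected in a key")
        else:                                 # old format, RFC 4880 s4.2.1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not expected in a key")
            hlen = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hlen], "big")
        body = data[pos + hlen:pos + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hlen + length


def signature_hash(body):
    """Return (version, sigclass, hash algorithm id) for a signature packet body."""
    if body[0] == 3:      # v3: ver, 0x05, class, time(4), keyid(8), pk algo, hash algo
        return 3, body[2], body[16]
    return body[0], body[1], body[3]          # v4+: ver, class, pk algo, hash algo


def weak_signatures(armored):
    """List every signature in the key whose digest RHEL 9 DEFAULT will refuse."""
    findings = []
    for index, (tag, body) in enumerate(iter_packets(dearmor(armored))):
        if tag == SIGNATURE_TAG:
            version, sigclass, algo = signature_hash(body)
            if algo in WEAK_HASHES:
                findings.append({"packet": index, "version": version,
                                 "sigclass": "0x%02x" % sigclass,
                                 "digest": HASH_ALGOS.get(algo, str(algo))})
    return findings


def _packet(tag, body):
    """New-format packet with a one- or two-octet body length (sample builder)."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


def constructed_key(sig_hash_ids):
    """Constructed sample (not the real GoCD key): a v4 key with nonsense MPIs,
    one user ID, and one 0x13 self-signature per hash algorithm id given."""
    pubkey = _packet(6, b"\x04" + struct.pack(">I", 1418667531) + b"\x01"
                     + b"\x00\x08\xab" + b"\x00\x11\x01\x00\x01")
    userid = _packet(13, b"Constructed Key <constructed@example.invalid>")
    sigs = b"".join(_packet(2, b"\x04\x13\x01" + bytes([h]) + b"\x00\x00\x00\x00"
                            + b"\x24\x5c" + b"\x00\x08\xaa") for h in sig_hash_ids)
    b64 = base64.b64encode(pubkey + userid + sigs).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % body


if __name__ == "__main__":
    for f in weak_signatures(constructed_key([2, 8])):   # one SHA1 and one SHA256 self-sig
        print("packet %(packet)d: v%(version)d sig class %(sigclass)s uses %(digest)s" % f)
```

To audit a real key, pass the contents of the exported `.asc` file to `weak_signatures()`; an empty result means no signature packet in the key uses a digest the policy rejects. The walker deliberately refuses partial-body and indeterminate lengths, which do not occur in an exported key, so a parse error there points at a corrupted or non-key input rather than silently skipping packets.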
stale bot commented Nov 23, 2022

This issue has been automatically marked as stale because it has not had activity in the last 90 days.
If you can still reproduce this error on the master branch using local development environment or on the latest GoCD Release, please reply with all of the information you have about it in order to keep the issue open.
Thank you for all your contributions.

@stale stale bot added the stale label Nov 23, 2022
@chadlwilson chadlwilson added the no stalebot Don't mark this stale. label Nov 23, 2022
@stale stale bot removed the stale label Nov 23, 2022
