Discussion: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature


Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

From
Hans Schou
Date:
Hi

On my test server I have Oracle Linux 8.10 installed.
Here I have installed postgresql 16.1 from postgresql.org repository.

Upgrade to Oracle Linux 9:
When doing a »leapp preupgrade --oraclelinux« I get the message below.

I want to have postgresql.org as my repo for PostgreSQL and Oracle Linux for the rest. But it fails due to this SHA1 signature.

As Oracle Linux 8 has had PostgreSQL 16.1 in its repo since April 2024, I could just disable the pg-repo and use the ol-repo. But is this the recommended way to do it?


Output from /var/log/leapp/leapp-report.txt

Risk Factor: high (inhibitor)
Title: Detected RPMs with RSA/SHA1 signature
Summary: Digital signatures using SHA-1 hash algorithm are no longer considered secure and are not allowed to be used on OL 9 systems by default. This causes issues when using DNF/RPM to handle packages with RSA/SHA1 signatures as the signature cannot be checked with the default cryptographic policy. Any such packages cannot be installed, removed, or replaced unless the signature check is disabled in dnf/rpm or SHA-1 is enabled using non-default crypto-policies. For more information see the following documents:
  - Major changes in OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
  - Security Considerations in adopting OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
 The list of problematic packages:
    - libpq5 (DSA/SHA1, Fri 15 Sep 2023 12:11:13 PM CEST, Key ID 1f16d2e1442df0f8)
    - postgresql16 (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
    - pgdg-redhat-repo (DSA/SHA1, Thu 14 Sep 2023 02:41:37 PM CEST, Key ID 1f16d2e1442df0f8)
    - postgresql16-libs (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
    - postgresql16-contrib (DSA/SHA1, Mon 20 Nov 2023 10:56:23 AM CET, Key ID 1f16d2e1442df0f8)
    - postgresql16-server (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
Related links:
    - Major changes in OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
    - Security Considerations in adopting OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
Remediation: [hint] It is recommended that you contact your package vendor and ask them for new builds signed with supported signatures and install the new packages before the upgrade. If this is not possible you may instead remove the incompatible packages.
Key: f16f40f49c2329a2691c0801b94d31b6b3d4f876

--
𝕳𝖆𝖓𝖘 𝕾𝖈𝖍𝖔𝖚
☏ ➁➁ ➅➃ ➇⓪ ➁⓪

Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

From
Adrian Klaver
Date:
On 6/12/24 02:54, Hans Schou wrote:
> Hi
> 
> On my test server I have Oracle Linux 8.10 installed.
> Here I have installed postgresql 16.1 from postgresql.org repository.
> 
> Upgrade to Oracle Linux 9:
> When doing a »leapp preupgrade --oraclelinux« I get the message below.
> 
> I want to have postgresql.org as my repo for 
> PostgreSQL and Oracle Linux for the rest. But it fails due to this SHA1 
> signature.
> 
> As Oracle Linux 8 has had PostgreSQL 16.1 in its repo since April 2024, 
> I could just disable the pg-repo and use the ol-repo. But is this the 
> recommended way to do it?
>

Take a look at:

https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/

Also the contact info for the RH packagers:

https://yum.postgresql.org/contact/

-- 
Adrian Klaver
adrian.klaver@aklaver.com




Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature

From
Adrian Klaver
Date:
On 6/13/24 06:55, Hans Schou wrote:

Reply to list also.
Ccing list

> 
> 
> On Wed, Jun 12, 2024 at 4:34 PM Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> 
> 
>     Take a look at:
>     https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/
> 
> 
> Thanks. That sorted it out.
> 
> In /var/log/leapp/leapp-report.txt I get »Packages not signed by Oracle 
> found on the system« but that is of course expected.
> 
> If anyone interested, I did:
> 
> dnf --disablerepo='*' -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
> 
> Then the repo was disabled and the gpgkey changed; add the new gpgkey in the 
> section:
> /etc/yum.repos.d/pgdg-redhat-all.repo
> [pgdg16]
> enabled=1
> gpgkey=file:///etc/pki/rpm-gpg/PGDG-RPM-GPG-KEY-RHEL
> 
> and then I could run »leapp preupgrade --oraclelinux« and fix the other 
> errors.
> 
> -- 
> 𝕳𝖆𝖓𝖘 𝕾𝖈𝖍𝖔𝖚
> ☏ ➁➁ ➅➃ ➇⓪ ➁⓪

-- 
Adrian Klaver
adrian.klaver@aklaver.com
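As an added example (not code from the thread, from Oracle's leapp actor, or from the PGDG packagers), the script below reproduces the check leapp reports as an inhibitor and gives a way to verify the fix before re-running `leapp preupgrade`. It queries each installed package's signature fields through rpm's standard `SIGPGP`, `SIGGPG`, `RSAHEADER` and `DSAHEADER` tags with the `:pgpsig` formatter, which prints strings of the form shown in the report ("DSA/SHA1, <date>, Key ID <id>", or "(none)" when the tag is absent), and prints every package whose digest is SHA1. The parsing is in a function that reads from stdin, so the script runs offline against a constructed sample; `scan_installed` runs the same query on the live rpm database, `check_rpm_file` shows which algorithm signed a downloaded .rpm, and `list_imported_keys` shows which GPG keys rpm currently trusts. In the sample, the PGDG packages and key ID are the ones from the leapp report above; the "bash" entry and its key ID are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: find installed RPMs whose
# signature digest is SHA1 (leapp's "Detected RPMs with RSA/SHA1 signature"
# inhibitor) and verify replacement packages before re-running leapp.

# find_sha1_sigs: read "NAME|sig|sig|sig|sig" lines (the output of the rpm
# query in scan_installed) on stdin and print "NAME: <signature>" for each
# package whose signature field names SHA1 as the digest. A package may
# carry more than one signature tag; the first SHA1 one is reported.
find_sha1_sigs() {
    awk -F'|' '{
        for (i = 2; i <= NF; i++) {
            if (index($i, "/SHA1,") > 0) {
                print $1 ": " $i
                break
            }
        }
    }'
}

# scan_installed: the same query over the live rpm database. The :pgpsig
# formatter prints e.g. "DSA/SHA1, <date>, Key ID <keyid>", or "(none)"
# when a package has no signature of that type.
scan_installed() {
    rpm -qa --qf '%{NAME}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n' \
        | find_sha1_sigs
}

# check_rpm_file: after fetching a rebuilt package, confirm which algorithm
# signed it (rpm -Kv reports lines such as "Header V4 RSA/SHA256 Signature").
check_rpm_file() {
    rpm -Kv "$1"
}

# list_imported_keys: the GPG public keys rpm trusts, to confirm the new
# PGDG key was imported after changing gpgkey= in the repo file.
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# Constructed sample of the rpm query output. The PGDG packages and key ID
# 1f16d2e1442df0f8 come from the leapp report in the thread; "bash" and its
# key ID are made up to show a package that passes the check.
SAMPLE='postgresql16-server|(none)|(none)|(none)|DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8
bash|(none)|(none)|RSA/SHA256, Tue 01 Aug 2023 10:00:00 AM CEST, Key ID 0123456789abcdef|(none)
libpq5|(none)|(none)|(none)|DSA/SHA1, Fri 15 Sep 2023 12:11:13 PM CEST, Key ID 1f16d2e1442df0f8'

# Run against the sample by default; pass --live to query the real system.
if [ "${1:-}" = "--live" ]; then
    scan_installed
else
    printf '%s\n' "$SAMPLE" | find_sha1_sigs
fi
```

Run it with `--live` on the OL8 host before the upgrade to get the same package list leapp prints, then again after reinstalling the PGDG packages from the repo that uses the updated key: an empty result means the inhibitor will no longer trigger. `check_rpm_file` on a freshly downloaded package tells you in advance whether the vendor's rebuild is signed with SHA256 rather than SHA1.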