RPM-GPG-KEY-foreman from 2014 - SHA1 hash deprecated?

swefredde · May 15, 2024, 2:20pm

Hi,

I’m trying to setup openscap on my newly provisioned CentOS8- and 9 servers but ran into this error when trying to run the ansible role “theforeman.foreman_scap_client” from my foreman server (version 3.9.1). Is this a known problem that I can easily fix? Package I want to install (rubygem-foreman_scap_client-0.5.2) is from Foreman-client-EL9 repo (Index of /client/3.9/el9/x86_64) that is using the RPM-GPG-KEY-foreman. According to this link that key is from 2014. Maybe it’s to weak for todays security-policies?

https://yum.theforeman.org/

[root@carl-conch rpm-gpg]# cat /etc/redhat-release
CentOS Stream release 9
[root@carl-conch rpm-gpg]# LANG=C rpm --import RPM-GPG-KEY-foreman
warning: Signature not supported. Hash algorithm SHA1 not available.
error: RPM-GPG-KEY-foreman: key 1 import failed.

Regards,
/Fredrik

evgeni · May 15, 2024, 3:13pm

We probably should delete that file in there. It’s unused.

The page also reads:
Release packages are signed with a new key for each major release. The public key is available in the RPM-GPG-KEY-foreman file within each version directory or the foreman-release RPMs.

have you tried those?

swefredde · May 15, 2024, 3:22pm

That did the trick. I actually think I had tried those before because I remember setting this up some year or two back. Maybe that’s why I read docs a little sloppy.

Thanks