Packages signed with SHA-1 cannot be installed or upgraded on RHEL9 systems

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Any current pre-built rpm packages.

Describe the issue:
The rpm packages are signed with SHA-1, which is considered to be insecure and already not available by default on RHEL9 systems (like CentOS 9). This issue occurred while writing a puppet module for opensearch (GitHub - voxpupuli/puppet-opensearch: Puppet module to manage opensearch) and using the current repository.

Please switch to SHA-256 or SHA-512.

See also: Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9

Configuration:

Relevant Logs or Screenshots:

  Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install opensearch' returned 1: Importing GPG key 0x9310D3FC:
   Userid     : "OpenSearch project <opensearch@amazon.com>"
   Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
   From       : https://artifacts.opensearch.org/publickeys/opensearch.pgp
  Importing GPG key 0x9310D3FC:
   Userid     : "OpenSearch project <opensearch@amazon.com>"
   Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
   From       : https://artifacts.opensearch.org/publickeys/opensearch.pgp
  warning: Signature not supported. Hash algorithm SHA1 not available.
  Key import failed (code 2). Failing package is: opensearch-2.6.0-1.x86_64
   GPG Keys are configured as: https://artifacts.opensearch.org/publickeys/opensearch.pgp
  Error: GPG check FAILED
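The warning in the log is raised while importing the public key, because the key's own signature packets are SHA-1 based. As an added example (not from this thread or the OpenSearch project), here is a small OpenPGP packet walker that reports the hash algorithm of every signature packet in a binary key blob (for an armored file like opensearch.pgp, run `gpg --dearmor` first), so the SHA-1 dependence can be confirmed before pointing a RHEL 9 host at the repository; the sample bytes are constructed, not a real key, and for a built RPM `rpm -qp --qf '%{RSAHEADER:pgpsig}\n' pkg.rpm` prints the algorithm directly.

```python
"""Report the hash algorithm of every OpenPGP signature packet in a binary blob (a
dearmored public key such as opensearch.pgp, or a detached signature) and surface
SHA-1, which RHEL 9's DEFAULT crypto policy refuses at key import and rpm verify."""

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def iter_packets(data: bytes):
    """Yield (tag, body) per packet, handling old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not a binary OpenPGP packet (run gpg --dearmor first)")
        if ctb & 0x40:  # new format: tag in low 6 bits, then a variable-size length
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:           # old format: tag in bits 2-5, length-field size in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length

def signature_hash_algo(body: bytes) -> int:
    """Hash algorithm id of a v3 or v4 signature packet body (RFC 4880 5.2.2/5.2.3)."""
    if body[0] == 4:
        return body[3]   # version, sig type, pubkey algo, hash algo
    if body[0] == 3:
        return body[16]  # version, 0x05, sig type, time(4), key id(8), pk algo, hash
    raise ValueError(f"unsupported signature version {body[0]}")

def signature_hashes(data: bytes) -> list[str]:
    """Hash name per signature packet (tag 2: self-sigs, subkey bindings, detached sigs)."""
    return [HASH_NAMES.get(algo, f"algo-{algo}") for tag, body in iter_packets(data)
            if tag == 2 for algo in [signature_hash_algo(body)]]

# Constructed sample, not a real key: a dummy public-key packet (tag 6) followed by
# a new-format v4 RSA/SHA1 signature and an old-format v4 RSA/SHA256 signature.
SAMPLE = (bytes([0x99, 0x00, 0x03, 0x04, 0x00, 0x00]) + bytes([0xC2, 0x04, 0x04, 0x13, 0x01, 0x02])
          + bytes([0x88, 0x04, 0x04, 0x18, 0x01, 0x08]))  # signature_hashes -> ['SHA1', 'SHA256']
```

Any "SHA1" entry in the result is a signature that RHEL 9 will reject; a key re-signed with SHA-256 or SHA-512, as the original post requests, shows none.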

@davelago @peternied @scrawfor - can I get your eyes on this? Thank you.

@bbarani This looks related to artifact signing for RPM. I think you might better know who can engage on this.

Hello,

We are currently researching migrating the keys from sha-1 to sha-2.

Per our compatibility page, RHEL9 has not been officially supported yet, and the current keys should work as-is on supported operating systems.

We are currently testing backward compatibility of sha-1 → sha-2 signed artifacts on supported operating systems. Having said that, we are targeting the use of sha-2 starting with the OpenSearch 2.8.0 release at this point in time. You can track the status of this migration using this GitHub issue. Thanks.


Thanks for the information.
