RHEL 9 repo packages are signed with SHA-1 which is disabled in RHEL 9
Describe the bug
SHA-1 has been disabled by default in RHEL 9 due to insecurity, see: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
Thruk Version
n/a
To Reproduce
Steps to reproduce the behavior:
- Enable ConSol RHEL 9 stable repo on an RHEL 9 system
- Attempt to install thruk
Expected behavior
Packages should install.
Actual behavior
Packages are not installed.
warning: Signature not supported. Hash algorithm SHA1 not available.
Error: GPG check FAILED
Desktop (please complete the following information): n/a
Does this look similar in your setup:
%> rpm -Kv libthruk-3.00-0.rhel9.x86_64.rpm
libthruk-3.00-0.rhel9.x86_64.rpm:
Header V4 RSA/SHA512 Signature, key ID a57b9ed7: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
%> sha256sum libthruk-3.00-0.rhel9.x86_64.rpm
bb3686848010ee2a86a9d858db053a658290fe86fe6996e50dddab5944a7cd07 libthruk-3.00-0.rhel9.x86_64.rpm
Looks like there is a SHA512 signature.
I don't have any RHEL 9 available; it works fine on Rocky 9 and Alma 9. Is this a Red Hat thing?
Interesting. Just tested on a standalone system using the repo directly and that worked fine. In the original example the repository is mirrored using Foreman/Satellite and a client of that is trying to install thruk, and failing.
I switched over to the openSUSE Build Service repo and that worked fine using Foreman/Satellite.
Using the repo directly:
- ConSol labs repo: works
- openSUSE Build Service: works
Using the repo from a Foreman mirror:
- ConSol labs repo: fails
- openSUSE Build Service: works
I'll test this more at work next week.
Update: I think in my previous test I used the stock yum.repo file from the repo RPM, which has gpgcheck=0, and that's why it worked.
I just tested again with gpgcheck=1 and it fails both directly from labs.consol.de and when mirrored in Foreman.
It looks like the GPG key needs to be re-signed with a SHA512 self-signature. The GPG key itself is signed using SHA1:
root@hostname:/etc/yum.repos.d# curl -O http://labs.consol.de/repo/stable/RPM-GPG-KEY
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1029 100 1029 0 0 8039 0 --:--:-- --:--:-- --:--:-- 8039
root@hostname:/etc/yum.repos.d# rpm --import RPM-GPG-KEY
warning: Signature not supported. Hash algorithm SHA1 not available.
error: RPM-GPG-KEY: key 1 import failed.
I changed the rhel9 repository to an rsa4096 key, which should be sufficient for rhel9. Starting with the testing repository if you want to give it a try.
What do you mean with rsa4096 key?
The key signing algorithm is still SHA-1:
labs_consol_testing
6.1 kB/s | 1.0 kB 00:00
Importing GPG key 0xA57B9ED7:
Userid : "Sven Nierlein <[email protected]>"
Fingerprint: F2F9 7737 B59A CCC9 2C23 F8C7 F8C1 CA08 A57B 9ED7
From : https://labs.consol.de/repo/testing/RPM-GPG-KEY
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: libthruk-3.20-0.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-3.21.20250327-13899.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-3.21.20250327-13899.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-base-3.21.20250327-13899.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-base-3.21.20250327-13899.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-plugin-reporting-3.21.20250327-13899.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-plugin-reporting-3.21.20250327-13899.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[root@manage yum.repos.d]#
AFAIK the key is still using SHA-1 as a signing algorithm even though the modulus is 4096-bit RSA.
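The distinction drawn above (a 4096-bit RSA modulus versus a SHA-1 self-signature on the key) can be checked before a key is handed to `rpm --import`. The following script is an added example for this thread, not ConSol/Thruk tooling: it walks the OpenPGP packets of an ASCII-armored key (minimal RFC 4880 framing, no signature verification), reports the primary key algorithm and size, and lists the hash algorithm of every signature packet, since a SHA-1 or MD5 self-signature is exactly what RHEL 9's DEFAULT crypto policy refuses. The two sample keys are constructed inside the script (synthetic, non-verifiable packets); the user ID and all names are placeholders.

```python
"""Pre-flight audit of an RPM repository GPG key before `rpm --import` on RHEL 9.

Added example, not ConSol/Thruk tooling. Minimal RFC 4880 packet walker: it does
NOT verify signatures, it only reports the primary key size and the hash algorithm
each signature packet uses (self-certifications included).
"""
import base64

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_HASHES = {1, 2}   # MD5 and SHA1: refused by the RHEL 9 DEFAULT crypto policy


def dearmor(text):
    """Return the raw packet bytes of an ASCII-armored key (CRC24 line ignored)."""
    body, in_body = [], False
    for line in text.strip().splitlines():
        if line.startswith("-----BEGIN"):
            in_body = True
        elif line.startswith("-----END"):
            break
        elif in_body and line.strip() and ":" not in line and not line.startswith("="):
            body.append(line.strip())      # skips armor headers, blank separator and CRC
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) for every packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        yield tag, data[pos:pos + length]
        pos += length


def audit_key(armored):
    """Summarise key size and signature hashes; ok_on_rhel9 is False if any hash is weak."""
    report = {"key": None, "signatures": [], "weak": []}
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:                    # v4 primary public key packet
            algo = body[5]                               # after version + 4-byte creation time
            bits = int.from_bytes(body[6:8], "big")      # bit length of the first MPI (RSA n)
            report["key"] = "%s%d" % (PUBKEY_ALGOS.get(algo, "algo%d" % algo), bits)
        elif tag == 2 and body[0] == 4:                  # v4 signature: type, pubkey algo, hash
            sig_type, hash_algo = body[1], body[3]
            name = HASH_ALGOS.get(hash_algo, "hash%d" % hash_algo)
            report["signatures"].append((sig_type, name))
            if hash_algo in WEAK_HASHES:
                report["weak"].append(name)
    report["ok_on_rhel9"] = not report["weak"]
    return report


# ---- constructed sample keys (synthetic, not verifiable; demonstration only) ----

def _mpi(value):
    return int.from_bytes(value, "big").bit_length().to_bytes(2, "big") + value

def _old_packet(tag, body):
    """Old-format header with a 2-byte length, the form gpg emits for key material."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _crc24(data):
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def _armor(data):
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(_crc24(data).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def constructed_key(hash_algo, modulus_bits=4096):
    """Primary RSA key + user ID + one positive self-certification (sig type 0x13)."""
    n = (1 << (modulus_bits - 1)) | 1                    # top bit set so the MPI reports modulus_bits
    pubkey = (bytes([4]) + (0).to_bytes(4, "big") + bytes([1])
              + _mpi(n.to_bytes(modulus_bits // 8, "big")) + _mpi(b"\x01\x00\x01"))
    uid = b"Constructed Test Key <test@example.invalid>"  # placeholder user ID
    sig = (bytes([4, 0x13, 1, hash_algo]) + b"\x00\x06" + bytes([5, 2, 0, 0, 0, 0])  # hashed: creation time
           + b"\x00\x00" + b"\xab\xcd" + _mpi(b"\x2a"))                              # unhashed, left16, dummy MPI
    return _armor(_old_packet(6, pubkey) + _old_packet(13, uid) + _old_packet(2, sig))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                # audit a downloaded key file, e.g. RPM-GPG-KEY
        print(audit_key(open(sys.argv[1]).read()))
    else:
        for label, key in (("SHA1 self-sig", constructed_key(2)), ("SHA512 self-sig", constructed_key(10))):
            print(label, audit_key(key))
```

Both constructed keys report as RSA4096; only the one whose self-certification uses hash algorithm 2 (SHA1) is flagged, which is the situation described above. On a host with GnuPG, `gpg --list-packets RPM-GPG-KEY` shows the same field as `digest algo` on each signature packet.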
You need to update the repository itself.
rpm -Uvh "https://labs.consol.de/repo/testing/rhel9/i386/labs-consol-testing.rhel9.noarch.rpm"
The new GPG key is here: https://labs.consol.de/repo/stable/GPG-KEY-4096 But it is referenced in the repository file already anyway. Also, the new repository configuration has GPG checks enabled by default (at least for rhel9).
Let me know if you still experience issues.
Ok, I see. The new key works but I had to replace the gpgkey= url in the repo file.
[root@manage yum.repos.d]# dnf clean all
Updating Subscription Management repositories.
732 files removed
[root@manage yum.repos.d]# rpm -Uvh "https://labs.consol.de/repo/testing/rhel9/i386/labs-consol-testing.rhel9.noarch.rpm"
Retrieving https://labs.consol.de/repo/testing/rhel9/i386/labs-consol-testing.rhel9.noarch.rpm
warning: /var/tmp/rpm-tmp.4Dedog: Header V4 RSA/SHA256 Signature, key ID f1ffe778: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:labs-consol-testing-1.5-1 ################################# [100%]
[root@manage yum.repos.d]# cat labs-consol-testing.repo
[labs_consol_testing]
name=labs_consol_testing
baseurl=http://labs.consol.de/repo/testing/rhel9/$basearch
type=yum
enabled=1
gpgcheck=0
gpgkey=https://labs.consol.de/repo/testing/RPM-GPG-KEY
[root@manage yum.repos.d]#
gpgcheck is 0 by default; gpgkey is https://labs.consol.de/repo/testing/RPM-GPG-KEY by default.
[root@manage yum.repos.d]# sed -i 's/gpgcheck=0/gpgcheck=1/g' labs-consol-testing.repo
[root@manage yum.repos.d]# cat labs-consol-testing.repo
[labs_consol_testing]
name=labs_consol_testing
baseurl=http://labs.consol.de/repo/testing/rhel9/$basearch
type=yum
enabled=1
gpgcheck=1
gpgkey=https://labs.consol.de/repo/testing/RPM-GPG-KEY
[root@manage yum.repos.d]#
[root@manage yum.repos.d]# dnf clean all
Updating Subscription Management repositories.
46 files removed
[root@manage yum.repos.d]# dnf install thruk --setopt tsflags=test
Updating Subscription Management repositories.
Last metadata expiration check: 0:01:50 ago on Mon 07 Apr 2025 09:49:07 AM UTC.
Dependencies resolved.
===========================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================
Installing:
thruk x86_64 3.21.20250404-13903.1 labs_consol_testing 6.7 k
Installing dependencies:
annobin x86_64 12.65-1.el9 rhel-9-for-x86_64-appstream-rpms 1.0 M
apr x86_64 1.7.0-12.el9_3 rhel-9-for-x86_64-appstream-rpms 126 k
apr-util x86_64 1.6.1-23.el9 rhel-9-for-x86_64-appstream-rpms 97 k
apr-util-bdb x86_64 1.6.1-23.el9 rhel-9-for-x86_64-appstream-rpms 14 k
cpp x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 11 M
dwz x86_64 0.14-3.el9 rhel-9-for-x86_64-appstream-rpms 130 k
efi-srpm-macros noarch 6-2.el9_0 rhel-9-for-x86_64-appstream-rpms 24 k
fonts-srpm-macros noarch 1:2.0.5-7.el9.1 rhel-9-for-x86_64-appstream-rpms 29 k
gcc x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 32 M
gcc-c++ x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 13 M
gcc-plugin-annobin x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 42 k
gd x86_64 2.3.2-3.el9 rhel-9-for-x86_64-appstream-rpms 134 k
ghc-srpm-macros noarch 1.5.0-6.el9 rhel-9-for-x86_64-appstream-rpms 9.0 k
glibc-devel x86_64 2.34-125.el9_5.3 rhel-9-for-x86_64-appstream-rpms 31 k
glibc-headers x86_64 2.34-125.el9_5.3 rhel-9-for-x86_64-appstream-rpms 537 k
go-srpm-macros noarch 3.6.0-3.el9 rhel-9-for-x86_64-appstream-rpms 28 k
httpd x86_64 2.4.62-1.el9_5.2 rhel-9-for-x86_64-appstream-rpms 51 k
[...]
(219/223): libstdc++-devel-11.5.0-5.el9_5.x86_64.rpm 7.2 MB/s | 2.4 MB 00:00
(220/223): glibc-devel-2.34-125.el9_5.3.x86_64.rpm 142 kB/s | 31 kB 00:00
(221/223): gcc-11.5.0-5.el9_5.x86_64.rpm 19 MB/s | 32 MB 00:01
(222/223): glibc-headers-2.34-125.el9_5.3.x86_64.rpm 1.1 MB/s | 537 kB 00:00
(223/223): kernel-headers-5.14.0-503.35.1.el9_5.x86_64.rpm 8.7 MB/s | 3.8 MB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total 8.0 MB/s | 108 MB 00:13
labs_consol_testing 6.0 kB/s | 1.0 kB 00:00
Importing GPG key 0xA57B9ED7:
Userid : "Sven Nierlein <[email protected]>"
Fingerprint: F2F9 7737 B59A CCC9 2C23 F8C7 F8C1 CA08 A57B 9ED7
From : https://labs.consol.de/repo/testing/RPM-GPG-KEY
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: libthruk-3.20-0.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-3.21.20250404-13903.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-3.21.20250404-13903.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-base-3.21.20250404-13903.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-base-3.21.20250404-13903.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
Public key for thruk-plugin-reporting-3.21.20250404-13903.1.rhel9.x86_64.rpm is not installed. Failing package is: thruk-plugin-reporting-3.21.20250404-13903.1.x86_64
GPG Keys are configured as: https://labs.consol.de/repo/testing/RPM-GPG-KEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[root@manage yum.repos.d]#
[root@manage yum.repos.d]# dnf clean all
Updating Subscription Management repositories.
269 files removed
[root@manage yum.repos.d]# sed -i 's|gpgkey=https://labs.consol.de/repo/testing/RPM-GPG-KEY|gpgkey=https://labs.consol.de/repo/stable/GPG-KEY-4096|g' labs-consol-testing.repo
[root@manage yum.repos.d]# cat labs-consol-testing.repo
[labs_consol_testing]
name=labs_consol_testing
baseurl=http://labs.consol.de/repo/testing/rhel9/$basearch
type=yum
enabled=1
gpgcheck=1
gpgkey=https://labs.consol.de/repo/stable/GPG-KEY-4096
[root@manage yum.repos.d]#
[root@manage yum.repos.d]# dnf install thruk --setopt tsflags=test
Updating Subscription Management repositories.
Extra Packages for Enterprise Linux 9 - x86_64 9.2 MB/s | 23 MB 00:02
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 1.8 kB/s | 2.5 kB 00:01
grafana 35 MB/s | 172 MB 00:04
labs_consol_testing 1.1 MB/s | 734 kB 00:00
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 19 MB/s | 51 MB 00:02
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 17 MB/s | 53 MB 00:03
Dependencies resolved.
=================================================================================================================================================================================================
Package Architecture Version Repository Size
=================================================================================================================================================================================================
Installing:
thruk x86_64 3.21.20250404-13903.1 labs_consol_testing 6.7 k
Installing dependencies:
annobin x86_64 12.65-1.el9 rhel-9-for-x86_64-appstream-rpms 1.0 M
apr x86_64 1.7.0-12.el9_3 rhel-9-for-x86_64-appstream-rpms 126 k
apr-util x86_64 1.6.1-23.el9 rhel-9-for-x86_64-appstream-rpms 97 k
apr-util-bdb x86_64 1.6.1-23.el9 rhel-9-for-x86_64-appstream-rpms 14 k
cpp x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 11 M
dwz x86_64 0.14-3.el9 rhel-9-for-x86_64-appstream-rpms 130 k
efi-srpm-macros noarch 6-2.el9_0 rhel-9-for-x86_64-appstream-rpms 24 k
fonts-srpm-macros noarch 1:2.0.5-7.el9.1 rhel-9-for-x86_64-appstream-rpms 29 k
gcc x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 32 M
gcc-c++ x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 13 M
gcc-plugin-annobin x86_64 11.5.0-5.el9_5 rhel-9-for-x86_64-appstream-rpms 42 k
gd x86_64 2.3.2-3.el9 rhel-9-for-x86_64-appstream-rpms 134 k
ghc-srpm-macros noarch 1.5.0-6.el9 rhel-9-for-x86_64-appstream-rpms 9.0 k
glibc-devel x86_64 2.34-125.el9_5.3 rhel-9-for-x86_64-appstream-rpms 31 k
[...]
(218/223): gcc-plugin-annobin-11.5.0-5.el9_5.x86_64.rpm 101 kB/s | 42 kB 00:00
(219/223): gcc-11.5.0-5.el9_5.x86_64.rpm 25 MB/s | 32 MB 00:01
(220/223): glibc-devel-2.34-125.el9_5.3.x86_64.rpm 73 kB/s | 31 kB 00:00
(221/223): libstdc++-devel-11.5.0-5.el9_5.x86_64.rpm 5.2 MB/s | 2.4 MB 00:00
(222/223): glibc-headers-2.34-125.el9_5.3.x86_64.rpm 2.5 MB/s | 537 kB 00:00
(223/223): kernel-headers-5.14.0-503.35.1.el9_5.x86_64.rpm 10 MB/s | 3.8 MB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 5.6 MB/s | 128 MB 00:22
labs_consol_testing 9.6 kB/s | 1.6 kB 00:00
Importing GPG key 0xF1FFE778:
Userid : "Sven Nierlein <[email protected]>"
Fingerprint: 99A9 5F41 635E A25E C78C 879E F0CA 212F F1FF E778
From : https://labs.consol.de/repo/stable/GPG-KEY-4096
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Complete!
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
[root@manage yum.repos.d]#
Replacing GPG-KEY with GPG-KEY-4096 in the gpgkey= works.
Damn, you are right. It's still the old key in the repository rpm...
I updated the repository once again; now it should be fine.
#>rpm -Uvh "https://labs.consol.de/repo/testing/rhel9/i386/labs-consol-testing.rhel9.noarch.rpm"
Retrieving https://labs.consol.de/repo/testing/rhel9/i386/labs-consol-testing.rhel9.noarch.rpm
warning: /var/tmp/rpm-tmp.oeirdV: Header V4 RSA/SHA256 Signature, key ID f1ffe778: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:labs-consol-testing-1.5-2 ################################# [100%]
#>cat /etc/yum.repos.d/labs-consol-testing.repo
[labs_consol_testing]
name=labs_consol_testing
baseurl=http://labs.consol.de/repo/testing/rhel9/$basearch
type=yum
enabled=1
gpgcheck=1
gpgkey=https://labs.consol.de/repo/testing/GPG-KEY-4096
#>yum install thruk
...
Importing GPG key 0xF1FFE778:
Userid : "Sven Nierlein <[email protected]>"
Fingerprint: 99A9 5F41 635E A25E C78C 879E F0CA 212F F1FF E778
From : https://labs.consol.de/repo/testing/GPG-KEY-4096
Is this ok [y/N]: y
Key imported successfully
...
Complete!
Great! Looking forward to this making the production repo.
Should be fine now for the stable repository as well.