Home / server / Questions / 1160805
Accepted
Vinícius Ferrão
Asked: 2024-06-12 03:40:46 +0800 CST

RHEL8 upgrade to RHEL9 with Leapp: warning: Signature not supported. Hash algorithm SHA1 not available

  • 772

After upgrading some servers from RHEL8 to RHEL9 using the Leapp utility there's some warnings after the upgrade in dnf and rpm: warning: Signature not supported. Hash algorithm SHA1 not available.

Every time that I ran any of those commands I got this warnings:

[root@web ~]# rpm -q kernel
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
kernel-5.14.0-362.18.1.el9_3.x86_64
kernel-5.14.0-427.18.1.el9_4.x86_64
kernel-5.14.0-427.20.1.el9_4.x86_64

[root@web ~]# dnf repolist
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
Updating Subscription Management repositories.
repo id                          repo name
rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms    Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)

I don't know from which package or what trigger this issue. The majority of the solution available on the web involves reenabling SHA1, which is not effectively a solution.

Also all the packages are tagged with el9 except for some gpg-pubkey packages, so I think there's nothing from RHEL9 around.

[root@web ~]# rpm -qa | grep -v el9
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-a14fe591-578876fd
gpg-pubkey-d4082792-5b32db75

How can I trace the real issue to get rid of this warnings?

redhat

2 Answers

  1. Query all packages for their signature. Anyone can add on an "el9" to release string, not just RHEL.

    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' | grep SHA1

    Old SHA1 are probably from third party repos. RHEL and Fedora have been using SHA256 or better for a while.

    With any findings, be sure the packager is aware and working on RHEL 9 compatible signatures.

    Remove any unneeded packages. Work around necessary packages with weak signatures by signing yourself. Download, verify, rpmsign --resign, add to a local repo. And of course this repo should verify with gpgcheck=1 and gpgkey. Only requires a host or two with legacy crypto policies, rather than all hosts.

    dnf install --setopt=tsflags=nocrypto is a poor workaround, because you need to provide it every time or rpm will error. And no signature checks is worse than obsolete signature checks.

    • 0
  2. Best Answer

    Alright, at least on all my servers that solved the issue:

    rpm -e `rpm -qa | grep gpg-pubkey | xargs`

    This command will forcefully remove all gpg-pubkey packages. And this seems to be OK, because if the keys are missing it will be reimported again on next dnf. I've tested on 20+ servers that were upgraded from RHEL8 using leapp.

    • 0