RPM signing key is invalid on newer operating systems

The signing key used for RPM packages (and I assume other package types) is no longer valid on newer operating systems since the key is SHA1 and these newer operating systems have deprecated SHA1.

Specifically, I'm trying to install Elasticsearch 8.6.1 on a RHEL 9 system and get this when using your directions to import the signing key:

```
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
warning: Signature not supported. Hash algorithm SHA1 not available.
```

There have been numerous topics opened regarding this issue in the forums, and none of them have ever received a public reply and have been closed due to age. I'd rather not have to bypass the gpg check in dnf, and I really don't want to enable SHA1 system-wide. Please create a new/additional key with SHA256/512 so the packages can again be managed with a package manager.

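The warning above comes from rpm refusing a key whose self-signatures are hashed with SHA-1, which RHEL 9's default crypto policy no longer accepts. Before importing a vendor key on such a system it is useful to know in advance which hash algorithms its signatures use. The script below is an added example for this thread, not code from Elastic or from the forum posters: it parses the OpenPGP packet framing of a key (armored or binary), finds every signature packet, and names the hash algorithm each one uses. The two sample keys at the bottom are constructed in the script with dummy key material purely to exercise the parser; the file name argument and the `example.invalid` user id are assumptions.

```python
#!/usr/bin/env python3
"""Report which hash algorithms the signature packets in an OpenPGP public key use.
Usage: python3 check_key_hashes.py GPG-KEY-file   (armored or binary)
With no argument it checks the two constructed sample keys defined below."""
import base64
import sys

# Hash algorithm identifiers from RFC 4880 / RFC 9580
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512"}
DEPRECATED = {"MD5", "SHA1"}      # rejected by the RHEL 9 DEFAULT crypto policy
SIGNATURE_TAG = 2


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes; accepts ASCII-armored or already-binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, state = [], None
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("-----BEGIN PGP"):
            state = "headers"            # armor headers run until a blank line
        elif line.startswith("-----END PGP"):
            break
        elif state == "headers":
            if line.strip() == "":
                state = "body"
        elif state == "body" and not line.startswith("="):   # '=' line is the CRC24
            body.append(line.strip())
    return base64.b64decode("".join(body))


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"not a packet header at offset {pos}")
        if first & 0x40:                                   # new-format header
            tag, l0 = first & 0x3F, data[pos + 1]
            if l0 < 192:
                length, pos = l0, pos + 2
            elif l0 < 224:
                length, pos = ((l0 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif l0 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not used in key files")
        else:                                              # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def signature_hash_algorithms(key: bytes) -> list:
    """Names of the hash algorithms used by every signature packet in the key."""
    names = []
    for tag, body in parse_packets(dearmor(key)):
        if tag != SIGNATURE_TAG:
            continue
        # v3: hash algo follows the 8-byte key id; v4/v5/v6: it is the 4th byte
        offset = 16 if body[0] == 3 else 3
        names.append(HASH_NAMES.get(body[offset], f"unknown({body[offset]})"))
    return names


def uses_deprecated_hash(key: bytes) -> bool:
    """True if any signature on the key relies on MD5 or SHA-1."""
    return any(name in DEPRECATED for name in signature_hash_algorithms(key))


def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet header (RFC 4880 4.2.2) for bodies under 8384 bytes."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body


def _self_signature(hash_algo: int) -> bytes:
    """Skeleton v4 positive-certification signature (type 0x13); dummy digest/MPI."""
    return (bytes([4, 0x13, 1, hash_algo])   # version, type, RSA, hash algorithm
            + b"\x00\x00\x00\x00"            # empty hashed and unhashed subpackets
            + b"\xab\xcd" + b"\x00\x08\x42")  # left 16 digest bits, one 8-bit MPI


# Constructed sample keys: public-key packet (tag 6), user id (tag 13), one
# self-signature (tag 2). Key material is dummy; only the packet framing matters.
_PUBKEY = _packet(6, bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\x81" + b"\x00\x02\x03")
_USERID = _packet(13, b"Constructed Test Key <test@example.invalid>")
SHA1_SIGNED_KEY = _PUBKEY + _USERID + _packet(2, _self_signature(2))
SHA256_SIGNED_KEY = _PUBKEY + _USERID + _packet(2, _self_signature(8))
ARMORED_SHA256_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
                      + base64.b64encode(SHA256_SIGNED_KEY).decode() + "\n=none\n"
                      "-----END PGP PUBLIC KEY BLOCK-----\n").encode()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"sha1 sample": SHA1_SIGNED_KEY, "armored sha256 sample": ARMORED_SHA256_KEY}
    for name, key in samples.items():
        verdict = "rejected under a SHA1-free policy" if uses_deprecated_hash(key) else "ok"
        print(f"{name}: signatures use {signature_hash_algorithms(key)} -> {verdict}")
```

Running it against a downloaded key file tells you whether `rpm --import` will fail on a SHA1-free host before you touch the system's crypto policy; a key whose self-signatures are SHA256 or stronger imports normally. Note that this only inspects the signatures carried inside the key itself, which is exactly what rpm validates at import time; whether individual package signatures are also SHA-1 is a separate check.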

I believe there is a Github issue for this: rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch not working on centOS stream. gives a key import error. · Issue #85876 · elastic/elasticsearch · GitHub

We do intend to create a new signing key, but we don't know when it will happen. But when there is progress you will be more likely to see it on that GitHub issue than here.
