RPM signing key is invalid on newer operating systems

twilson · March 10, 2023, 9:43pm

The signing key used for RPM packages (and I assume other package types) is no longer valid on newer operating systems since the key is SHA1 and these newer operating systems have deprecated SHA1.

Specifically, I'm trying to install elasticsearch 8.6.1 on a RHEL 9 system and get this when using your directions to import the signing key

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
warning: Signature not supported. Hash algorithm SHA1 not available.

There have been numerous topics opened regarding this issue in the forums, and none of them have ever received a public reply and have been closed due to age. I'd rather not have to bypass the gpg check in dnf, and I really don't want to enable SHA1 system-wide. Please create a new/additional key with SHA256/512 so the packages can again be managed with a package manager.

William_Brafford · March 20, 2023, 7:04pm

I believe there is a Github issue for this: rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch not working on centOS stream. gives a key import error. · Issue #85876 · elastic/elasticsearch · GitHub

We do intend to create a new signing key, but we don't know when it will happen. But when there is progress you will be more likely to see it on that github issue than here.

system · April 17, 2023, 7:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch Installation: gpg: no valid OpenPGP Elasticsearch	6	7436	June 26, 2018
Issues with the RPM repository provided in the HowTo Elastic Search	2	108	July 30, 2024
Failed to install filebeat RPM on EL5 Linux machine Beats filebeat	10	5401	March 29, 2017
Elasticsearch Upgrade issue Elasticsearch	2	199	January 11, 2024
PGP keys fails to install no valid openPGP data found Elasticsearch	4	17707	July 5, 2017

RPM signing key is invalid on newer operating systems

Related Topics