#1120 extras-common repomd.xml.asc is signed with SHA-1 which is rejected on stream 9
Closed: Fixed 2 years ago by maha. Opened 2 years ago by maha.

Currently fetching repodata for extras-common fails if you have repogpg enabled, since the repomd.xml is signed with a SHA-1 digest, which is rejected on EL9:

# dnf -d 9 update --disablerepo '*' --enablerepo extras-common
timer: config: 2 ms
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, post-transaction-actions, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade
DNF version: 4.14.0
Command: dnf -d 9 update --disablerepo * --enablerepo extras-common
Installroot: /
Releasever: 9
cachedir: /var/cache/dnf
Base command: update
Extra commands: ['-d', '9', 'update', '--disablerepo', '*', '--enablerepo', 'extras-common']
User-Agent: constructed: 'libdnf (CentOS Stream 9; generic; Linux.x86_64)'
repo: downloading from remote: extras-common
CentOS-9 - Extras packages                                                                                                                                                           1.0 kB/s | 490  B     00:00
CentOS-9 - Extras packages                                                                                                                                                           2.1 MB/s | 2.1 kB     00:00
repo extras-common: 0x1FF6A2171D997668 already imported
CentOS-9 - Extras packages                                                                                                                                                           3.0 kB/s | 490  B     00:00
Cleaning up.
Plugins were unloaded.

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load
    ret = self._repo.load()
  File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load
    return _repo.Repo_load(self)
libdnf._error.Error: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 67, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 106, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 122, in cli_run
    cli.run()
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 1040, in run
    self._process_demands()
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 741, in _process_demands
    self.base.fill_sack(
  File "/usr/lib/python3.9/site-packages/dnf/base.py", line 406, in fill_sack
    self._add_repo_to_sack(r)
  File "/usr/lib/python3.9/site-packages/dnf/base.py", line 141, in _add_repo_to_sack
    repo.load()
  File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 581, in load
    raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature
Error: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature


# curl -s "https://mirrors.centos.org/metalink?repo=centos-extras-sig-extras-common-9-stream&arch=x86_64&protocol=https" | grep '<url ' | head -n 1 | sed -e 's/.*">//' -e 's/<\/url.*//'
https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml

# curl https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml.asc -o repomd.xml.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   490  100   490    0     0   7101      0 --:--:-- --:--:-- --:--:--  7205
# curl https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml -o repomd.xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3080  100  3080    0     0  43380      0 --:--:-- --:--:-- --:--:-- 44000

# gpg --homedir /var/cache/dnf/extras-common-a0a3f00c3ad1eea0/pubring/ --verify repomd.xml.asc
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/extras-common-a0a3f00c3ad1eea0/pubring'
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Thu 06 Apr 2023 08:25:58 PM UTC
gpg:                using RSA key 1FF6A2171D997668
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm

# curl -s https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml.asc | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=284
:signature packet: algo 1, keyid 1FF6A2171D997668
    version 4, created 1680812758, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 4d f9
    hashed subpkt 2 len 4 (sig created 2023-04-06)
    subpkt 16 len 8 (issuer key ID 1FF6A2171D997668)
    data: [2047 bits]

Digest algo 2 == SHA-1 according to https://www.rfc-editor.org/rfc/rfc4880#section-9.4

This blocks updating metadata.


Thanks for the report.
A recent gnupg2 upgrade indeed deprecated SHA-1 (see https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/82c38c29114f0bdb64b7d9f8c0d89afffc7b560d).
As it was also preventing importing the centos distro key itself, it was reverted, so if you downgraded to the previous gnupg2, it should work.
But it's still a workaround and we should implement signing with a better algo, which is why we bumped that to sha-256 some time ago (and rpm packages are signed with it).
It seems the detached sig was forgotten, but I just implemented it:

gpg --list-packets repomd.xml.asc 
:signature packet: algo 1, keyid 1FF6A2171D997668
    version 4, created 1680863312, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 3a 87
    hashed subpkt 2 len 4 (sig created 2023-04-07)
    subpkt 16 len 8 (issuer key ID 1FF6A2171D997668)
    data: [2047 bits]

It should go live on the mirror network in the next minutes ...
Will you be able to confirm that it works and then close the ticket?
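The `gpg --list-packets` dumps in the report and in the reply above are the whole diagnosis: the signature packet's digest algo changed from 2 (SHA-1) to 8 (SHA-256). The script below is an added example, not code from this ticket or from the CentOS infra tooling. It does that check without gpg: it dearmors a `repomd.xml.asc`, walks the OpenPGP packets as RFC 4880 lays them out, and reports the digest algorithm of each v4 signature packet, flagging MD5/SHA-1 as what the EL9 gnupg2 build rejects. The two embedded signatures are constructed samples (placeholder MPI, key ID and timestamps copied from the dumps on this ticket) and will not verify against any key; the function and variable names are this example's own.

```python
"""Audit an OpenPGP detached signature (repomd.xml.asc) for its digest algorithm.
Added example for this ticket, not CentOS infra code: it walks the packets as
RFC 4880 lays them out and flags a SHA-1 (algo 2) signature before EL9's gnupg2
rejects it. The embedded signatures are constructed samples, not real ones."""
import base64
import datetime
import re
import struct

# RFC 4880 section 9.4 hash IDs (the "digest algo" in gpg --list-packets); 1 and 2 are rejected on EL9
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}


def dearmor(text: str) -> bytes:
    """Strip the ASCII armor (section 6.2) and return the raw packet bytes."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\s*\n(.*?)\n-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE armor found")
    lines = m.group(1).splitlines()
    while lines and ":" in lines[0]:                 # armor headers such as "Version:"
        lines.pop(0)
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("=")))  # "=xxxx" is the CRC24


def _packet_header(buf: bytes, off: int):
    """Return (tag, body offset, body length) for the packet header at buf[off] (section 4.2)."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, o1 = ctb & 0x3F, buf[off + 1]
        if o1 < 192:
            return tag, off + 2, o1
        if o1 < 224:
            return tag, off + 3, ((o1 - 192) << 8) + buf[off + 2] + 192
        if o1 == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header, e.g. ctb=89 in the dump above
    if ltype == 3:                                   # indeterminate length: rest of the input
        return tag, off + 1, len(buf) - off - 1
    size = (1, 2, 4)[ltype]
    return tag, off + 1 + size, int.from_bytes(buf[off + 1:off + 1 + size], "big")


def _subpackets(data: bytes) -> dict:
    """Pull creation time (type 2) and issuer key ID (type 16) out of a subpacket area (5.2.3.1)."""
    out, i = {}, 0
    while i < len(data):
        o1 = data[i]
        if o1 < 192:
            length, i = o1, i + 1
        elif o1 < 255:
            length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        sub_type, body = data[i] & 0x7F, data[i + 1:i + length]   # length counts the type octet
        i += length
        if sub_type == 2:
            out["created"] = struct.unpack(">I", body)[0]
        elif sub_type == 16:
            out["issuer"] = body.hex().upper()
    return out


def parse_signatures(raw: bytes) -> list:
    """One dict per v4 signature packet (tag 2) in raw, with its digest algorithm and a weak flag."""
    sigs, off = [], 0
    while off < len(raw):
        tag, body_off, length = _packet_header(raw, off)
        body, off = raw[body_off:body_off + length], body_off + length
        if tag != 2 or body[0] != 4:                 # only v4 signatures use the layout below
            continue
        hash_algo, hlen = body[3], struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        info = {"pubkey_algo": body[2], "hash_algo": hash_algo, "weak": hash_algo in WEAK_HASHES,
                "hash_name": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})")}
        info.update(_subpackets(body[8 + hlen:8 + hlen + ulen]))   # unhashed area first ...
        info.update(_subpackets(body[6:6 + hlen]))                 # ... hashed area is signed, so it wins
        sigs.append(info)
    return sigs


def build_sample(hash_algo: int, created: int, issuer_hex: str) -> str:
    """Constructed sample: armored RSA v4 signature with a placeholder MPI (it will not verify)."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)               # subpacket 2: creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_hex)              # subpacket 16: issuer key ID
    body = (bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x4d\xf9" + struct.pack(">H", 16) + b"\xbe\xef")
    raw = bytes([0x89]) + struct.pack(">H", len(body)) + body          # old-format tag 2, 2-byte length
    return f"-----BEGIN PGP SIGNATURE-----\n\n{base64.b64encode(raw).decode()}\n-----END PGP SIGNATURE-----\n"


# key ID and timestamps copied from the packet dumps on this ticket; the signature bytes are fake
OLD_SIGNATURE = build_sample(2, 1680812758, "1FF6A2171D997668")        # digest algo 2: SHA-1, rejected
NEW_SIGNATURE = build_sample(8, 1680863312, "1FF6A2171D997668")        # digest algo 8: SHA-256, accepted

if __name__ == "__main__":
    for name, asc in (("before fix", OLD_SIGNATURE), ("after fix", NEW_SIGNATURE)):
        for s in parse_signatures(dearmor(asc)):
            when = datetime.datetime.fromtimestamp(s["created"], datetime.timezone.utc)
            print(f"{name}: key {s['issuer']} {s['hash_name']} {when:%Y-%m-%d %H:%M:%S} UTC "
                  f"-> {'REJECTED on EL9' if s['weak'] else 'ok'}")
```

To audit a real mirror, feed `parse_signatures(dearmor(open("repomd.xml.asc").read()))` the file fetched with the curl command above; a `weak` result is the same condition gpg reports as "Invalid digest algorithm" on EL9. The hashed subpacket area is read last on purpose: its contents are covered by the signature, while the unhashed area (where the issuer key ID sits in these dumps) is not, so the two must not be trusted equally.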

Metadata Update from @arrfab:
- Issue assigned to arrfab

2 years ago

Metadata Update from @arrfab:
- Issue tagged with: cbs, centos-stream, high-gain, medium-trouble

2 years ago

Thank you - I can confirm the metadata can be verified again.

Metadata Update from @maha:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
