Currently fetching repodata for extras-common fails if you have repogpg enabled, since the repomd.xml is signed with a SHA-1 digest, which is rejected on EL9:
```
# dnf -d 9 update --disablerepo '*' --enablerepo extras-common
timer: config: 2 ms
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, post-transaction-actions, repoclosure, repodiff, repograph, repomanage, reposync, system-upgrade
DNF version: 4.14.0
Command: dnf -d 9 update --disablerepo * --enablerepo extras-common
Installroot: /
Releasever: 9
cachedir: /var/cache/dnf
Base command: update
Extra commands: ['-d', '9', 'update', '--disablerepo', '*', '--enablerepo', 'extras-common']
User-Agent: constructed: 'libdnf (CentOS Stream 9; generic; Linux.x86_64)'
repo: downloading from remote: extras-common
CentOS-9 - Extras packages 1.0 kB/s | 490 B 00:00
CentOS-9 - Extras packages 2.1 MB/s | 2.1 kB 00:00
repo extras-common: 0x1FF6A2171D997668 already imported
CentOS-9 - Extras packages 3.0 kB/s | 490 B 00:00
Cleaning up.
Plugins were unloaded.
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load
    ret = self._repo.load()
  File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load
    return _repo.Repo_load(self)
libdnf._error.Error: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 67, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 106, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 122, in cli_run
    cli.run()
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 1040, in run
    self._process_demands()
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 741, in _process_demands
    self.base.fill_sack(
  File "/usr/lib/python3.9/site-packages/dnf/base.py", line 406, in fill_sack
    self._add_repo_to_sack(r)
  File "/usr/lib/python3.9/site-packages/dnf/base.py", line 141, in _add_repo_to_sack
    repo.load()
  File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 581, in load
    raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature
Error: Failed to download metadata for repo 'extras-common': repomd.xml GPG signature verification error: Bad GPG signature
```

```
# curl -s "https://mirrors.centos.org/metalink?repo=centos-extras-sig-extras-common-9-stream&arch=x86_64&protocol=https" | grep '<url ' | head -n 1 | sed -e 's/.*">//' -e 's/<\/url.*//'
https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml
# curl https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml.asc -o repomd.xml.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   490  100   490    0     0   7101      0 --:--:-- --:--:-- --:--:--  7205
# curl https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml -o repomd.xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3080  100  3080    0     0  43380      0 --:--:-- --:--:-- --:--:-- 44000
# gpg --homedir /var/cache/dnf/extras-common-a0a3f00c3ad1eea0/pubring/ --verify repomd.xml.asc
gpg: WARNING: unsafe permissions on homedir '/var/cache/dnf/extras-common-a0a3f00c3ad1eea0/pubring'
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Thu 06 Apr 2023 08:25:58 PM UTC
gpg:                using RSA key 1FF6A2171D997668
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
```

```
curl -s https://mirror.xenyth.net/centos-stream/SIGs/9-stream/extras/x86_64/extras-common/repodata/repomd.xml.asc | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=284
:signature packet: algo 1, keyid 1FF6A2171D997668
	version 4, created 1680812758, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 4d f9
	hashed subpkt 2 len 4 (sig created 2023-04-06)
	subpkt 16 len 8 (issuer key ID 1FF6A2171D997668)
	data: [2047 bits]
```
digest algo 2 == sha-1 according to https://www.rfc-editor.org/rfc/rfc4880#section-9.4
this blocks updating metadata
Thanks for the report.

A recent gnupg2 upgrade indeed deprecated SHA-1 (see https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/82c38c29114f0bdb64b7d9f8c0d89afffc7b560d).

As it was also preventing importing the centos distro key itself, it was reverted, so if you downgraded to previous gnupg2, it should work.

But it's still a workaround and we should implement signing with better algo, reason why we bumped that to sha-256 some time ago (and rpm packages are signed with it).

It seems detached sig was forgotten but I just implemented it:
```
gpg --list-packets repomd.xml.asc
:signature packet: algo 1, keyid 1FF6A2171D997668
	version 4, created 1680863312, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 3a 87
	hashed subpkt 2 len 4 (sig created 2023-04-07)
	subpkt 16 len 8 (issuer key ID 1FF6A2171D997668)
	data: [2047 bits]
```
It should go live on the mirror network in the next minutes... Will you be able to confirm that it works and then close the ticket?
Metadata Update from @arrfab: - Issue assigned to arrfab
Metadata Update from @arrfab: - Issue tagged with: cbs, centos-stream, high-gain, medium-trouble
Thank you - I can confirm the metadata can be verified again.
Metadata Update from @maha: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
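The `digest algo` field that both `gpg --list-packets` outputs in this ticket hinge on can also be read straight from the armored detached signature. The following is an added example, not part of the ticket or of any CentOS tooling; it handles only version 4 signature packets, the `REJECTED` policy set is an assumption for illustration, and the sample signatures are constructed (they carry no real signature data).

```python
import base64

# Hash algorithm IDs from RFC 4880 section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
REJECTED = {"MD5", "SHA1"}   # assumed local policy for this example


def dearmor(text):
    """Return the binary packet data from an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    body = lines[start + 1:end]
    if "" in body:                       # armor headers end at a blank line
        body = body[body.index("") + 1:]
    body = [l for l in body if not l.startswith("=")]   # drop CRC-24 line
    return base64.b64decode("".join(body))


def signature_digest(packet):
    """Return the hash algorithm name of a leading v4 signature packet."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                       # new-format packet header
        tag, first = ctb & 0x3F, packet[1]
        if 224 <= first < 255:
            raise ValueError("partial body length not supported")
        hlen = 2 if first < 192 else 3 if first < 224 else 6
    else:                                # old-format header, e.g. ctb=0x89
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hlen = 1 + (1, 2, 4)[ltype]
    if tag != 2:
        raise ValueError("not a signature packet")
    body = packet[hlen:]
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    algo = body[3]       # layout: version, sigclass, pubkey algo, hash algo
    return HASH_ALGOS.get(algo, f"unknown({algo})")


def check(armored):
    """Return (hash name, rejected?) for an armored detached signature."""
    name = signature_digest(dearmor(armored))
    return name, name in REJECTED


def sample_signature(hash_algo):
    """Constructed v4 signature packet (empty subpackets, no MPI data)."""
    body = bytes([4, 0x00, 1, hash_algo]) + b"\x00\x00" * 3
    pkt = bytes([0x89]) + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(pkt).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

Running `check()` over the contents of a repository's `repomd.xml.asc` before publishing would flag a SHA-1 detached signature like the one reported here.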