Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cloudstack v4.20 RPM installation fails on AlmaLinux9 when GPG verification is enabled due to SHA-1 deprecation #10133

Open
computergeek125 opened this issue Dec 21, 2024 · 1 comment
Open

Cloudstack v4.20 RPM installation fails on AlmaLinux9 when GPG verification is enabled due to SHA-1 deprecation #10133

computergeek125 opened this issue Dec 21, 2024 · 1 comment
Labels
component:packaging
Milestone
4.20.1

Comments

@computergeek125
Copy link

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Packaging
CLOUDSTACK VERSION
4.20
CONFIGURATION

N/A

OS / ENVIRONMENT

AlmaLinux 9.5

$ cat /etc/os-release 
NAME="AlmaLinux"
VERSION="9.5 (Teal Serval)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.5 (Teal Serval)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.5"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
SUPPORT_END=2032-06-01
SUMMARY

When installing from the community repo with GPG checking enabled, dnf fails and reports that the Cloudstack package is using a SHA-1 checksum.

STEPS TO REPRODUCE
  1. Install AlmaLinux 9
  2. Add Cloudstack repo, enable GPG checking
  3. sudo dnf install cloudstack-management fails - see below

I recognize that this is a community repo and not necessarily directly supported by the project. I'm new here, and I wasn't sure where else to send this report. The repos are listed on the official website and installation guide, so I figured this may be a reasonable place to start.

This failure is in line with Red Hat's upstream deprecation of the SHA-1 package hash: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9. Following the pattern of other repos, I inferred that the presence of a GPG key meant that GPG signatures were available and supported.

EXPECTED RESULTS

Installing Cloudstack via DNF does not yield a deprecated checksum

ACTUAL RESULTS

/etc/yum.repos.d/cloudstack.repo:

[cloudstack]
name=CloudStack EL$releasever
baseurl=http://download.cloudstack.org/el/$releasever/4.20
enabled=1
gpgcheck=1
gpgkey=https://download.cloudstack.org/RPM-GPG-KEY
countme=1
metadata_expire=86400
enabled_metadata=1

Installation attempt:

[user@srv-koana ~]$ sudo dnf install cloudstack-management
....
Dependencies resolved.
====================================================================================================================================================================================================================
 Package                                                             Architecture                       Version                                                        Repository                              Size
====================================================================================================================================================================================================================
Installing:
 cloudstack-management                                               x86_64                             4.20.0.0-1                                                     cloudstack                             1.6 G
Installing dependencies:
....
[SKIPPED] cloudstack-management-4.20.0.0-1.x86_64.rpm: Already downloaded                                                                                                                                          
CloudStack EL9                                                                                                                                                                       10 kB/s | 1.7 kB     00:00    
Importing GPG key 0x584DF93F:
 Userid     : "Rohit Yadav (ShapeBlue Repo) <[email protected]>"
 Fingerprint: 7203 0CA1 18C1 A275 68B1 37C4 BDF0 E176 584D F93F
 From       : https://download.cloudstack.org/RPM-GPG-KEY
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: cloudstack-common-4.20.0.0-1.x86_64
 GPG Keys are configured as: https://download.cloudstack.org/RPM-GPG-KEY
Public key for cloudstack-management-4.20.0.0-1.x86_64.rpm is not installed. Failing package is: cloudstack-management-4.20.0.0-1.x86_64
 GPG Keys are configured as: https://download.cloudstack.org/RPM-GPG-KEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[user@srv-koana ~]$
WORKAROUND RESULTS

Setting gpgcheck=0 or sudo update-crypto-policies --set DEFAULT:SHA1 bypasses the security protocol and allows installation.
@boring-cyborg boring-cyborg
Copy link

boring-cyborg bot commented Dec 21, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

@DaanHoogland DaanHoogland added this to the 4.20.1 milestone Dec 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:packaging
Projects
None yet
Milestone
4.20.1
Development

No branches or pull requests
2 participants
@DaanHoogland @computergeek125