Signature support failure on RHEL9

[cmcfadden]

The changes merged in b525bfe seem to have broken this package on RHEL9. During the "Import Nodesource RPM Key" stage, it throws a warning: Signature not supported. Hash algorithm SHA1 not available.. It looks like Nodesource might be using https://rpm.nodesource.com/gpgkey/ns-operations-public.key now?

[pixelrebel]

Same here, this fails on Rocky9

[Dialgatrainer02]

i also have this issue on almalinux 9

[ianabc]

Changing that key in tasks/setup-RedHat.yml does indeed fix the rpm_key task, but then the next task (installing the repo RPM) fails with e.g.

Failed to validate GPG signature for nodesource-release-nodistro-1.noarch: Public key for nodesource-release-nodistro-1.noarchde3kruo1.rpm is not installed

Oddly, just running yum install https://rpm.nodesource.com/pub_16.x/nodistro/repo/nodesource-release-nodistro-1.noarch.rpm will work without any signature complaints.

[ianabc]

Actually, it looks like their RPM signing is messed up. The RPM mentioned above has this signature

$ rpm -qip --nosignature nodesource-release-nodistro-1.noarch.rpm |  grep Signature
Signature   : RSA/SHA512, Wed Aug 16 20:40:47 2023, Key ID 2f59b5f99b1be0b4

But that key uses SHA1 which won't work on RHEL9 by default

$ gpg --recv-keys 2f59b5f99b1be0b4
$ gpg --armor --export  2f59b5f99b1be0b4 > node.gpg
$ sudo rpm --import node.gpg 
warning: Signature not supported. Hash algorithm SHA1 not available.
error: node.gpg: key 1 import failed.

[github-actions]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.