computergeek125 opened a new issue, #10133:
URL: https://github.com/apache/cloudstack/issues/10133
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
Packaging
~~~
##### CLOUDSTACK VERSION
~~~
4.20
~~~
##### CONFIGURATION
N/A
##### OS / ENVIRONMENT
AlmaLinux 9.5
```
$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.5 (Teal Serval)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.5 (Teal Serval)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.5"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
SUPPORT_END=2032-06-01
```
##### SUMMARY
When installing from the community repo with GPG checking enabled, `dnf`
fails and reports that the CloudStack package is using a SHA-1 checksum.
##### STEPS TO REPRODUCE
1. Install AlmaLinux 9
2. Add CloudStack repo, enable GPG checking
3. `sudo dnf install cloudstack-management` fails - see below

I recognize that this is a community repo and not necessarily directly
supported by the project. I'm new here, and I wasn't sure where else to send
this report. The repos are listed on the official website and installation
guide, so I figured this may be a reasonable place to start.

This failure is in line with Red Hat's upstream deprecation of the SHA-1
package hash:
https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9.

Following the pattern of other repos, I inferred that the presence of a GPG
key meant that GPG signatures were available and supported.
##### EXPECTED RESULTS
Installing CloudStack via DNF does not yield a deprecated checksum.
##### ACTUAL RESULTS
`/etc/yum.repos.d/cloudstack.repo`:
~~~
[cloudstack]
name=CloudStack EL$releasever
baseurl=http://download.cloudstack.org/el/$releasever/4.20
enabled=1
gpgcheck=1
gpgkey=https://download.cloudstack.org/RPM-GPG-KEY
countme=1
metadata_expire=86400
enabled_metadata=1
~~~
Installation attempt:
~~~
[user@srv-koana ~]$ sudo dnf install cloudstack-management
....
Dependencies resolved.
================================================================================
 Package                  Architecture   Version        Repository        Size
================================================================================
Installing:
 cloudstack-management    x86_64         4.20.0.0-1     cloudstack       1.6 G
Installing dependencies:
....
[SKIPPED] cloudstack-management-4.20.0.0-1.x86_64.rpm: Already downloaded
CloudStack EL9                                   10 kB/s | 1.7 kB     00:00
Importing GPG key 0x584DF93F:
Userid : "Rohit Yadav (ShapeBlue Repo) <[email protected]>"
Fingerprint: 7203 0CA1 18C1 A275 68B1 37C4 BDF0 E176 584D F93F
From : https://download.cloudstack.org/RPM-GPG-KEY
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is:
cloudstack-common-4.20.0.0-1.x86_64
GPG Keys are configured as: https://download.cloudstack.org/RPM-GPG-KEY
Public key for cloudstack-management-4.20.0.0-1.x86_64.rpm is not installed.
Failing package is: cloudstack-management-4.20.0.0-1.x86_64
GPG Keys are configured as: https://download.cloudstack.org/RPM-GPG-KEY
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
[user@srv-koana ~]$
~~~
##### WORKAROUND RESULTS
Setting `gpgcheck=0` or running `sudo update-crypto-policies --set DEFAULT:SHA1`
bypasses the security protocol and allows installation.
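
An added example, not part of the original report or of the CloudStack project: rather than disabling the check, one way to see which signature packet triggers the "Hash algorithm SHA1 not available" warning is to read the digest algorithm of each signature from `gpg --list-packets` output. The sample input, including its key ID, is constructed; `weak_sigs` and `sample_packets` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: find OpenPGP signature packets hashed with MD5 or SHA-1.
# Reads the text printed by `gpg --list-packets <file>` on stdin and prints
# one line per weak signature: "<issuer key id> <sigclass> <hash name>".
# Digest algorithm ids are the RFC 4880 values (1 = MD5, 2 = SHA-1).
weak_sigs() {
    awk '
        /^:signature packet:/  { insig = 1; keyid = $NF; sc = "?"; next }
        /^:/                   { insig = 0 }      # any other packet header
        insig && /sigclass/    { sc = $NF }       # e.g. 0x13 = user ID certification
        insig && /digest algo/ {
            algo = $3 + 0                          # "2," converts to 2
            name = ""
            if (algo == 1) name = "MD5"
            if (algo == 2) name = "SHA1"
            if (name != "") print keyid, sc, name
        }
    '
}

# Constructed sample in the layout of `gpg --list-packets` output; the key id,
# timestamps and digest bytes are made up and do not describe any real key.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example Repo <repo@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 5c 3a
    hashed subpkt 2 len 4 (sig created 2017-07-14)
:public sub key packet:
    version 4, algo 1, created 1500000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1500000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 9f 01
EOF
}

# Demo on the sample; on a real system pipe `gpg --list-packets RPM-GPG-KEY` in.
sample_packets | weak_sigs
```

Sigclass 0x13 (user ID certification) and 0x18 (subkey binding) are signatures carried inside the key file itself, as opposed to the signature on a package.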