From: Hans Schou
Date: Wed, 12 Jun 2024 11:54:38 +0200
Subject: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature
To: pgsql-general

Hi

On my test server I have Oracle Linux 8.10 installed.
Here I have installed postgresql 16.1 from the postgresql.org repository.

Upgrade to Oracle Linux 9:
When doing a »leapp preupgrade --oraclelinux« I get the message below.

I want to have postgresql.org as my repo for PostgreSQL and Oracle Linux for the rest. But it fails due to this SHA1 signature.

As Oracle Linux 8 since April 2024 now has PostgreSQL 16.1 in the repo I could just disable the pg-repo and use the ol-repo. But is this the recommended way to do it?

Output from /var/log/leapp/leapp-report.txt

Risk Factor: high (inhibitor)
Title: Detected RPMs with RSA/SHA1 signature
Summary: Digital signatures using SHA-1 hash algorithm are no longer considered secure and are not allowed to be used on OL 9 systems by default. This causes issues when using DNF/RPM to handle packages with RSA/SHA1 signatures as the signature cannot be checked with the default cryptographic policy. Any such packages cannot be installed, removed, or replaced unless the signature check is disabled in dnf/rpm or SHA-1 is enabled using non-default crypto-policies. For more information see the following documents:
  - Major changes in OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
  - Security Considerations in adopting OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
The list of problematic packages:
    - libpq5 (DSA/SHA1, Fri 15 Sep 2023 12:11:13 PM CEST, Key ID 1f16d2e1442df0f8)
    - postgresql16 (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
    - pgdg-redhat-repo (DSA/SHA1, Thu 14 Sep 2023 02:41:37 PM CEST, Key ID 1f16d2e1442df0f8)
    - postgresql16-libs (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
    - postgresql16-contrib (DSA/SHA1, Mon 20 Nov 2023 10:56:23 AM CET, Key ID 1f16d2e1442df0f8)
    - postgresql16-server (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8)
Related links:
    - Major changes in OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.html
    - Security Considerations in adopting OL 9: https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditionalSecurityFeaturesandBestPractices.html#system-crypto-policies
Remediation: [hint] It is recommended that you contact your package vendor and ask them for new builds signed with supported signatures and install the new packages before the upgrade. If this is not possible you may instead remove the incompatible packages.
Key: f16f40f49c2329a2691c0801b94d31b6b3d4f876

-- 
Hans Schou ☏ ➁➁ ➅➃ ➇⓪ ➁⓪
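The leapp report above names the installed packages whose RPM signature was made over SHA-1. The script below is an added example, not part of Hans's post, of leapp, or of the PostgreSQL packaging project: it reproduces the same check from rpm's own signature header fields, so the affected set can be listed on an OL 8 host before the upgrade and re-checked after the packages have been reinstalled from builds signed with a SHA-256 digest. It assumes rpm's `%{SIGPGP:pgpsig}` / `%{SIGGPG:pgpsig}` formatter output (the "DSA/SHA1, <date>, Key ID <id>" shape seen in the report, or "(none)" for an unsigned package); the sample lines embedded in it are constructed for the example, with two made-up SHA-256-signed entries added so the filter has something to let through.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the leapp
# "RSA/SHA1 signature" inhibitor check from rpm's signature header fields.
#
# On a real Oracle Linux / RHEL host, produce the input with:
#   rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n'
# The :pgpsig formatter prints e.g. "RSA/SHA256, <date>, Key ID <id>",
# "DSA/SHA1, <date>, Key ID <id>" or "(none)". The pair names the
# public-key algorithm and the digest the signature was made over; it is
# the SHA-1 digest that the OL 9 DEFAULT crypto policy refuses to verify.

# Read "<name>TAB<sigpgp>TAB<siggpg>" lines on stdin and print
# "<name>TAB<signature>" for every package whose signature used SHA-1.
sha1_signed_packages() {
    awk -F'\t' '
        $2 ~ /\/SHA1,/ { print $1 "\t" $2; next }
        $3 ~ /\/SHA1,/ { print $1 "\t" $3 }
    '
}

# Number of distinct packages the filter reported (stdin as above).
count_sha1_signed() {
    sha1_signed_packages | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample input shaped like rpm -qa output on the poster's
# host; the "bash" and "gpg-pubkey" lines are invented for the example.
sample_rpm_output() {
    printf '%s\t%s\t%s\n' \
        postgresql16-server 'DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8' '(none)' \
        postgresql16-libs   'DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID 1f16d2e1442df0f8' '(none)' \
        pgdg-redhat-repo    'DSA/SHA1, Thu 14 Sep 2023 02:41:37 PM CEST, Key ID 1f16d2e1442df0f8' '(none)' \
        bash                'RSA/SHA256, Tue 09 Jan 2024 03:12:44 PM CET, Key ID 0123456789abcdef' '(none)' \
        gpg-pubkey          '(none)' '(none)'
}

# --demo runs the filter on the constructed data; --stdin filters real
# rpm -qa output piped in. With no argument nothing runs (safe to source).
case "${1:-}" in
    --demo)
        sample_rpm_output | sha1_signed_packages
        echo "SHA-1 signed packages: $(sample_rpm_output | count_sha1_signed)"
        ;;
    --stdin)
        sha1_signed_packages
        ;;
esac
```

Run it on a live host with `rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n' | sh check-sha1-sigs.sh --stdin` (the file name is arbitrary). Two caveats on the workarounds the report mentions: the non-default crypto policy that re-enables SHA-1 on OL 9 / RHEL 9 is `update-crypto-policies --set DEFAULT:SHA1`, and it is system-wide (it also loosens TLS, Kerberos and the like), so treat it as a bridge only until the packages are replaced, then return to `update-crypto-policies --set DEFAULT`; and disabling signature checks in dnf/rpm removes the only integrity check on those packages, which is a worse trade than temporarily reinstalling from the distribution repository.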