public inbox for [email protected]
help / color / mirror / Atom feedOracle Linux 9 Detected RPMs with RSA/SHA1 signature
2+ messages / 2 participants
[nested] [flat]
* Oracle Linux 9 Detected RPMs with RSA/SHA1 signature
@ 2024-06-12 09:54 Hans Schou <[email protected]>
2024-06-12 14:34 ` Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature Adrian Klaver <[email protected]>
0 siblings, 1 reply; 2+ messages in thread
From: Hans Schou @ 2024-06-12 09:54 UTC (permalink / raw)
To: pgsql-general
Hi
On my test server I have Oracle Linux 8.10 installed.
Here I have installed postgresql 16.1 from postgresql.org repository.
Upgrade to Oracle Linux 9:
When doing a »leapp preupgrade --oraclelinux« I get the message below.
I want to have postgresql.org as my repo for PostgreSQL and Oracle Linux
for the rest. But it fails due to this SHA1 signature.
As Oracle Linux 8 since April 2024 now have PostgreSQL 16.1 in the repo I
could just disable the pg-repo and use the ol-repo. But is this the
recommended way to do it?
Output from /var/log/leapp/leapp-report.txt
Risk Factor: high (inhibitor)
Title: Detected RPMs with RSA/SHA1 signature
Summary: Digital signatures using SHA-1 hash algorithm are no longer
considered secure and are not allowed to be used on OL 9 systems by
default. This causes issues when using DNF/RPM to handle packages with
RSA/SHA1 signatures as the signature cannot be checked with the default
cryptographic policy. Any such packages cannot be installed, removed, or
replaced unless the signature check is disabled in dnf/rpm or SHA-1 is
enabled using non-default crypto-policies. For more information see the
following documents:
- Major changes in OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.ht...
- Security Considerations in adopting OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditional...
The list of problematic packages:
- libpq5 (DSA/SHA1, Fri 15 Sep 2023 12:11:13 PM CEST, Key ID
1f16d2e1442df0f8)
- postgresql16 (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID
1f16d2e1442df0f8)
- pgdg-redhat-repo (DSA/SHA1, Thu 14 Sep 2023 02:41:37 PM CEST, Key ID
1f16d2e1442df0f8)
- postgresql16-libs (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key ID
1f16d2e1442df0f8)
- postgresql16-contrib (DSA/SHA1, Mon 20 Nov 2023 10:56:23 AM CET, Key
ID 1f16d2e1442df0f8)
- postgresql16-server (DSA/SHA1, Mon 20 Nov 2023 10:56:22 AM CET, Key
ID 1f16d2e1442df0f8)
Related links:
- Major changes in OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-NewFeaturesandChanges.ht...
- Security Considerations in adopting OL 9:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/security/security-ImplementingAdditional...
Remediation: [hint] It is recommended that you contact your package vendor
and ask them for new builds signed with supported signatures and install
the new packages before the upgrade. If this is not possible you may
instead remove the incompatible packages.
Key: f16f40f49c2329a2691c0801b94d31b6b3d4f876
--
𝕳𝖆𝖓𝖘 𝕾𝖈𝖍𝖔𝖚
☏ ➁➁ ➅➃ ➇⓪ ➁⓪
^ permalink raw reply [nested|flat] 2+ messages in thread
* Re: Oracle Linux 9 Detected RPMs with RSA/SHA1 signature
2024-06-12 09:54 Oracle Linux 9 Detected RPMs with RSA/SHA1 signature Hans Schou <[email protected]>
@ 2024-06-12 14:34 ` Adrian Klaver <[email protected]>
0 siblings, 0 replies; 2+ messages in thread
From: Adrian Klaver @ 2024-06-12 14:34 UTC (permalink / raw)
To: Hans Schou <[email protected]>; pgsql-general
On 6/12/24 02:54, Hans Schou wrote:
> Hi
>
> On my test server I have Oracle Linux 8.10 installed.
> Here I have installed postgresql 16.1 from postgresql.org
> <http://postgresql.org; repository.
>
> Upgrade to Oracle Linux 9:
> When doing a »leapp preupgrade --oraclelinux« I get the message below.
>
> I want to have postgresql.org <http://postgresql.org; as my repo for
> PostgreSQL and Oracle Linux for the rest. But it fails due to this SHA1
> signature.
>
> As Oracle Linux 8 since April 2024 now have PostgreSQL 16.1 in the repo
> I could just disable the pg-repo and use the ol-repo. But is this the
> recommended way to do it?
>
Take a look at:
https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/
Also the contact info for the RH packagers:
https://yum.postgresql.org/contact/
--
Adrian Klaver
[email protected]
^ permalink raw reply [nested|flat] 2+ messages in thread
end of thread, other threads:[~2024-06-12 14:34 UTC | newest]
Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2024-06-12 09:54 Oracle Linux 9 Detected RPMs with RSA/SHA1 signature Hans Schou <[email protected]>
2024-06-12 14:34 ` Adrian Klaver <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox