[
https://issues.apache.org/jira/browse/CASSANDRA-18986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17781410#comment-17781410
]
Ekaterina Dimitrova commented on CASSANDRA-18986:
-------------------------------------------------
This is the official instruction; it also contains a section about the KEYS file,
you might want to check the details.
https://infra.apache.org/release-signing.html
But one thing is:
“Since users may need the KEYS file to check signatures for archived releases,
it is important to retain in the file all keys that have ever been used to sign
releases. Add entries with each new key the project uses, but do not remove
entries.”
> SHA1 keys prevent installation on RHEL 9
> ----------------------------------------
>
> Key: CASSANDRA-18986
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18986
> Project: Cassandra
> Issue Type: Bug
> Components: Packaging
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> Due to the presence of SHA1 keys they have to be explicitly allowed before C*
> can be installed on RHEL 9-based systems:
> {quote}
> Importing GPG key 0xF2833C93:
> Userid : "Eric Evans <[email protected]>"
> Fingerprint: CEC8 6BB4 A0BA 9D0F 9039 7CAE F835 8FA2 F283 3C93
> From : https://downloads.apache.org/cassandra/KEYS
> Is this ok [y/N]: y
> Key imported successfully
> Importing GPG key 0x8D77295D:
> Userid : "Eric Evans <[email protected]>"
> Fingerprint: C496 5EE9 E301 5D19 2CCC F2B6 F758 CE31 8D77 295D
> From : https://downloads.apache.org/cassandra/KEYS
> Is this ok [y/N]: y
> Key imported successfully
> Importing GPG key 0x2B5C1B00:
> Userid : "Sylvain Lebresne (pcmanus) <[email protected]>"
> Fingerprint: 5AED 1BF3 78E9 A19D ADE1 BCB3 4BD7 36A8 2B5C 1B00
> From : https://downloads.apache.org/cassandra/KEYS
> Is this ok [y/N]: y
> warning: Signature not supported. Hash algorithm SHA1 not available.
> Key import failed (code 2). Failing package is: cassandra-4.0.11-1.noarch
> GPG Keys are configured as: https://downloads.apache.org/cassandra/KEYS
> The downloaded packages were saved in cache until the next successful
> transaction.
> You can remove cached packages by executing 'yum clean packages'.
> Error: GPG check FAILED
> {quote}
> This can be worked around by allowing SHA1:
> {quote}
> update-crypto-policies --set DEFAULT:SHA1
> {quote}
> https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
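
An added example, not part of the original thread or the Cassandra project's tooling: since old keys must stay in the KEYS file, one way to see which entries would trip the RHEL 9 policy is to scan the text printed by `gpg --list-packets` for signatures made with SHA1 (OpenPGP digest algo 2). The sample input and its key IDs are constructed, and the function name `weak_signatures` is hypothetical.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}

# Constructed sample in the layout printed by `gpg --list-packets`;
# the key IDs and user IDs are made up, not taken from the Cassandra KEYS file.
SAMPLE = """\
:public key packet:
\tversion 4, algo 17, created 1262304000, expires 0
\tkeyid: 1111111111111111
:user ID packet: "Constructed Signer One <one@example.invalid>"
:signature packet: algo 17, keyid 1111111111111111
\tversion 4, created 1262304000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 3a 9c
:public key packet:
\tversion 4, algo 1, created 1577836800, expires 0
\tkeyid: 2222222222222222
:user ID packet: "Constructed Signer Two <two@example.invalid>"
:signature packet: algo 1, keyid 2222222222222222
\tversion 4, created 1577836800, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 51 0e
"""

def weak_signatures(packets_text):
    """Return (primary_keyid, user_id, hash_name) for each weak-hash signature."""
    findings, primary, uid, in_pubkey, in_sig = [], None, None, False, False
    for line in packets_text.splitlines():
        if line.startswith(":"):          # a new packet header
            in_pubkey = line.startswith(":public key packet:")
            in_sig = line.startswith(":signature packet:")
            if in_pubkey:                 # a new primary key begins here
                primary, uid = None, None
            m = re.match(r':user ID packet: "(.*)"', line)
            if m:
                uid = m.group(1)
            continue
        body = line.strip()
        if in_pubkey and body.startswith("keyid:"):
            primary = body.split()[1]
        m = re.match(r"digest algo (\d+)", body)
        if in_sig and m:
            name = HASH_ALGOS.get(int(m.group(1)), "unknown(%s)" % m.group(1))
            if name in WEAK:
                findings.append((primary, uid, name))
    return findings
```

On the constructed sample this reports only the first key, whose self-signature uses SHA1; the second key's SHA256 signature passes.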