Apologies for not threading this in properly.  I signed up to this mailing list 
just now specifically to complain.

Certain packages in the RHEL7 DSU_18.06.00 packages are signed with the key 
1285491434D8786F which appears to be the Debian/Ubuntu signing key.  This is 
breaking both upgrades (moderately annoying) and new installations (super 
annoying).

In regard to Chandra's email:

* Yes, this is very challenging and inconvenient. We would very much prefer that the release be rolled back until fixed.
* It is possible to do SHA-2 signatures with the existing DSU key.
* Changing the keys used to sign your packages is not a minor change, because all established trust configurations must be updated.
* Dell's documented process for setting up new systems doesn't work, because it only installs the 1024-bit DSU key.
* It is true that the current DSU GPG key is 1024 bits, which is too small. It is true that the current signatures are SHA-1, which is too weak. Signing should migrate to a 2048- or 4096-bit key with SHA-2, but this needs to be planned and communicated.
* Improving the security of your packages requires that all packages (not just some) be signed with a stronger key with a stronger signature. So long as we are required to trust a weak key, having some packages signed by a strong key doesn't improve security at all.

Again, please back out the RHEL7 release. It's broken, and we have to stop 
tracking you until the dsu symlink points at a working release.

james
_______________________________________________
Linux-PowerEdge mailing list
Linux-PowerEdge@dell.com
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
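The mixed-key situation James describes (some packages in a repository signed by an unexpected key, others still carrying SHA-1 signatures) is something a mirror operator can check for before pointing yum at a new DSU release. The script below is an added example, not code from the thread or from Dell: it parses the text that `rpm -qp --qf '%{SIGPGP:pgpsig}'` prints for each package, reports any package whose signing key is not on an allow-list or whose digest is SHA-1/MD5, and returns non-zero so it can gate a sync job. The allow-listed key ID is a placeholder; the key ID 1285491434d8786f in the comments is the one named in the message.

```shell
#!/bin/sh
# Added example: audit RPM signature metadata for an unexpected signing key or
# a weak digest. classify_sig needs no rpm binary; audit_dir shells out to rpm.

# Long key IDs (16 hex chars, lower case) the repository is expected to use.
# PLACEHOLDER: replace with the ID of the key you actually trust for DSU.
ALLOWED_KEY_IDS="${ALLOWED_KEY_IDS:-0123456789abcdef}"

# classify_sig <pgpsig-string>
# Input is rpm's pgpsig text, e.g.
#   "RSA/SHA256, Thu 01 Mar 2018 10:00:00 AM UTC, Key ID 1285491434d8786f"
# Prints OK, UNTRUSTED_KEY, WEAK_DIGEST, UNTRUSTED_KEY+WEAK_DIGEST or UNSIGNED.
classify_sig() {
    sig=$1
    case $sig in
        ""|"(none)") echo UNSIGNED; return 0 ;;
    esac
    algo=${sig%%,*}            # first field, e.g. RSA/SHA256 or DSA/SHA1
    digest=${algo#*/}          # hash algorithm after the slash
    keyid=$(printf '%s' "${sig##* }" | tr 'A-F' 'a-f')   # last token
    status=""
    case " $ALLOWED_KEY_IDS " in
        *" $keyid "*) ;;                       # key is on the allow-list
        *) status="UNTRUSTED_KEY" ;;
    esac
    case $digest in
        SHA1|MD5) status="${status:+$status+}WEAK_DIGEST" ;;
    esac
    echo "${status:-OK}"
}

# audit_dir <directory>: classify every .rpm in the directory.
# Falls back to the SIGGPG tag for DSA-signed packages. Returns 1 if any
# package is not OK, so a mirror job can refuse to publish the release.
audit_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        sig=$(rpm -qp --qf '%|SIGPGP?{%{SIGPGP:pgpsig}}:{%{SIGGPG:pgpsig}}|' "$f" 2>/dev/null)
        verdict=$(classify_sig "$sig")
        printf '%s\t%s\t%s\n' "$verdict" "$(basename "$f")" "$sig"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}
```

Run as `ALLOWED_KEY_IDS="<your key id>" sh audit.sh` after adding `audit_dir /path/to/mirror` at the bottom; one line per package is printed and the exit status tells the caller whether the release is safe to expose.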
