IPU 9 -> 10: obsolete GPG key with SHA1 signature #1325


@pirat89 (Member) commented Jan 10, 2025

When upgrading to RHEL 10, we have an analogical problem as we had for IPU 8 -> 9 due to GPG keys with SHA1 signatures. The SHA1 algorithm is considered insecure since RHEL 9 and all RPMs are required to be signed by keys with SHA2 signatures. The RHEL 9 GPG (auxiliary) key is unfortunately still signed with SHA1 and RHEL 10 tooling refuses to use it for any operations.

To resolve this, apply the same solution as we did in the past:

  • obsolete original key
  • install the target RHEL 10 GPG keys during the upgrade

jira: RHEL-71517

TODO

  • add RHEL 10 GPG key to the trusted dir
    • checked, that present keys are already really the correct ones
  • test this manually to see whether it's complete or not :)
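
One way to see which hash algorithm the signatures inside a public key use, as an added example that is not part of this PR or of Leapp: it parses the text layout printed by `gpg --list-packets` and flags signature packets made with SHA1 (and, going slightly beyond the PR, MD5). The sample listing, key ID and function names are constructed for illustration.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass (0x[0-9a-fA-F]+)")
DIGEST_RE = re.compile(r"^\s+digest algo (\d+)")

# Constructed sample in the layout printed by `gpg --list-packets`;
# the key ID and timestamps are made up.
SAMPLE = (
    ":public key packet:\n"
    "\tversion 4, algo 1, created 1700000000, expires 0\n"
    ':user ID packet: "Constructed Key <key@example.com>"\n'
    ":signature packet: algo 1, keyid AAAAAAAAAAAA0001\n"
    "\tversion 4, created 1700000000, md5len 0, sigclass 0x13\n"
    "\tdigest algo 2, begin of digest 0c 1a\n"
    ":public sub key packet:\n"
    ":signature packet: algo 1, keyid AAAAAAAAAAAA0001\n"
    "\tversion 4, created 1700000000, md5len 0, sigclass 0x18\n"
    "\tdigest algo 8, begin of digest 5f 21\n"
)


def parse_signatures(listing):
    """Return one dict per signature packet found in the listing."""
    sigs, current = [], None
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            current = {"issuer": m.group(1).upper(), "sigclass": None, "hash": None}
            sigs.append(current)
        elif line.startswith(":"):   # a different packet type begins
            current = None
        elif current is not None:
            c, d = CLASS_RE.search(line), DIGEST_RE.match(line)
            if c:
                current["sigclass"] = c.group(1).lower()
            if d:
                algo = int(d.group(1))
                current["hash"] = HASH_NAMES.get(algo, "unknown(%d)" % algo)
    return sigs


def weak_signatures(listing):
    """Signatures made with MD5 or SHA1; SHA1 is the case discussed in this PR."""
    return [s for s in parse_signatures(listing) if s["hash"] in WEAK_HASHES]
```

On a real system the input would be the output of `gpg --list-packets <keyfile>` for an exported public key; sigclass 0x13 is a user ID certification and 0x18 a subkey binding.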


Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
If you want to request a review or rebuild a package in copr, you can use the following commands as a comment:

  • review please @oamg/developers to notify leapp developers of the review request
  • /packit copr-build to submit a public copr build using packit

Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build.
However, here are additional useful commands for packit:

  • /packit test to re-run manually the default tests
  • /packit retest-failed to re-run failed tests manually
  • /packit test oamg/leapp#42 to run tests with leapp builds for the leapp PR#42 (default is latest upstream - main - build)

Note that first time contributors cannot run tests automatically - they need to be started by a reviewer.

It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported, beaker-minimal and kernel-rt, both can be used to be run on all upgrade paths or just a couple of specific ones.
To launch on-demand tests with packit:

  • /packit test --labels kernel-rt to schedule kernel-rt tests set for all upgrade paths
  • /packit test --labels beaker-minimal-8.10to9.4,kernel-rt-8.10to9.4 to schedule kernel-rt and beaker-minimal test sets for 8.10->9.4 upgrade path

See other labels for particular jobs defined in the .packit.yaml file.

Please open a ticket in case you experience a technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

When upgrading to RHEL 10, we have an analogical problem as we had for
IPU 8 -> 9 due to GPG keys with SHA1 signatures. The SHA1 algorithm
is considered insecure since RHEL 9 and all RPMs are required to be
signed by keys with SHA2 signatures. The RHEL 9 GPG (auxiliary) key
is unfortunately still signed with SHA1 and RHEL 10 tooling refuses
to use it for any operations.

To resolve this, apply the same solution as we did in the past:
* obsolete original key
* install the target RHEL 10 GPG keys during the upgrade

jira: RHEL-71517
@pirat89 pirat89 force-pushed the ipu9to10-fix-invalid-gpg-keys branch from 6acdd31 to 20257da Compare January 10, 2025 14:32
@pirat89 pirat89 marked this pull request as ready for review January 10, 2025 17:03
@pirat89 pirat89 requested a review from a team January 10, 2025 17:04
@pirat89 pirat89 added this to the 8.10/9.6 milestone Jan 10, 2025
@MichalHe (Member) left a comment

I have checked that the patch works, upgrading from 9.5 > 10.0 on AWS. Current upstream crashes as it fails to verify gpg signatures. Using a leapp build based on this PR proceeds with no problems, and the upgrade continues without problems, successfully upgrading to RHEL 10.

LGTM

@MichalHe (Member)

The failing 9>10 tests are not related to this PR, hence merging.

@MichalHe MichalHe merged commit 75b8b96 into oamg:main Jan 13, 2025
20 of 23 checks passed
@MichalHe MichalHe added the bug and changelog-checked labels Jan 13, 2025
@pirat89 pirat89 deleted the ipu9to10-fix-invalid-gpg-keys branch February 5, 2025 01:46