Tuesday, June 28, 2022

RHEL 9 Custom Image and GCP

If you run into:
Header V4 RSA/SHA1 Signature, key ID 3e1ba8d5: BAD

This is because RHEL 9 disables SHA-1 by default, but Google is publishing GPG keys and RPMs that rely on it.
Found the workaround over here: https://forums.centos.org/viewtopic.php?t=79048#p332382
You can check your current setting with:
cat /etc/crypto-policies/config

Then change it with:
update-crypto-policies --set DEFAULT:SHA1


For comparison, if you build a server from the CentOS Stream 9 image in GCP, it sets that to LEGACY.
I don't know off-hand if that's a CentOS or Google customization.
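
The check and the comparison above, as an added example that is not part of the original post: a POSIX shell script that reads the policy string and reports whether it accepts SHA-1 signatures. The function names are made up for this example, it assumes that on RHEL 9 only the LEGACY base policy or the SHA1 subpolicy enables SHA-1 signatures, and the policy strings in the loop are constructed samples.

```shell
#!/bin/sh
# Added example: classify a crypto-policies setting by whether it accepts SHA-1 signatures.

# Print the policy string from a config file, skipping comments and blank lines.
# Defaults to the path used in the post; pass another path to check a saved copy.
read_policy() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' \
        "${1:-/etc/crypto-policies/config}" | head -n 1
}

# Return 0 if the policy string (BASE[:SUBPOLICY...]) should accept SHA-1 signatures.
# Assumption: only the LEGACY base policy or the SHA1 subpolicy enables them on RHEL 9.
sha1_allowed() {
    policy=$1
    base=${policy%%:*}
    [ "$base" = "LEGACY" ] && return 0
    case "$policy" in
        *:*) subs=${policy#*:} ;;
        *)   subs= ;;
    esac
    old_ifs=$IFS; IFS=:
    for sub in $subs; do
        # Exact match only, so a subpolicy such as NO-SHA1 is not mistaken for SHA1.
        if [ "$sub" = "SHA1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# One-line verdict for a policy string.
describe_policy() {
    if sha1_allowed "$1"; then
        echo "$1: SHA-1 signatures accepted"
    else
        echo "$1: SHA-1 signatures rejected (expect BAD on SHA-1 signed keys/RPMs)"
    fi
}

# Constructed sample values, then the live setting when the file exists.
for p in DEFAULT DEFAULT:SHA1 LEGACY FUTURE:NO-SHA1; do
    describe_policy "$p"
done
if [ -r /etc/crypto-policies/config ]; then
    describe_policy "$(read_policy)"
fi
```

Both DEFAULT:SHA1 and LEGACY apply system-wide (TLS and SSH libraries as well as RPM signature checks), and DEFAULT:SHA1 is the narrower of the two changes.
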
This also manifested as a problem with PackageKit importing the keys, with the error message appearing in Cockpit.
It still doesn't work though. :(
failed to parse public key for /var/cache/PackageKit/9.0/metadata/google-compute-engine-9-x86_64.tmp/yum-key.gpg

I'll try again sometime later.
