[ZendTo] Rocky 9 SHA1 Depreciation

Brad Beckenhauer BBecken at aafp.org
Thu Apr 25 22:27:58 BST 2024


Running Red Hat 9 64bit here.
These are my notes; your mileage may vary on Rocky.

Given the gpg key is signed as SHA1, this is the workaround I have been testing and it at least allows zendto to be installed.

# Show the system-wide crypto policy currently in effect
update-crypto-policies --show
DEFAULT

# The zendto package is signed using SHA1, which is not available in the "DEFAULT" crypto-policy.
# The zendto package will fail to install if the SHA1 cipher is not available to verify the package authenticity.
# Solution: Set crypto-policies to ALLOW SHA1 as a "signing" key, so the zendto package can be installed.
update-crypto-policies --set DEFAULT:SHA1

!!!! It is recommended to restart/reboot the system for the change of policies to fully take place.

Reboot the system.

Then login as user root.

# Check crypto-policies and make sure it supports SHA1.
update-crypto-policies --show
DEFAULT:SHA1

# Import zendto's SHA1 gpg signing key.  The rpm utility has its own key management.
rpm --import https://zend.to/files/zendto.gpg.asc

# Continue the zendto installation.
Install zendto.

You can remove the SHA1 support after the zendto key is added.  But I'm not sure what impact this may have during a zendto update.
update-crypto-policies --set DEFAULT
________________________________
From: ZendTo <zendto-bounces at zend.to> on behalf of Matthew Fey via ZendTo <zendto at zend.to>
Sent: Monday, February 5, 2024 9:24 AM
To: zendto at zend.to <zendto at zend.to>
Cc: Matthew Fey <matthewf at prolific.ca>
Subject: [ZendTo] Rocky 9 SHA1 Depreciation



When trying to run the installer on Rocky 9, installing the ZendTo package fails because the rpm is signed with SHA1, which is no longer supported by default in RHEL9 and equivalent.

Because of that, all further steps fail as the package and configuration files are never installed. I suspect this is the issue that Scott was having back in November when trying to do the same.



I could force the install to go through with the --nogpgcheck option, but I’d really rather avoid it.

Any chance of having the package updated soon with a SHA256 or SHA512 signature to take care of this going forward?



Thanks,



Matthew Fey, CCNA  |  Network System Administrator

Direct 204 697 6983
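
Added example, not part of the original thread and not ZendTo's own tooling: a pre-install check that combines the active crypto policy with the digest in an RPM's signature description and reports whether the install will be blocked, or whether the SHA1 subpolicy still needs reverting afterwards. The function names and verdict strings are hypothetical, and treating LEGACY as SHA-1-permitting is an assumption based on RHEL 9 behaviour.

```shell
#!/bin/sh
# Added example; function names and verdict strings are illustrative only.

# True when a policy string, as printed by `update-crypto-policies --show`,
# permits SHA-1 signatures: the SHA1 subpolicy, or LEGACY (assumed, per RHEL 9).
policy_allows_sha1() {
    case "$1" in
        LEGACY|LEGACY:*|*:SHA1|*:SHA1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the digest from an rpm signature description such as
# "RSA/SHA1, <date>, Key ID <id>". Prints NONE for "(none)" or unparsable input.
sig_digest() {
    sd_algo=${1%%,*}    # keep the text before the first comma, e.g. "RSA/SHA1"
    case "$sd_algo" in
        */*) printf '%s\n' "${sd_algo#*/}" | tr '[:lower:]' '[:upper:]' ;;
        *)   printf 'NONE\n' ;;
    esac
}

# Verdicts:
#   blocked-sha1    SHA-1 signature and the policy rejects it (the failure in this thread)
#   ok-then-revert  SHA-1 signature accepted only because the policy is weakened
#   revert-policy   signature digest is fine, but SHA-1 is still enabled system-wide
#   ok              SHA-2 digest under a policy that does not permit SHA-1
#   unsigned        nothing to verify; do not install
#   review-digest   any other digest; check it by hand
install_verdict() {
    case "$(sig_digest "$2")" in
        SHA1)
            if policy_allows_sha1 "$1"; then echo ok-then-revert; else echo blocked-sha1; fi ;;
        SHA256|SHA384|SHA512)
            if policy_allows_sha1 "$1"; then echo revert-policy; else echo ok; fi ;;
        NONE) echo unsigned ;;
        *)    echo review-digest ;;
    esac
}

# Live use on a RHEL 9 family host: ./check.sh package.rpm
if [ $# -ge 1 ] && command -v update-crypto-policies >/dev/null 2>&1; then
    policy=$(update-crypto-policies --show)
    sig=$(rpm -qpi "$1" 2>/dev/null | sed -n 's/^Signature *: //p')
    echo "policy=$policy signature=${sig:-(none)} verdict=$(install_verdict "$policy" "$sig")"
fi
```

Running it again after the install and after `update-crypto-policies --set DEFAULT` should no longer report ok-then-revert or revert-policy.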