MDEV-35836 (MariaDB Server)

Repository signing key unable to be imported on CentOS Stream 10

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Environment: CentOS Stream 10

    Description

      I'm unable to import the GPG signing key for the MariaDB repo in CentOS Stream 10.

      # rpm --import https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY
      

      error: Certificate CBCB082A1BB943DB:
        Policy rejects CBCB082A1BB943DB: No binding signature at time 2025-01-13T20:09:52Z
      error: https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY: key 1 import failed.
      

      After installing sequoia, downloading the GPG key, and examining it, the output shows a problem with the SHA-1 signature algorithm. I don't really understand why, as according to the documentation (https://mariadb.com/kb/en/yum/#importing-the-mariadb-gpg-public-key), this issue was fixed back in 2023.

      # dnf install -yq sequoia-sq
      # curl -OL https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY
      # sq inspect MariaDB-Server-GPG-KEY
      

      MariaDB-Server-GPG-KEY: OpenPGP Certificate.
       
            Fingerprint: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
                         Invalid: No binding signature at time 2025-01-13T20:13:29Z: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure
        Public-key algo: DSA
        Public-key size: 1024 bits
          Creation time: 2010-02-02 20:01:20 UTC
       
                 Subkey: D40485B86E6B5BDA57EF359E83940066672557E6
                         Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
                         because: SHA1 is not considered secure
                         Invalid: primary key: No binding signature at time 2025-01-13T20:13:29Z, because Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure
        Public-key algo: ElGamal
        Public-key size: 4096 bits
          Creation time: 2010-02-02 20:02:00 UTC
       
                 UserID: MariaDB Package Signing Key <package-signing-key@mariadb.org>
                         Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
                         because: SHA1 is not considered secure
         Certifications: 10, use --certifications to list
       
      Note: There is another block of armored OpenPGP data.
      Note: This is a non-standard extension to OpenPGP.
       
      MariaDB-Server-GPG-KEY: OpenPGP Certificate.
       
            Fingerprint: 177F4010FE56CA3336300305F1656F24C74CD1D8
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2016-03-30 17:45:15 UTC
              Key flags: certification, signing
       
                 Subkey: A6E773A1812E4B8FD94024AAC0F47944DE8F6914
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2016-03-30 17:45:15 UTC
              Key flags: transport encryption, data-at-rest encryption
       
                 UserID: MariaDB Signing Key <signing-key@mariadb.org>
         Certifications: 6, use --certifications to list
      

      Attempting to set the system security policy to "LEGACY" doesn't fix the issue, but does produce a different error.

      # update-crypto-policies --set LEGACY
      # rpm --import https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY
      

      error: Certificate CBCB082A1BB943DB:
        Policy rejects CBCB082A1BB943DB: Policy rejected asymmetric algorithm
      error: https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY: key 1 import failed.
      

      # sq inspect MariaDB-Server-GPG-KEY 
      

      MariaDB-Server-GPG-KEY: OpenPGP Certificate.
       
            Fingerprint: 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
                         Invalid: Policy rejected asymmetric algorithm: DSA1024 is not considered secure
        Public-key algo: DSA
        Public-key size: 1024 bits
          Creation time: 2010-02-02 20:01:20 UTC
       
                 Subkey: D40485B86E6B5BDA57EF359E83940066672557E6
                         Invalid: primary key: Policy rejected asymmetric algorithm, because DSA1024 is not considered secure
        Public-key algo: ElGamal
        Public-key size: 4096 bits
          Creation time: 2010-02-02 20:02:00 UTC
       
                 UserID: MariaDB Package Signing Key <package-signing-key@mariadb.org>
         Certifications: 10, use --certifications to list
       
      Note: There is another block of armored OpenPGP data.
      Note: This is a non-standard extension to OpenPGP.
       
      MariaDB-Server-GPG-KEY: OpenPGP Certificate.
       
            Fingerprint: 177F4010FE56CA3336300305F1656F24C74CD1D8
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2016-03-30 17:45:15 UTC
              Key flags: certification, signing
       
                 Subkey: A6E773A1812E4B8FD94024AAC0F47944DE8F6914
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2016-03-30 17:45:15 UTC
              Key flags: transport encryption, data-at-rest encryption
       
                 UserID: MariaDB Signing Key <signing-key@mariadb.org>
         Certifications: 6, use --certifications to list
      

      Reference to the blog post I used to troubleshoot: https://www.redhat.com/en/blog/updating-gpg-keys-for-fedora-and-rhel
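A pre-import check for the two conditions the sq output above reports, as an added example that is not part of this issue or of MariaDB's tooling: it walks the OpenPGP packets of an armored key file (both blocks, as in the MariaDB file) and flags what a strict crypto policy rejects, namely RSA/DSA/ElGamal keys below an assumed 2048-bit threshold and certification or binding signatures hashed with MD5 or SHA-1. The packet helpers and the sample key are constructed to mirror the shape of the rejected key; no partial-length or ECC key parsing is attempted.

```python
import base64
HASH = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 ids
PKALGO = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SIGTYPE = {0x10: "GenericCertification", 0x13: "PositiveCertification", 0x18: "SubkeyBinding"}

def dearmor(text):
    """Decode every armored block in the file; armor headers and =CRC24 lines are skipped."""
    out, b64, state = b"", [], 0            # state: 0 outside, 1 in armor headers, 2 in base64 body
    for line in text.splitlines():
        if line.startswith("-----BEGIN"): state, b64 = 1, []
        elif line.startswith("-----END"): out += base64.b64decode("".join(b64)); state = 0
        elif state == 1 and not line.strip(): state = 2
        elif state == 2 and not line.startswith("="): b64.append(line.strip())
    return out

def packets(data):
    i = 0                                    # yields (tag, body); old- and new-format headers
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                       # new format: tag in the low 6 bits
            tag, b = ctb & 0x3F, data[i]; i += 1
            if b < 192: ln = b
            elif b < 224: ln = ((b - 192) << 8) + data[i] + 192; i += 1
            elif b == 255: ln = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths are not supported")
        else:                                # old format: tag in bits 2-5, length size in bits 0-1
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
            ln = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + ln]; i += ln

def audit(armored, min_bits=2048, weak_hashes=(1, 2)):
    """List what a strict policy rejects: small RSA/DSA/ElGamal keys and MD5/SHA-1 signatures."""
    findings = []
    for tag, body in packets(dearmor(armored)):
        if tag in (6, 14) and body[0] == 4:  # v4 (sub)key: version, time(4), algo, first MPI bit count
            algo, bits = PKALGO.get(body[5], str(body[5])), int.from_bytes(body[6:8], "big")
            if algo in ("RSA", "DSA", "ElGamal") and bits < min_bits:
                findings.append(f"{'primary' if tag == 6 else 'subkey'} {algo}{bits} below {min_bits} bits")
        elif tag == 2 and body[0] == 4 and body[3] in weak_hashes:  # v4 sig: version, type, pk algo, hash
            findings.append(f"{SIGTYPE.get(body[1], hex(body[1]))} signature uses {HASH[body[3]]}")
    return findings

# Constructed sample shaped like the rejected key: DSA-1024 primary, ElGamal subkey, SHA-1 bindings.
_pkt = lambda tag, body: bytes([0x80 | (tag << 2) | 1, len(body) >> 8, len(body) & 0xFF]) + body  # old-format, 2-octet length
_key = lambda algo, bits: b"\x04" + bytes(4) + bytes([algo]) + bits.to_bytes(2, "big") + bytes(bits // 8)  # MPI zeroed
_sig = lambda sigtype, hash_id: bytes([4, sigtype, 17, hash_id]) + bytes(6) + b"\x00\x08\xab"  # empty subpackets
_RAW = (_pkt(6, _key(17, 1024)) + _pkt(13, b"Example Signing Key <example@example.invalid>")
        + _pkt(2, _sig(0x13, 2)) + _pkt(14, _key(16, 4096)) + _pkt(2, _sig(0x18, 2)))
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.encodebytes(_RAW).decode()
              + "=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")  # CRC24 line is a placeholder
```

Running `audit(open("MariaDB-Server-GPG-KEY").read())` on the real file should reproduce the DSA1024 and SHA1 complaints for the first certificate and nothing for the RSA-4096 one.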

          Activity

            There are no comments yet on this issue.

            People

              dbart Daniel Bartholomew
              anton.castelli Anton Castelli