
After upgrading some servers from RHEL8 to RHEL9 using the Leapp utility, there are some warnings after the upgrade in dnf and rpm: warning: Signature not supported. Hash algorithm SHA1 not available.

Every time I ran any of these commands I got these warnings:

[root@web ~]# rpm -q kernel
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
kernel-5.14.0-362.18.1.el9_3.x86_64
kernel-5.14.0-427.18.1.el9_4.x86_64
kernel-5.14.0-427.20.1.el9_4.x86_64
[root@web ~]# dnf repolist
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
Updating Subscription Management repositories.
repo id                          repo name
rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms    Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)

I don't know which package or what triggers this issue. The majority of the solutions available on the web involve re-enabling SHA1, which is effectively not a solution.

Also, all the packages are tagged with el9 except for some gpg-pubkey packages, so I think there's nothing from RHEL9 around.

[root@web ~]# rpm -qa | grep -v el9
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-a14fe591-578876fd
gpg-pubkey-d4082792-5b32db75

How can I trace the real issue to get rid of these warnings?

2 Answers

Alright, at least on all my servers this solved the issue:

rpm -e `rpm -qa | grep gpg-pubkey | xargs`

This command will forcefully remove all gpg-pubkey packages. This seems to be OK, because if the keys are missing they will be re-imported on the next dnf run. I've tested this on 20+ servers that were upgraded from RHEL8 using Leapp.

Query all packages for their signature. Anyone can add "el9" to a release string, not just RHEL.

rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' | grep SHA1

Old SHA1 signatures are probably from third-party repos. RHEL and Fedora have been using SHA256 or better for a while.

With any findings, be sure the packager is aware and working on RHEL 9 compatible signatures.

Remove any unneeded packages. Work around necessary packages with weak signatures by signing them yourself: download, verify, rpmsign --resign, add to a local repo. And of course this repo should verify with gpgcheck=1 and gpgkey. This only requires a host or two with legacy crypto policies, rather than all hosts.

dnf install --setopt=tsflags=nocrypto is a poor workaround, because you need to provide it every time or rpm will error. And having no signature checks at all is worse than having obsolete signature checks.

John Mahowald
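An added example that is not code from either answer above: it wraps the signature query from the second answer (rpm's %{SIGPGP:pgpsig} and %{SIGGPG:pgpsig} tags) in a small POSIX sh script and adds a parser over the output, so that the triage can be done before deciding between the first answer (dropping and re-importing gpg-pubkey packages) and the second (re-signing third-party packages). The parser lists which packages carry SHA1 signatures and which signing key each was made with; rpm prints a 16-hex-digit key ID, and the gpg-pubkey-XXXXXXXX package name uses its last 8 digits, so the output points straight at the gpg-pubkey entry to inspect. The sample output embedded in the script is constructed (the thirdparty-agent package and its key ID are placeholders in the format rpm emits), and the script only runs the real rpm query when rpm exists on the host.

```sh
#!/bin/sh
# Added example, not code from either answer on the page. Triage SHA1 package
# signatures on a RHEL9 host from `rpm -qa --qf ...` output.

# Same query format as the second answer.
QF='%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'

# Live query on the host; needs rpm. One package per line on stdout.
query_signatures() {
    rpm -qa --qf "$QF"
}

# From query output on stdin, print the NEVR of every package whose
# signature text names SHA1.
weak_sig_packages() {
    awk '/SHA1/ { print $1 }'
}

# From query output on stdin, print "<NEVR> <short-keyid>" for SHA1-signed
# packages. rpm prints "Key ID <16 hex digits>"; the gpg-pubkey package name
# carries the last 8 digits, so this is the gpg-pubkey-* entry to look at.
weak_sig_keys() {
    awk '/SHA1/ {
        for (i = 1; i < NF; i++)
            if ($i == "ID") { print $1, substr($(i + 1), 9, 8); break }
    }'
}

# Number of SHA1-signed packages in the query output on stdin.
weak_sig_count() {
    weak_sig_packages | wc -l | tr -d ' '
}

# Constructed sample output (not captured from a real host). The kernel line
# uses the Red Hat release key suffix seen on the page (fd431d51); the
# thirdparty-agent package and its key ID are placeholders.
SAMPLE='kernel-5.14.0-427.20.1.el9_4 RSA/SHA256, Tue 16 Apr 2024 10:00:00 AM UTC, Key ID 199e2f91fd431d51 (none)
thirdparty-agent-1.2-3.el9 RSA/SHA1, Mon 01 Jan 2024 09:00:00 AM UTC, Key ID 0123456789abcdef (none)
gpg-pubkey-fd431d51-4ae0493b (none) (none)'

# Use the live host when rpm is available, otherwise the constructed sample.
main() {
    if command -v rpm >/dev/null 2>&1; then
        query_signatures
    else
        printf '%s\n' "$SAMPLE"
    fi | weak_sig_keys
}

main
```

On a real host, run the script and compare each printed short key ID against `rpm -qa | grep gpg-pubkey`: packages whose key matches a vendor key that was imported under RHEL8 are candidates for the first answer's re-import, while packages signed with a third-party key belong in the second answer's re-sign-and-local-repo workflow.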