Fedora – F38 – ‘Old’ RPMs Gotcha, and Workaround..
Testing Fedora 38, and found a problem with some ‘legacy’ RPMs..
Fedora 38 now strictly enforces SHA256 for all RPMs, and older/third-party ones still using SHA1 throw an error:
# rpm -q webmin
error: rpmdbNextIterator: skipping h# 2316
Header V4 DSA/SHA1 Signature, key ID 11f63c51: BAD
Header SHA1 digest: OK
package webmin is not installed
But…:
# dnf install webmin
Last metadata expiration check: 3:54:28 ago on Mon 27 Feb 2023 01:05:06 PM PST.
Package webmin-2.013-1.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
A new webmin install also fails when the key import is attempted:
# rpm --import jcameron-key.asc
error: Certificate D97A3AE911F63C51:
Policy rejects D97A3AE911F63C51: Policy rejected asymmetric algorithm
error: jcameron-key.asc: key 1 import failed.
Older Fedora RPMs on an F38 system may also exhibit the same failures:
# rpm -qa |grep fc33
error: rpmdbNextIterator: skipping h# 1
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 7
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 8
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
It seems that Fedora RPMs from F34 onwards are OK, but any from F33 or earlier will fail..
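To see which signing keys are behind the rejected headers before deciding what to do about each package, the errors above can be grouped by key ID and algorithm. This is an added example, not part of the original post: the function names are this example's own, and the sample input is assembled from the rpm output quoted above.

```shell
#!/bin/sh
# Added example: group the "Signature ... BAD" errors that rpm prints
# (format as shown in the post) by signing key and algorithm.

# Reads rpm's error text on stdin. Prints one line per key/algorithm pair:
#   <key id> <algorithm> <class> <count> <skipped header numbers>
summarize_bad_sigs() {
    awk '
    /rpmdbNextIterator: skipping h#/ { hdr = $NF; next }
    /Signature, key ID .*: BAD/ {
        algo = $3                          # e.g. DSA/SHA1 or RSA/SHA256
        key = $(NF - 1); sub(/:$/, "", key)
        # Class only flags the algorithm string; it does not diagnose the cause.
        cls = (algo ~ "^DSA/|/SHA1$") ? "sha1-or-dsa" : "other"
        id = key " " algo " " cls
        if (count[id]++) hdrs[id] = hdrs[id] "," hdr
        else hdrs[id] = hdr
    }
    END { for (id in count) print id, count[id], hdrs[id] }
    ' | sort
}

# Run against the live rpm database (stderr only; package names discarded).
audit_rpmdb() {
    LC_ALL=C rpm -qa 2>&1 >/dev/null | summarize_bad_sigs
}

# Constructed sample, assembled from the error output quoted in the post.
sample_output() {
    cat <<'EOF'
error: rpmdbNextIterator: skipping h# 2316
Header V4 DSA/SHA1 Signature, key ID 11f63c51: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 1
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 7
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
error: rpmdbNextIterator: skipping h# 8
Header V4 RSA/SHA256 Signature, key ID 9570ff31: BAD
Header SHA256 digest: OK
EOF
}

sample_output | summarize_bad_sigs
```

On an affected system, audit_rpmdb produces the same summary from the installed package database.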
Background info on this can be found here: https://ask.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/31594
I tried the suggested workarounds from the article:
# update-crypto-policies --set DEFAULT:SHA1 (reboot)
and
# update-crypto-policies --set LEGACY (reboot)
– but the problem still persisted..
I eventually found a workaround – by downgrading the RPM subsystem to the Fedora 37 version..
# dnf downgrade rpm --releasever=37
………….
Downgrading:
python3-rpm x86_64 4.18.0-1.fc37 fedora 93 k
rpm x86_64 4.18.0-1.fc37 fedora 570 k
rpm-build x86_64 4.18.0-1.fc37 fedora 77 k
rpm-build-libs x86_64 4.18.0-1.fc37 fedora 94 k
rpm-libs x86_64 4.18.0-1.fc37 fedora 319 k
rpm-plugin-selinux x86_64 4.18.0-1.fc37 fedora 20 k
rpm-plugin-systemd-inhibit x86_64 4.18.0-1.fc37 fedora 20 k
rpm-sign-libs x86_64 4.18.0-1.fc37 fedora 27 k
And then all the ‘old’ RPMs were correctly identified, and could be uninstalled as required..
Robert Gadsdon. February 27th 2023.