{"id":3097,"date":"2023-02-27T17:21:08","date_gmt":"2023-02-28T01:21:08","guid":{"rendered":"https:\/\/rglinuxtech.com\/?p=3097"},"modified":"2023-02-27T17:21:08","modified_gmt":"2023-02-28T01:21:08","slug":"fedora-f38-old-rpms-gotcha-and-workaround","status":"publish","type":"post","link":"https:\/\/rglinuxtech.com\/?p=3097","title":{"rendered":"Fedora – F38 – ‘Old’ RPMs Gotcha, and Workaround.."},"content":{"rendered":"

Testing Fedora 38<\/strong>, and found a problem with some ‘legacy’ RPMs..<\/p>\n

Fedora 38 now strictly enforces SHA256 for all RPMs and older\/third-party ones still using SHA1 now throw an error:<\/p>\n

# rpm -q webmin<\/span><\/strong>
\nerror: rpmdbNextIterator: skipping h# 2316<\/span><\/strong>
\nHeader V4 DSA\/SHA1 Signature, key ID 11f63c51: BAD<\/span><\/strong>
\nHeader SHA1 digest: OK<\/span><\/strong>
\npackage webmin is not installed<\/span><\/strong>
\nBut…:
\n# dnf install webmin<\/span><\/strong>
\nLast metadata expiration check: 3:54:28 ago on Mon 27 Feb 2023 01:05:06 PM PST.<\/span><\/strong>
\nPackage webmin-2.013-1.noarch is already installed.<\/span><\/strong>
\nDependencies resolved.<\/span><\/strong>
\nNothing to do.<\/span><\/strong>
\nComplete!<\/span><\/strong><\/p>\n

A new webmin install also fails when the key import is attempted:
\n# rpm –import jcameron-key.asc<\/strong><\/span>
\nerror: Certificate D97A3AE911F63C51:<\/strong><\/span>
\nPolicy rejects D97A3AE911F63C51: Policy rejected asymmetric algorithm<\/strong><\/span>
\nerror: jcameron-key.asc: key 1 import failed.<\/strong><\/span><\/p>\n

Older Fedora RPMs on an F38 system may also exhibit the same failures:<\/p>\n

# rpm -qa |grep fc33<\/strong><\/span>
\nerror: rpmdbNextIterator: skipping h# 1<\/strong><\/span>
\nHeader V4 RSA\/SHA256 Signature, key ID 9570ff31: BAD<\/strong><\/span>
\nHeader SHA256 digest: OK<\/strong><\/span>
\nHeader SHA1 digest: OK<\/strong><\/span>
\nerror: rpmdbNextIterator: skipping h# 7<\/strong><\/span>
\nHeader V4 RSA\/SHA256 Signature, key ID 9570ff31: BAD<\/strong><\/span>
\nHeader SHA256 digest: OK<\/strong><\/span>
\nHeader SHA1 digest: OK<\/strong><\/span>
\nerror: rpmdbNextIterator: skipping h# 8<\/strong><\/span>
\nHeader V4 RSA\/SHA256 Signature, key ID 9570ff31: BAD<\/strong><\/span>
\nHeader SHA256 digest: OK<\/strong><\/span>
\nHeader SHA1 digest: OK<\/strong><\/span><\/p>\n

It seems that Fedora RPMs from F34 onwards are OK, but any from F33 or earlier will fail..<\/p>\n

Background info on this can be found here:\u00a0\u00a0 https:\/\/ask.fedoraproject.org\/t\/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification\/31594<\/a><\/p>\n

I tried the suggested workarounds from the article:
\n# update-crypto-policies –set DEFAULT:SHA1<\/span><\/strong>\u00a0 (reboot)
\nand
\n# update-crypto-policies –set LEGACY<\/span><\/strong>\u00a0\u00a0 (reboot)
\n– but the problem still persisted..<\/p>\n

I eventually found a workaround – by downgrading<\/span> the RPM subsystem to the Fedora 37 version..
\n# dnf downgrade rpm –releasever=37
\n………….
\nDowngrading:
\npython3-rpm x86_64 4.18.0-1.fc37 fedora 93 k
\nrpm x86_64 4.18.0-1.fc37 fedora 570 k
\nrpm-build x86_64 4.18.0-1.fc37 fedora 77 k
\nrpm-build-libs x86_64 4.18.0-1.fc37 fedora 94 k
\nrpm-libs x86_64 4.18.0-1.fc37 fedora 319 k
\nrpm-plugin-selinux x86_64 4.18.0-1.fc37 fedora 20 k
\nrpm-plugin-systemd-inhibit x86_64 4.18.0-1.fc37 fedora 20 k
\nrpm-sign-libs x86_64 4.18.0-1.fc37 fedora 27 k<\/strong><\/span><\/p>\n

And then all the ‘old’ RPMs were correctly identified, and could be uninstalled as required..<\/p>\n

Robert Gadsdon.\u00a0\u00a0 February 27th 2023.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Testing Fedora 38, and found a problem with some ‘legacy’ RPMs.. Fedora 38 now strictly enforces SHA256 for all RPMs and older\/third-party ones still using SHA1 now throw an error: # rpm -q webmin error: rpmdbNextIterator: skipping h# 2316 Header V4 DSA\/SHA1 Signature, key ID 11f63c51: BAD Header SHA1 digest: OK package webmin is not installed But…: …<\/span> Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,11,19,2541],"tags":[2545,2539,2542,2546,2544,2543,418],"class_list":["post-3097","post","type-post","status-publish","format-standard","hentry","category-fedora","category-hacks","category-opinion","category-workaround","tag-bad","tag-fedora-38","tag-old-rpm-gotcha","tag-rpm-downgrade","tag-sha1","tag-sha256","tag-workaround"],"_links":{"self":[{"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/posts\/3097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3097"}],"version-history":[{"count":1,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/posts\/3097\/revisions"}],"predecessor-version":[{"id":3098,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=\/wp\/v2\/posts\/3097\/revisions\/3098"}],"wp:attachment":[{"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rglinuxtech.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}