Bug 2059424

Summary: rpm compiled with openssl fails to import RPM-GPG-KEY-CentOS-SIG-Extras
Product: Red Hat Enterprise Linux 9
Reporter: Manu Bretelle <chantr4>
Component: distribution
Assignee: Brian Stinson <bstinson>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Stinson <bstinson>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: CentOS Stream
CC: ajb, bstinson, carl, cllang, daltonminer, davdunc, davide, davidmccheyne, dbelyavs, gary.buhrmaster, jwboyer, lisas, mercer, michel, ngompa13, phil, pmatilai, pmendezh, toracat
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: centos-stream-release-9.0-12.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-10 19:08:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Manu Bretelle 2022-03-01 02:01:55 UTC
Description of problem:


Version-Release number of selected component (if applicable): rpm-4.16.1.3-11.el9.x86_64


How reproducible: always


Steps to Reproduce:
1. Try to import `RPM-GPG-KEY-CentOS-SIG-Extras`
2. key fails to import: key 1 import failed.

Actual results:

# rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras 
error: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras: key 1 import failed.



Expected results:

successfully import the key.

Additional info:

pgpdump of RPM-GPG-KEY-centosofficial is available at https://pastebin.com/RMGc1cdw

RPM-GPG-KEY-CentOS-SIG-Extras https://pastebin.com/tbP2nPQb


# rpm -q libgcrypt openssl rpm
libgcrypt-1.10.0-2.el9.x86_64
openssl-3.0.1-12.el9.x86_64
rpm-4.16.1.3-11.el9.x86_64


When swapping `--with-crypto=openssl` to `--with-crypto=libgcrypt`, the problem does not reproduce.

I have not had the opportunity to dig through the exact reason this is failing with openssl, but speculate that the new key (created Wed Dec 15 23:09:47 PST 2021) uses a modern algo or such which is not handled by c9s openssl version.

Comment 1 Neal Gompa 2022-03-01 02:20:48 UTC
Note that the key *does* import on RPM 4.17.0 in Fedora Linux 36 (which links to OpenSSL 3.0)

Fedora Linux 36 reproducer:

ngompa@fedora ~> podman run --pull=always --rm -it fedora:36
Trying to pull registry.fedoraproject.org/fedora:36...
Getting image source signatures
Copying blob 9b4565f05748 done
Copying config c334c89acc done
Writing manifest to image destination
Storing signatures
[root@07581dff93bd /]# rpm -q openssl-libs
openssl-libs-3.0.0-1.fc36.x86_64
[root@07581dff93bd /]# rpm -q rpm
rpm-4.17.0-9.fc36.x86_64
[root@07581dff93bd /]# rpm --verbose --import https://raw.githubusercontent.com/xsuchy/distribution-gpg-keys/main/keys/centos/RPM-GPG-KEY-CentOS-SIG-Extras
[root@07581dff93bd /]# rpm -qi gpg-pubkey-1d997668-61bae63b
Name        : gpg-pubkey
Version     : 1d997668
Release     : 61bae63b
Architecture: (none)
Install Date: Tue Mar  1 02:16:51 2022
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Thu Dec 16 07:09:47 2021
Build Host  : localhost
Packager    : CentOS Extras SIG (https://wiki.centos.org/SpecialInterestGroup) <security>
Summary     : CentOS Extras SIG (https://wiki.centos.org/SpecialInterestGroup) <security> public key
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.17.0 (NSS-3)
[armored key data not preserved in this copy]
=RGYd
-----END PGP PUBLIC KEY BLOCK-----


CentOS Stream 9 reproducer:

ngompa@fedora ~> podman run --pull=always --rm -it centos:stream9
Trying to pull quay.io/centos/centos:stream9...
Getting image source signatures
Copying blob 972147051161 skipped: already exists
Copying config 1ddb9bedee done
Writing manifest to image destination
Storing signatures
[root@f367491929dc /]# rpm -q openssl-libs
openssl-libs-3.0.1-12.el9.x86_64
[root@f367491929dc /]# rpm -q rpm
rpm-4.16.1.3-11.el9.x86_64
[root@f367491929dc /]# rpm --verbose --import https://raw.githubusercontent.com/xsuchy/distribution-gpg-keys/main/keys/centos/RPM-GPG-KEY-CentOS-SIG-Extras
error: https://raw.githubusercontent.com/xsuchy/distribution-gpg-keys/main/keys/centos/RPM-GPG-KEY-CentOS-SIG-Extras: key 1 import failed.

The difference between Fedora and CentOS/RHEL here is that CS9 is further along on OpenSSL 3.0 (with 3.0.1) and Fedora has RPM 4.16.1.3 with some 4.17.0 backports.

Comment 2 Neal Gompa 2022-03-01 02:31:23 UTC
> The difference between Fedora and CentOS/RHEL here is that CS9 is further along on OpenSSL 3.0 (with 3.0.1) and Fedora has RPM 4.16.1.3 with some 4.17.0 backports.

Ugh, wow. I mean CS9 has OpenSSL 3.0.1 and RPM 4.16.1.3 with 4.17.0 backports, while Fedora has OpenSSL 3.0.0 and RPM 4.17.0.

Comment 3 Manu Bretelle 2022-03-01 02:34:46 UTC
As another datapoint, building rpm master on FC35 against `openssl-1.1.1l-2.fc35.x86_64`, the issue does not reproduce.

Comment 4 Carl George 🤠 2022-03-01 05:11:12 UTC
I tried several recent openssl builds, and it appears that -9 is where this got broken.

openssl-3.0.1-14.el9	fails
openssl-3.0.1-13.el9	fails
openssl-3.0.1-12.el9	fails
openssl-3.0.1-11.el9	fails
openssl-3.0.1-10.el9	fails
openssl-3.0.1-9.el9	fails
openssl-3.0.1-7.el9	works
openssl-3.0.1-5.el9	works
openssl-3.0.1-4.el9	works

I'm not sure if it's relevant or not, but I noticed that the RPM-GPG-KEY-centosofficial key is rsa4096, but the RPM-GPG-KEY-CentOS-SIG-Extras key is rsa2048.  Could openssl be blocking it because of this?

Comment 6 Panu Matilainen 2022-03-01 09:29:25 UTC

*** This bug has been marked as a duplicate of bug 2059101 ***

Comment 7 Clemens Lang 2022-03-01 10:14:23 UTC
This isn't a duplicate of the rpm or openssl bug, it's a bug in the centos-release package, which uses a SHA1 signature of a subkey that can also be used for signing. It's the equivalent of https://bugzilla.redhat.com/show_bug.cgi?id=2058497, except it shouldn't be assigned to redhat-release, but centos-release. There isn't a centos-release component in bugzilla as far as I can see, so I'm not sure where to send it.

The change that caused this to fail is https://bugzilla.redhat.com/show_bug.cgi?id=2031742, btw.

Comment 8 Clemens Lang 2022-03-01 10:29:49 UTC
I didn't want to change the resolution or component, but since I accidentally did that now, might as well re-open so that the redhat-release maintainers can hopefully re-assign this correctly.

Comment 9 Neal Gompa 2022-03-01 16:54:50 UTC
Can someone please remove the automatic redhat-private flag on this? There's nothing sensitive in this BZ.

Comment 12 Carl George 🤠 2022-03-10 19:08:16 UTC
This is fixed in centos-stream-release-9.0-12.el9, which is now available on the mirrors and in the latest container image.

[carl@teal:~]$ podman run -it --rm --pull always centos:stream9
Trying to pull quay.io/centos/centos:stream9...
Getting image source signatures
Copying blob f1891b8c8dcd skipped: already exists  
Copying config 44ffcc4ace done  
Writing manifest to image destination
Storing signatures
[root@9155e2b271cd /]# rpm -q centos-stream-release
centos-stream-release-9.0-12.el9.noarch
[root@9155e2b271cd /]# dnf --quiet repoquery --nvr --latest-limit 1 centos-stream-release
centos-stream-release-9.0-12.el9
[root@9155e2b271cd /]# rpm -q gpg-pubkey
package gpg-pubkey is not installed
[root@9155e2b271cd /]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
[root@9155e2b271cd /]# rpm -q gpg-pubkey
gpg-pubkey-1d997668-621e3cac
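The diagnosis in Comment 7 (the key's subkey binding signature is made with SHA1, which the newer CentOS Stream 9 OpenSSL refuses) and the fix in Comment 12 (a re-signed key, installed under a new gpg-pubkey release) can both be checked without rpm or OpenSSL by looking at the signature packets themselves. The following is an added example, not code from rpm, OpenSSL or the centos-release package. It parses OpenPGP packet framing and version 4 signature packets far enough to report each signature's type, hash algorithm and creation time, computes the key ID and the gpg-pubkey name rpm derives from them, and flags SHA1 signatures. The "sha1" flag is a plain check on the hash algorithm, not an emulation of the OpenSSL policy. The key it runs on is constructed inside the block (the RSA MPIs are dummies and nothing is cryptographically verified); with binding hash 2 it mirrors the shipped key, with 10 the re-signed one.

```python
"""Audit an OpenPGP public key's signatures for SHA1.  Added example, not rpm,
OpenSSL or centos-release code: parses packet framing (RFC 4880 4.2) and v4
signature packets (5.2.3).  The key built below is constructed, MPIs are dummies."""
import base64, hashlib, struct
from datetime import datetime, timezone

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "generic certification", 0x13: "positive certification", 0x18: "subkey binding"}
TAG_NAMES = {6: "public key", 13: "user id", 14: "public subkey"}  # packets a self-signature can cover

def dearmor(armored):
    """Raw packet bytes of an armored block; armor headers and the 5-char =CRC24 line are dropped."""
    inner = [l.strip() for l in armored.strip().splitlines()[1:-1]]      # drop BEGIN/END lines
    start = inner.index("") + 1 if "" in inner else 0
    return base64.b64decode("".join(l for l in inner[start:] if not (l.startswith("=") and len(l) == 5)))

def _read_length(buf, pos):
    """New-format packet/subpacket length at buf[pos] -> (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not handled")

def iter_packets(data):
    """Yield (tag, body) for every packet; GnuPG still emits old-format headers for key packets."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                                       # new format: tag in low 6 bits
            tag = ctb & 0x3F
            length, pos = _read_length(data, pos + 1)
        else:                                                # old format: tag bits 2-5, length width bits 0-1
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]   # type 3 (indeterminate) not handled
            length = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
            pos += 1 + width
        yield tag, data[pos:pos + length]
        pos += length

def parse_signature(body):
    """Type, hash algorithm and creation time (hashed subpacket type 2) of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, created, pos = body[6:6 + hashed_len], None, 0
    while pos < len(hashed):
        sub_len, pos = _read_length(hashed, pos)
        if hashed[pos] & 0x7F == 2 and sub_len == 5:
            created = struct.unpack(">I", hashed[pos + 1:pos + 5])[0]
        pos += sub_len
    when = None if created is None else datetime.fromtimestamp(created, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"type": SIG_TYPES.get(body[1], hex(body[1])), "hash": HASH_ALGOS.get(body[3], str(body[3])),
            "created": created, "created_utc": when}

def key_id_low32(key_body):
    """Low 32 bits of the v4 fingerprint (RFC 4880 12.2); rpm uses them as the gpg-pubkey version."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-4:].hex()

def audit(armored):
    """Return (gpg-pubkey name rpm would install the key as, list of signature dicts)."""
    keyid, subject, sigs = None, None, []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            keyid = key_id_low32(body)
        if tag in TAG_NAMES:
            subject = TAG_NAMES[tag]                         # what the following signatures cover
        elif tag == 2:
            sig = parse_signature(body)
            sig["over"], sig["sha1"] = subject, sig["hash"] == "SHA1"
            sigs.append(sig)
    # release = self-signature creation time: 61bae63b in Comment 1, 621e3cac after the re-sign in Comment 12
    return "gpg-pubkey-%s-%08x" % (keyid, sigs[0]["created"]), sigs

# ---- constructed sample key (not a real key; every body is < 192 bytes) ----
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body            # new-format header, 1-octet length

def _key_packet(created, modulus):                           # v4 RSA: version, time, algo 1, MPI n, MPI e
    mpi = lambda b: struct.pack(">H", len(b) * 8) + b
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(modulus) + mpi(b"\x01\x00\x01")

def _signature(sig_type, hash_algo, created):                # v4 sig: one creation-time subpacket, dummy MPI
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    return (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x20" + b"\x7F" * 4)

def build_sample_key(binding_hash):
    """Primary key + user ID certified with SHA512, then a subkey bound with binding_hash (2 = SHA1, 10 = SHA512)."""
    created = 0x61BAE63B                                     # 2021-12-16 07:09:47 UTC, the Build Date in Comment 1
    raw = (_packet(6, _key_packet(created, b"\xC1" * 32))
           + _packet(13, b"Example SIG <example@example.invalid>")
           + _packet(2, _signature(0x13, 10, created))
           + _packet(14, _key_packet(created, b"\xD2" * 32))
           + _packet(2, _signature(0x18, binding_hash, created)))
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

`audit(build_sample_key(2))` reports the user-ID certification as SHA512 and the subkey binding as SHA1 with `sha1` set, which is the shape Comment 7 describes; `audit(build_sample_key(10))` flags nothing. On a real file, `audit(open(path).read())` gives the same view that `gpg --list-packets` or the pgpdump output the reporter attached would show, with the hash algorithm of every self-signature spelled out, so a key can be checked before it is shipped to a host whose crypto policy refuses SHA1.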