Bug 1962234 - GPG generated with default algorithm is not accepted by rpm --addsign
Summary: GPG generated with default algorithm is not accepted by rpm --addsign
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rpm
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assignee: Michal Domonkos
QA Contact: Eva Mrakova
Docs Contact: Mariya Pershina
URL:
Whiteboard:
Depends On:
Blocks: 2001937
Reported: 2021-05-19 14:44 UTC by Jan Blazek
Modified: 2022-05-17 12:27 UTC (History)
Fixed In Version: rpm-4.16.1.3-4.el9
Doc Type: Enhancement
Doc Text:
RPM now supports the EdDSA public key algorithm
With this enhancement, the `rpm` command supports signing keys using the EdDSA public key algorithm. As a result, signing keys generated using EdDSA can now be used for signing and verifying packages. Note that, although signing keys using EdDSA are now supported, RSA continues to be the default public key algorithm in GnuPG.
Clone Of:
Clones: 2001937
Environment:
Last Closed: 2021-12-07 21:44:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Description Jan Blazek 2021-05-19 14:44:54 UTC
Description of problem:
In the upstream test suite for DNF (ci-dnf-stack), which we also use for RHEL downstream testing, we generate GPG keys with `gpg --quick-gen-key [...] default` to have sane default keys for every platform (RHEL 8, RHEL 9, Fedora).
Unfortunately, in RHEL 9 this key is not accepted by rpm --add-sign afterwards.

Although I can work around this by temporarily setting the key algorithm to, for example, dsa, I guess that the defaults for GPG keys in RHEL-9 are not correct.

Version-Release number of selected component (if applicable):
gnupg2-2.3.1-1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
gpg2 --batch --passphrase '' --quick-gen-key dnf-ci-gpg default default 0


Actual results:
+ gpg2 --batch --passphrase '' --quick-gen-key dnf-ci-gpg default default 0
gpg: directory '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg' created
gpg: keybox '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/pubring.kbx' created
gpg: /tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/trustdb.gpg: trustdb created
gpg: key 84FEB6FF8A687698 marked as ultimately trusted
gpg: directory '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/openpgp-revocs.d/9F6AEE8AE7C95E34E8F4031C84FEB6FF8A687698.rev'
[...]
+ rpm --addsign /opt/ci/dnf-behave-tests/fixtures/gpgkeys/../repos/dnf-ci-gpg/noarch/setup-2.12.1-1.fc29.noarch.rpm
warning: Could not set GPG_TTY to stdin: Inappropriate ioctl for device
error: Unsupported PGP pubkey algorithm 22

Expected results:
+ gpg2 --batch --passphrase '' --quick-gen-key dnf-ci-gpg default default 0
gpg: directory '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg' created
gpg: keybox '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/pubring.kbx' created
gpg: /tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/trustdb.gpg: trustdb created
gpg: key 84FEB6FF8A687698 marked as ultimately trusted
gpg: directory '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.Xtn5xdKjvi/gpghome/.gnupg/openpgp-revocs.d/9F6AEE8AE7C95E34E8F4031C84FEB6FF8A687698.rev'
+ rpm --addsign /opt/ci/dnf-behave-tests/fixtures/gpgkeys/../repos/dnf-ci-gpg/noarch/setup-2.12.1-1.fc29.noarch.rpm
warning: Could not set GPG_TTY to stdin: Inappropriate ioctl for device
warning: Could not set GPG_TTY to stdin: Inappropriate ioctl for device
/opt/ci/dnf-behave-tests/fixtures/gpgkeys/../repos/dnf-ci-gpg/noarch/setup-2.12.1-1.fc29.noarch.rpm:

Additional info:
Logs from building the test image on RHEL-9:
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2021/05/53675/5367529/9980957/125905578/taskout.log

Comment 1 Jakub Jelen 2021-05-20 07:00:36 UTC
> error: Unsupported PGP pubkey algorithm 22

It looks like the default public key algorithm indeed changed to EdDSA. I missed this in release notes, but it is indeed there for 2.3.0:

> * gpg: Switch to ed25519/cv25519 as default public key algorithms.

It would be great if rpm could support this algorithm. It already has the defines for it so it knows it exists, but it can probably not handle it.

Given that this is a new upstream default and rpm is the one failing to process the new signature, I think we should change this bug to rpm.

But we should not use it for signing real rpm packages in RHEL at least for the FIPS sake, where this algorithm is not allowed these days.
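
Added example, not part of this bug report or of the rpm project: a small Python parser that reads the leading key packet of a binary OpenPGP key (such as the output of `gpg --export`) and reports its public-key algorithm id, so a build pipeline can tell before calling `rpm --addsign` whether the key is one that an rpm without EdDSA support would reject as "Unsupported PGP pubkey algorithm 22". The two supported-algorithm sets are assumptions drawn from this report (RSA and DSA before the backport, EdDSA added after it), and the sample key bytes are constructed placeholders, not real keys.

```python
# OpenPGP public-key algorithm ids: RFC 4880 section 9.1, plus id 22 (EdDSA)
# from the RFC 4880bis draft, which is the "algorithm 22" rpm complained about.
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Assumed support sets: rpm before the backport (RSA, DSA) and after it (plus EdDSA).
RPM_SUPPORTED_OLD = {1, 17}
RPM_SUPPORTED_NEW = {1, 17, 22}


def parse_key_packet(data: bytes) -> dict:
    """Parse the first packet of a binary OpenPGP key (tag 5/6, v4): creation time and algorithm."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if hdr & 0x40:                              # new-format header (RFC 4880 4.2.2)
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                       # old-format header (RFC 4880 4.2.1)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        off = 1 + (1 << ltype)
        length = int.from_bytes(data[1:off], "big")
    body = data[off:off + length]
    if tag not in (5, 6):
        raise ValueError(f"packet tag {tag} is not a key packet")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo = body[5]                              # algorithm id follows version + 4-byte timestamp
    return {"created": int.from_bytes(body[1:5], "big"), "algo": algo,
            "algo_name": PUBKEY_ALGOS.get(algo, f"unknown ({algo})")}


def rpm_accepts_key(data: bytes, supported=RPM_SUPPORTED_OLD) -> bool:
    """True if an rpm supporting the given algorithm ids would accept this key."""
    return parse_key_packet(data)["algo"] in supported


# Constructed samples (not real keys): a v4 Ed25519 public-key packet carrying the
# Ed25519 OID and a zeroed placeholder point, and a v4 RSA packet with toy n and e.
ED25519_KEY = (bytes([0x98, 51, 4, 0x60, 0xA5, 0x1F, 0x00, 22, 9])
               + bytes.fromhex("2b06010401da470f01")       # OID 1.3.6.1.4.1.11591.15.1
               + bytes([0x01, 0x07, 0x40]) + bytes(32))    # MPI: 263 bits, 0x40 || point
RSA_KEY = bytes([0x98, 14, 4, 0x60, 0xA5, 0x1F, 0x00, 1,
                 0x00, 0x08, 0xC5, 0x00, 0x11, 0x01, 0x00, 0x01])   # n = 0xC5, e = 65537
```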

Comment 2 Michal Domonkos 2021-05-20 12:16:18 UTC
This is already supported upstream (RPM 4.17), so should be trivial to backport if need be:
https://github.com/rpm-software-management/rpm/commit/23770e1a4f28c56a31fe600cae332c77333b60b6

Comment 4 Simo Sorce 2021-05-24 21:32:25 UTC
Jakub,
I think we should consider reverting the default for RHEL-9 or it will be hard to deal with different defaults between FIPS and non-FIPS mode, unless 186-5 (draft) gets approved soon...

