RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2228185 - sa-update.cron GPG validation fails due to patch in gnupg2-2.3.3-3 that disables SHA-1
Summary: sa-update.cron GPG validation fails due to patch in gnupg2-2.3.3-3 that disab...
Keywords:
Status: CLOSED DUPLICATE of bug 2184640
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: spamassassin
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Martin Osvald 🛹
QA Contact: František Hrdina
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-01 16:55 UTC by Andrew Schorr
Modified: 2023-09-27 16:40 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-02 05:05:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-164045 0 None None None 2023-08-01 16:55:51 UTC

Description Andrew Schorr 2023-08-01 16:55:00 UTC 
Description of problem:
The sa-update.timer runs sa-update.service, but sa-update.service fails
because it cannot seem to import the gpg key.

Version-Release number of selected component (if applicable):
spamassassin-3.4.6-5.el9.x86_64


How reproducible:
always

Steps to Reproduce:
1. run manually as root: /usr/share/spamassassin/sa-update.cron
2. (note that one of the daemons must be running: mimedefang spamd amavisd spampd)
3.

Actual results:
gpg: key 4056A61A5244EC45: new key but contains no user ID - skipped
gpg: key 4056A61A5244EC45: new key but contains no user ID - skipped
Update available for channel updates.spamassassin.org: -1 -> 1911365
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz, success
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz.sha512, success
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz.asc, success
gpg: process '/bin/gpg2' finished: exit 2
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:

    24F434CE 

Perhaps you need to import the channel's GPG key?  For example:

    wget https://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

channel 'updates.spamassassin.org': GPG validation failed, channel failed
Update failed, exiting with code 4
01-Aug-2023 04:20:27: SpamAssassin: Update available, but download or extract failed


Expected results:
It should be able to import the keys and run the job.


Additional info:
I tried running the import manually as per the suggestion, but it gives the 
same error:
sh-5.1# cd /tmp
sh-5.1# wget https://spamassassin.apache.org/updates/GPG.KEY
--2023-08-01 12:54:20--  https://spamassassin.apache.org/updates/GPG.KEY
Resolving spamassassin.apache.org (spamassassin.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to spamassassin.apache.org (spamassassin.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4777 (4.7K) [application/pgp-keys]
Saving to: ‘GPG.KEY’

GPG.KEY             100%[===================>]   4.67K  --.-KB/s    in 0s      

2023-08-01 12:54:20 (16.2 MB/s) - ‘GPG.KEY’ saved [4777/4777]

sh-5.1# sa-update --import /tmp/GPG.KEY
gpg: key 4056A61A5244EC45: new key but contains no user ID - skipped
Comment 1 Andrew Schorr 2023-08-01 18:37:25 UTC 
If I run the underlying gpg2 command that's run by "sa-update --import", I see this:

gpg2 --homedir /etc/mail/spamassassin/sa-update-keys --import /tmp/GPG.KEY 
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 4056A61A5244EC45: 3 bad signatures
gpg: key 4056A61A5244EC45: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Invoking with --allow-weak-digest-algos seems to allow the import to succeed:

gpg2 --allow-weak-digest-algos --homedir /etc/mail/spamassassin/sa-update-keys --import /tmp/GPG.KEY 
gpg: key 4056A61A5244EC45: public key "updates.spamassassin.org Signing Key <release>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The sa-update.cron script still fails:

/usr/share/spamassassin/sa-update.cron
Terminated
Update available for channel updates.spamassassin.org: -1 -> 1911365
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz, success
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz.sha512, success
http: (curl) GET https://www.sa-update.pccc.com/1911365.tar.gz.asc, success
gpg: process '/usr/bin/gpg2' finished: exit 2
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel 'updates.spamassassin.org': GPG validation failed, channel failed
Update failed, exiting with code 4
01-Aug-2023 14:31:33: SpamAssassin

I'm guessing because it calls gpg internally and that also needs --allow-weak-digest-algos

It looks like maybe the problem here is that gnpug2 version 2.3.3-3 disabled SHA-1:

* Thu Mar 30 2023 Jakub Jelen <jjelen> - 2.3.3-3
- Mark SHA-1 digest as weak to follow SHA-1 disablement in RHEL9 (#2070722)
- Fix interaction with SSH by not requiring the MD5 digest (#2073567)
- Fix creation of AEAD packets (#2128058)

How to fix?
Comment 2 Andrew Schorr 2023-08-01 18:43:47 UTC 
So I downgraded to gnupg2-2.3.3-2.el9.x86_64.rpm, and now sa-update.cron works again.
So there's a conflict here.
Comment 3 Andrew Schorr 2023-08-01 19:05:49 UTC 
I guess one option is to patch the /usr/bin/sa-update script to invoke gpg2 with
the --allow-weak-digest-algos option:

--- sa-update.orig      2022-01-17 05:33:16.000000000 -0500
+++ sa-update   2023-08-01 15:00:29.908775065 -0400
@@ -354,6 +354,7 @@ if (defined $opt{'gpgkeyfile'}) {
 
 # At this point, we need to know where GPG is ...
 my $GPGPath;
+my $gpgopts = "--allow-weak-digest-algos";
 if ($GPG_ENABLED || $opt{'import'}) {
   # find GPG in the PATH
   # bug 4958: for *NIX it's "gpg", in Windows it's "gpg.exe"
@@ -916,7 +917,7 @@ foreach my $channel (@channels) {
 
     # TODO: we could also use "--keyserver pgp.mit.edu" or similar,
     # to autodownload missing keys...
-    my $CMD = "$GPGPath $gpghome --verify --batch ".
+    my $CMD = "$GPGPath $gpgopts $gpghome --verify --batch ".
         "--no-tty --status-fd=1 -q --logger-fd=1";
 
     unless (open(CMD, "$CMD $sig_file $content_file|")) {
@@ -1817,7 +1818,7 @@ sub import_gpg_key {
   my $gpghome = interpolate_gpghomedir();
   check_gpghomedir();
 
-  my $CMD = "$GPGPath $gpghome --batch ".
+  my $CMD = "$GPGPath $gpgopts $gpghome --batch ".
       "--no-tty --status-fd=1 -q --logger-fd=1 --import";
 
   unless (open(CMD, "$CMD $keyfile|")) {

I guess that probably fixes it, but I need to wait for another spamassassin update to know for sure.
Comment 4 Martin Osvald 🛹 2023-08-02 04:57:00 UTC 
Thank you very much for reporting this problem!

This is indeed due to gnupg2 dropping SHA1 support in 2.3.3-3, but I can see the maintainer of it soon realized there are still plenty of SHA1 keys in the wild so he reverted this change in gnupg2-2.3.3-4.el9:

https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/f011a7be8f3c6a5477f54242c924d920fb5876c8
https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/fac10d0d25c2f70085c4736552150e0eed4ffb6b
https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=32017

So if you upgrade to that version, that should fix this problem for you.
Comment 5 Martin Osvald 🛹 2023-08-02 05:05:12 UTC 
Given the information above, closing this as a duplicate of bug 2184640.

*** This bug has been marked as a duplicate of bug 2184640 ***
Comment 6 Andrew Schorr 2023-08-02 16:03:41 UTC 
(In reply to Martin Osvald 🛹 from comment #4)
> Thank you very much for reporting this problem!
> 
> This is indeed due to gnupg2 dropping SHA1 support in 2.3.3-3, but I can see
> the maintainer of it soon realized there are still plenty of SHA1 keys in
> the wild so he reverted this change in gnupg2-2.3.3-4.el9:
> 
> https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/
> f011a7be8f3c6a5477f54242c924d920fb5876c8
> https://gitlab.com/redhat/centos-stream/rpms/gnupg2/-/commit/
> fac10d0d25c2f70085c4736552150e0eed4ffb6b
> https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=32017
> 
> So if you upgrade to that version, that should fix this problem for you.

Hi, wow, so this is really weird. I don't see that new release of
gnupg2 in CentOS Stream 9. More surprisingly, I no longer see gnupg2-2.3.3-3
in the CentOS stream repository. When I list the gnupg2 packages in the baseos
repo, 2.3.3-3 has magically disappeared:

repoquery --disablerepo='*' --enablerepo=baseos gnupg2
gnupg2-0:2.3.1-3.el9.x86_64
gnupg2-0:2.3.3-1.el9.x86_64
gnupg2-0:2.3.3-2.el9.x86_64

Did they somehow retract gnupg2-2.3.3-3 instead of pushing out 2.3.3-4?
I didn't know that was a concept. How can people properly maintain the O/S
when updates disappear like that? Does dnf somehow know to downgrade?

Regards,
Andy
Comment 7 Martin Osvald 🛹 2023-08-02 16:27:29 UTC 
(In reply to Andrew Schorr from comment #6)
...
> > So if you upgrade to that version, that should fix this problem for you.
> 
> Hi, wow, so this is really weird. I don't see that new release of
> gnupg2 in CentOS Stream 9.

Ah sorry, yes, it didn't get released yet, but you can download and update it by hand from the:

https://kojihub.stream.centos.org/koji/buildinfo?buildID=32017

~~~
# dnf update https://kojihub.stream.centos.org/kojifiles/packages/gnupg2/2.3.3/4.el9/x86_64/gnupg2-2.3.3-4.el9.x86_64.rpm
~~~

> ... More surprisingly, I no longer see gnupg2-2.3.3-3
> in the CentOS stream repository. When I list the gnupg2 packages in the
> baseos
> repo, 2.3.3-3 has magically disappeared:
> 
> repoquery --disablerepo='*' --enablerepo=baseos gnupg2
> gnupg2-0:2.3.1-3.el9.x86_64
> gnupg2-0:2.3.3-1.el9.x86_64
> gnupg2-0:2.3.3-2.el9.x86_64
> 
> Did they somehow retract gnupg2-2.3.3-3 instead of pushing out 2.3.3-4?

It looks like they retracted it maybe due to this problem. Not sure about the process and how it is done though. This is more questions for bug 2184640.

> I didn't know that was a concept. How can people properly maintain the O/S
> when updates disappear like that? Does dnf somehow know to downgrade?

Again I am not fully sure about this, but dnf has metadata that can be updated and no longer contain info about this update/version.
Note You need to log in before you can comment on or make changes to this bug.