Closed kkeane closed 1 year ago
@kkeane We are aware of the issue with the SHA1 signing algorithm and are actively working to re-sign the agent package with a more secure hash algorithm. Estimated delivery is about the end of Q2, 2023.
A separate note: SSM Agent is not officially supporting RHEL9/Rocky Linux 9/AlmaLinux 9. Please refer to this link for more details: https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-operating-systems.html
The agent-ssm-agent* is signed using the insecure and long-deprecated SHA1 algorithm.
RHEL 9/AlmaLinux 9/Rocky 9 removed the SHA1 algorithm for signing packages and refuses to install the RPM even if GPG checking is disabled. Any FIPS-secured system is also affected.
Also see item #235 for some related issues (including the exact error message you get when trying to install the RPM on RHEL 9).
There is a workaround, but it seriously compromises security:
You can re-enable SHA1 by switching the whole system back to cipher-mode LEGACY (not providing the command here since this really, really shouldn't be done!)
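
An added example, not part of the original issue or of the SSM Agent project's code: a Python check that reads the hash algorithm out of an OpenPGP signature packet (RFC 4880), the format in which RPM package signatures are stored, so SHA1-signed packages can be flagged before they reach a RHEL 9 or FIPS host. It assumes the raw signature packet has already been extracted from the package; the function names and sample bytes are constructed for illustration.

```python
# Added example: identify the hash algorithm of an OpenPGP signature packet.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}   # RFC 4880, section 9.4
WEAK = {"MD5", "SHA1"}

def packet_body(packet):
    """Return (tag, body) of the first OpenPGP packet in `packet`."""
    if len(packet) < 2 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = packet[0]
    if first & 0x40:                          # new-format header
        tag, l0 = first & 0x3F, packet[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224 and len(packet) > 2:
            start, length = 3, ((l0 - 192) << 8) + packet[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("unsupported or truncated length")
    else:                                     # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                        # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(packet[1:1 + n], "big")
    body = packet[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def signature_hash(packet):
    """Name of the hash algorithm used by a v3 or v4 signature packet."""
    tag, body = packet_body(packet)
    if tag != 2:
        raise ValueError("not a signature packet")
    # v4: version, sig type, pubkey algo, hash algo
    # v3: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
    offset = {4: 3, 3: 16}.get(body[0] if body else None)
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature")
    return HASH_NAMES.get(body[offset], "unknown(%d)" % body[offset])

def is_weak(packet):
    return signature_hash(packet) in WEAK

# Constructed samples: real header fields, signature material zero-filled.
SAMPLE_SHA1 = b"\x89\x00\x0a" + bytes([4, 0, 1, 2]) + bytes(6)   # old format, v4
SAMPLE_SHA256 = b"\xc2\x0a" + bytes([4, 0, 1, 8]) + bytes(6)     # new format, v4

if __name__ == "__main__":
    for name, pkt in (("sample-sha1", SAMPLE_SHA1), ("sample-sha256", SAMPLE_SHA256)):
        print(name, signature_hash(pkt), "WEAK" if is_weak(pkt) else "ok")
```
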