amazon-ssm-agent using RPM SHA1 signature in RHEL8

aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).

https://aws.amazon.com/systems-manager/

Apache License 2.0

1.06k stars 326 forks source link

amazon-ssm-agent using RPM SHA1 signature in RHEL8 #529

Closed chenwany closed 1 year ago

chenwany commented 1 year ago

Hello We were contacted by a customer saying that amazon-ssm-agent uses RPM SHA1 signatures in RHEL8. https://github.com/aws/aws-parallelcluster/issues/5420 Sha1-signing is deprecated in RHEL9: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9. Does amazon-ssm-agent have any future plan to transition to a more secure signing algorithm such as SHA-256?

Thanks

sluggard76 commented 1 year ago

chenwany,

We are aware of the issue with signing algorithms and keys. We are working to change to better signing algorithm and longer key length. Right now the rough estimation is October but I'll provide better ECD later.