RHEL 9 repo packages are signed with SHA-1 which is disabled in RHEL 9

[hakong]

Describe the bug SHA-1 has been disabled by default in RHEL 9 due to insecurity, see: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Thruk Version n/a

To Reproduce Steps to reproduce the behavior:

1. Enable ConSol RHEL 9 stable repo on an RHEL 9 system
2. Attempt to install thruk

Expected behavior Packages should install.

Actual behavior Packages are not installed.

warning: Signature not supported. Hash algorithm SHA1 not available.
Error: GPG check FAILED

Screenshots

Desktop (please complete the following information): n/a

Additional context Add any other context about the problem here.

[sni]

does this look similar in your setup:

%> rpm -Kv libthruk-3.00-0.rhel9.x86_64.rpm 
libthruk-3.00-0.rhel9.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID a57b9ed7: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

%> sha256sum libthruk-3.00-0.rhel9.x86_64.rpm
bb3686848010ee2a86a9d858db053a658290fe86fe6996e50dddab5944a7cd07  libthruk-3.00-0.rhel9.x86_64.rpm

Looks like there is a sha512 signature.

i don't have any rhel9 available, it works fine on rocky 9 and alma 9. Is this a redhat thing?

[hakong]

Interesting. Just tested on a standalone system using the repo directly and that worked fine. In the original example the repository is mirrored using Foreman/Satellite and a client of that is trying to install thruk, and failing.

I switched over to the OpenSuse Build Service repo and that worked fine using Foreman/Satellite.

Using the repo directly:

ConSol labs repo: works OpenSuse Build Service: works

Using the repo from a Foreman mirror:

ConSol labs repo: fails OpenSuse Build Service works

I'll test this more at work next week.