This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SHA-1 algorithm no longer considered secure for RHEL9

SmaraMurgilasi
By
Level 2

Hello, 

We have a customer which is preparing to upgrade from RHEL8 to RHEL9 and has received the following warning:

Summary: Digital signatures using SHA-1 hash algorithm are no longer considered secure and are not allowed to be used on RHEL 9 systems by default. This causes issues when using DNF/RPM to handle packages with RSA/SHA1 signatures as the signature cannot be checked with the default cryptographic policy. Any such packages cannot be installed, removed, or replaced unless the signature check is disabled in dnf/rpm or SHA-1 is enabled using non-default crypto-policies. For more information see the following documents:

  - Major changes in RHEL 9: https://red.ht/rhel-9-overview-major-changes

  - Security Considerations in adopting RHEL 9: https://red.ht/rhel-9-security-considerationsRemediation: [hint] It is recommended that you contact your package vendor and ask them for new new builds signed with supported signatures and install the new packages before the upgrade. If this is not possible you may instead remove the incompatible packages.

In the case of RHEL9 Upgrade, do you have any guidance on how to proceed? 

Do you know of any timeline for Flexera to be provided with supported signing other than SHA-1?

Thanks you!

‎Mar 27, 2023 09:49 AM

(7) Replies

ChrisG
By Community Manager Community Manager
Community Manager

I'm not aware of any timeline for an update to the agent installer having been announced by Flexera.

You may want to consider creating a Idea in Flexera Ideas related to this to bring it to the attention of the Flexera Product team, and so that the level of interest in it can be assessed.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

‎Mar 27, 2023 07:51 PM

weskus
By
Level 5

FNMS agent is no longer supported in RHEL 9?

‎Aug 15, 2024 03:30 AM

0 Kudos

ChrisG
By Community Manager Community Manager
Community Manager
In response to weskus

Current FlexNet inventory agent versions support RHEL 9. You can find full details of operating systems supported by the 2024 R1 agent release here: https://docs.flexera.com/FlexNetManagerSuite2024R1/EN/SysReq/index.html#FNMS_sys_req/RN_sys_req_prereq.html

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

‎Aug 15, 2024 03:41 AM

0 Kudos

weskus
By
Level 5
In response to ChrisG

Not, due this unsecure SHA-1 packaging by Flexera. We have hit the same issue and SHA-1 signature check bypassing is not an option since its been completely cracked and hosting vendor and security organizations totally prevents it usage. 

‎Aug 15, 2024 04:56 AM

0 Kudos

mag00_75
By Level 8 Champion
Level 8 Champion

@weskus  I saw in 2024R1 agent that there should be SHA-2 support and a new PGP key. Which agent version are you running?

‎Aug 16, 2024 11:34 AM

weskus
By
Level 5
In response to mag00_75

Thanks, good to know. We are on 2023R2. 

‎Aug 19, 2024 01:48 AM

0 Kudos

mag00_75
By Level 8 Champion
Level 8 Champion
In response to weskus
Usually its possible running newer version of the agent connecting to a lower version of application.

However the next upgrade to 2024r2 will introduce new functionality which in certain cases require a newer beacon version. This is mentioned in the flexeraone/itam release notes

‎Aug 19, 2024 03:08 AM

0 Kudos
Top Kudoed Authors
View all