We have a customer who is preparing to upgrade from RHEL8 to RHEL9 and has received the following warning:
Summary: Digital signatures using SHA-1 hash algorithm are no longer considered secure and are not allowed to be used on RHEL 9 systems by default. This causes issues when using DNF/RPM to handle packages with RSA/SHA1 signatures as the signature cannot be checked with the default cryptographic policy. Any such packages cannot be installed, removed, or replaced unless the signature check is disabled in dnf/rpm or SHA-1 is enabled using non-default crypto-policies. For more information see the following documents:
- Major changes in RHEL 9: https://red.ht/rhel-9-overview-major-changes
- Security Considerations in adopting RHEL 9: https://red.ht/rhel-9-security-considerations
Remediation: [hint] It is recommended that you contact your package vendor and ask them for new builds signed with supported signatures and install the new packages before the upgrade. If this is not possible you may instead remove the incompatible packages.
In the case of RHEL9 Upgrade, do you have any guidance on how to proceed?
Do you know of any timeline for Flexera to be provided with supported signing other than SHA-1?
Mar 27, 2023 09:49 AM
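For anyone hitting the same leapp report, the practical first step is to find out which installed packages actually carry an RSA/SHA1 (or DSA/SHA1) signature, so that the vendor conversation and the "remove the incompatible packages" fallback can be scoped to a concrete list. The script below is an added example, not code from this thread, from Flexera or from Red Hat's leapp tooling: it queries rpm's signature tags with the `:pgpsig` output format (which rpm renders as strings such as `RSA/SHA256, <date>, Key ID <id>`) and reports packages whose signature hash is SHA1. The package names, dates and key IDs in `SAMPLE_SIGS` are constructed so the check runs offline; on a RHEL 8 host, feed `query_rpm_sigs` into `find_sha1_signed` instead.

```shell
#!/bin/sh
# Added example (not from the forum thread, Flexera or leapp): list installed RPMs
# whose signature was made with SHA-1, i.e. the packages that RHEL 9's DEFAULT
# crypto policy will refuse to verify. Run on the RHEL 8 host before upgrading.
#
# rpm renders a signature tag with the ":pgpsig" format as, for example,
#   "RSA/SHA256, Tue 14 Feb 2023 10:00:00 AM UTC, Key ID 1111222233334444"
#   "RSA/SHA1, Mon 01 Jun 2020 09:00:00 AM UTC, Key ID 5555666677778888"
# and prints "(none)" when a tag is absent. Four tags are queried because older
# v3-signed packages store the signature in SIGPGP/SIGGPG, newer v4-signed ones
# in RSAHEADER/DSAHEADER.

# Emit "NVRA|sig1|sig2|sig3|sig4" for every installed package (live rpm database).
query_rpm_sigs() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n'
}

# Read query_rpm_sigs output on stdin; print the NVRA of each package where any
# signature field was produced with SHA1. Completely unsigned packages ("(none)"
# in every field) are deliberately not reported: they are a different problem
# from the one the leapp report describes.
find_sha1_signed() {
    awk -F'|' '{
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(RSA|DSA)\/SHA1,/) { print $1; break }
        }
    }'
}

# Constructed sample of query_rpm_sigs output for an offline run. The package
# names, dates and key IDs below are made up and do not refer to real packages.
SAMPLE_SIGS='bash-4.4.20-4.el8.x86_64|RSA/SHA256, Tue 14 Feb 2023 10:00:00 AM UTC, Key ID 1111222233334444|(none)|(none)|(none)
vendor-agent-1.2.3-1.x86_64|RSA/SHA1, Mon 01 Jun 2020 09:00:00 AM UTC, Key ID 5555666677778888|(none)|(none)|(none)
legacy-tool-0.9-2.noarch|(none)|(none)|RSA/SHA1, Fri 03 May 2019 08:00:00 AM UTC, Key ID 9999aaaabbbbcccc|(none)
local-build-2.0-1.x86_64|(none)|(none)|(none)|(none)'

# Run the check over the constructed sample. On a real host use:
#   query_rpm_sigs | find_sha1_signed
sha1_packages() {
    printf '%s\n' "$SAMPLE_SIGS" | find_sha1_signed
}

sha1_packages
```

With the list in hand, the report's own options map onto ordinary commands: ask the vendor for re-signed builds and install them first, or `dnf remove` the listed packages before running leapp. Re-enabling SHA-1 on the RHEL 9 side (`update-crypto-policies --set DEFAULT:SHA1`) is the last resort the report mentions, and it weakens signature verification system-wide, not just for the one vendor package, so treat it as a temporary bridge rather than a fix.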
I'm not aware of any timeline for an update to the agent installer having been announced by Flexera.
You may want to consider creating an Idea in Flexera Ideas related to this to bring it to the attention of the Flexera Product team, and so that the level of interest in it can be assessed.
Mar 27, 2023 07:51 PM