
elastic gpgkey unusable on modern redhat/fedora derivatives #88326

Closed
drawks opened this issue Jul 6, 2022 · 3 comments
Labels
>bug :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts Team:Delivery Meta label for Delivery team

Comments


drawks commented Jul 6, 2022

Elasticsearch Version

Installed Plugins

No response

Java Version

bundled

OS Version

Linux localhost.localdomain 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Tue May 17 15:53:11 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

Similar to the issue in #58257, modern (version 8+) Red Hat derivatives reject the Elastic GPG key which is used to verify RPM packages from the Elastic yum/dnf repositories. Attempts to use the instructions provided fail at the step where the GPG key is imported into the system keychain:

[vagrant@localhost ~]$ sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
error: https://artifacts.elastic.co/GPG-KEY-elasticsearch: key 1 import failed.

On a hunch I tried enabling SHA-1 support per the redhat guidance:

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

and the key was imported without any complaints.

Similarly, with the default cryptographic profile set, packages from the Elastic repository will not install:

[root@localhost ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# yum install filebeat
Elasticsearch repository for 8.x packages                                                         6.9 MB/s |  12 MB     00:01
Last metadata expiration check: 0:00:04 ago on Wed Jul  6 18:51:02 2022.
Dependencies resolved.
==================================================================================================================================
 Package                       Architecture                Version                       Repository                          Size
==================================================================================================================================
Installing:
 filebeat                      x86_64                      8.3.1-1                       elasticsearch                       57 M

Transaction Summary
==================================================================================================================================
Install  1 Package

Total download size: 57 M
Installed size: 243 M
Is this ok [y/N]: y
Downloading Packages:
filebeat-8.3.1-x86_64.rpm                                                                         7.4 MB/s |  57 MB     00:07
----------------------------------------------------------------------------------------------------------------------------------
Total                                                                                             7.4 MB/s |  57 MB     00:07
Elasticsearch repository for 8.x packages                                                          16 kB/s | 1.7 kB     00:00
GPG key at https://artifacts.elastic.co/GPG-KEY-elasticsearch (0xD88E42B4) is already installed
The GPG keys listed for the "Elasticsearch repository for 8.x packages" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: filebeat-8.3.1-1.x86_64
 GPG Keys are configured as: https://artifacts.elastic.co/GPG-KEY-elasticsearch
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

Again, enabling SHA-1 allows for the packages to install.

[root@localhost ~]# update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@localhost ~]# yum install filebeat
Last metadata expiration check: 0:00:39 ago on Wed Jul  6 18:51:02 2022.
Dependencies resolved.
==================================================================================================================================
 Package                       Architecture                Version                       Repository                          Size
==================================================================================================================================
Installing:
 filebeat                      x86_64                      8.3.1-1                       elasticsearch                       57 M

Transaction Summary
==================================================================================================================================
Install  1 Package

Total size: 57 M
Installed size: 243 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] filebeat-8.3.1-x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                          1/1
  Installing       : filebeat-8.3.1-1.x86_64                                                                                  1/1
  Running scriptlet: filebeat-8.3.1-1.x86_64                                                                                  1/1
  Verifying        : filebeat-8.3.1-1.x86_64                                                                                  1/1

Installed:
  filebeat-8.3.1-1.x86_64

Complete!
[root@localhost ~]# dnf install filebeat
Last metadata expiration check: 0:01:46 ago on Wed Jul  6 18:51:02 2022.
Package filebeat-8.3.1-1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

I'm no cryptowonk, but I'm left to believe that the Elastic signing key is overdue for replacement with a key which uses modern cryptographic standards.

Steps to Reproduce

  1. attempt to import the gpgkey into rpm: sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  2. observe failure
  3. enable SHA1: sudo update-crypto-policies --set DEFAULT:SHA1
  4. retry step 1 and observe success

Logs (if relevant)

Here is the dnf log showing the gpg verification failure

2022-07-06T18:51:16+0000 SUBDEBUG
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 67, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 106, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 130, in cli_run
    ret = resolving(cli, base)
  File "/usr/lib/python3.9/site-packages/dnf/cli/main.py", line 176, in resolving
    base.do_transaction(display=displays)
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 238, in do_transaction
    self.gpgsigcheck(install_pkgs)
  File "/usr/lib/python3.9/site-packages/dnf/cli/cli.py", line 305, in gpgsigcheck
    raise dnf.exceptions.Error(_("GPG check FAILED"))
dnf.exceptions.Error: GPG check FAILED
2022-07-06T18:51:16+0000 CRITICAL Error: GPG check FAILED
@drawks drawks added >bug needs:triage Requires assignment of a team area label labels Jul 6, 2022

drawks commented Jul 6, 2022

I think perhaps it might be possible to modify the preferences of the public key and republish with SHA1 removed from the digests.

gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/D27D666CD88E42B4
     created: 2013-09-16  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa2048/AB6B7FCB60D31954
     created: 2013-09-16  expires: never       usage: E
[ unknown] (1). Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>

gpg> showpref
[ unknown] (1). Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     AEAD:
     Digest: SHA256, SHA1, SHA384, SHA512, SHA224
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Need the secret key to do this.
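Added example, not code from this issue thread or from Elastic. The reproduction steps above (import fails under the DEFAULT policy, succeeds under DEFAULT:SHA1) and the gpg session above both point at the same question: which hash did the key's own signatures use? The showpref digest list only advertises what the key owner prefers others use; what rpm --import rejects on a DEFAULT-policy RHEL 9 / Fedora host is the hash of the key's self-signatures, which gpg --list-packets exposes as "digest algo N" on each signature packet. The script below parses such a dump, and an rpm -Kv report for a downloaded package, and reports every signature made with SHA-1 or MD5. The two sample dumps are constructed to have the shape of real output; they are not the real key's values, and the curl/gpg/rpm invocations in the comments assume network access and those tools being installed.

```shell
#!/bin/sh
# Added example, not code from the issue or from Elastic. Audits an OpenPGP
# public key (gpg --list-packets dump) and a package (rpm -Kv output) for
# signatures made with SHA-1 or MD5, which the RHEL 9 / Fedora DEFAULT
# crypto policy rejects. Digest algorithm ids are from RFC 4880 section 9.4:
# 1 = MD5, 2 = SHA1, 8 = SHA256, 9 = SHA384, 10 = SHA512, 11 = SHA224.
#
# Real-world use (assumes network access and gpg/rpm installed):
#   curl -fsSLO https://artifacts.elastic.co/GPG-KEY-elasticsearch
#   gpg --list-packets GPG-KEY-elasticsearch | weak_signatures
#   rpm -Kv filebeat-8.3.1-x86_64.rpm | weak_rpm_signatures

# Read a gpg --list-packets dump on stdin and print "<signer keyid> <sigclass>
# <digest>" for every signature packet hashed with MD5 or SHA-1. sigclass 0x13
# is the self-signature binding a user ID, 0x18 the subkey binding; these are
# the signatures rpm --import has to verify.
weak_signatures() {
    awk '
        /^:signature packet:/ { insig = 1; keyid = $NF; sigclass = "?"; next }
        /^:/                  { insig = 0; next }
        insig && /sigclass/   { sigclass = $NF; next }
        insig && $1 == "digest" && $2 == "algo" {
            algo = $3; sub(/,/, "", algo); algo = algo + 0
            name = (algo == 1) ? "MD5" : (algo == 2) ? "SHA1" : ""
            if (name != "") print keyid, sigclass, name
        }
    '
}

# Number of weak signatures in the dump on stdin.
count_weak_signatures() {
    weak_signatures | wc -l | tr -d ' '
}

# Exit 0 when the key on stdin carries no SHA-1/MD5 signatures (importable
# under the DEFAULT policy), 1 otherwise.
key_ok_for_policy() {
    [ "$(count_weak_signatures)" -eq 0 ]
}

# rpm -Kv prints one line per signature, e.g.
# "Header V4 RSA/SHA1 Signature, key ID d88e42b4: OK". Only the Signature
# lines matter: "Header SHA1 digest" is a plain integrity checksum, not a
# signature, and is not what the policy rejects.
weak_rpm_signatures() {
    grep -E 'RSA/(SHA1|MD5) Signature' || true
}

count_weak_rpm_signatures() {
    grep -cE 'RSA/(SHA1|MD5) Signature' || true
}

# Constructed sample dumps (the shape of real output, not the real key's
# values): a SHA-1 self-signature on the user ID and a SHA-256 subkey binding.
SAMPLE_PACKETS=':public key packet:
    version 4, algo 1, created 1379336410, expires 0
    keyid: D27D666CD88E42B4
:user ID packet: "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
:signature packet: algo 1, keyid D27D666CD88E42B4
    version 4, created 1379336410, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 8c 5a
    hashed subpkt 2 len 4 (sig created 2013-09-16)
:public sub key packet:
    version 4, algo 1, created 1379336410, expires 0
    keyid: AB6B7FCB60D31954
:signature packet: algo 1, keyid D27D666CD88E42B4
    version 4, created 1379336410, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 1f 2e
    hashed subpkt 2 len 4 (sig created 2013-09-16)'

# Constructed rpm -Kv report for a package signed with RSA/SHA1.
SAMPLE_RPM_K='filebeat-8.3.1-x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID d88e42b4: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK'

# Stand-alone demo: run on the samples when no key file is given, otherwise
# on the key file named in $1 (requires gpg).
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_PACKETS" | weak_signatures
    printf '%s\n' "$SAMPLE_RPM_K" | weak_rpm_signatures
elif command -v gpg >/dev/null 2>&1; then
    gpg --list-packets "$1" | weak_signatures
fi
```

On the sample the key check prints "D27D666CD88E42B4 0x13 SHA1": the user-ID self-signature is the weak one, so the key is flagged even though the subkey binding uses SHA-256. Keep in mind that update-crypto-policies --set DEFAULT:SHA1 re-enables SHA-1 signatures for every component that follows the system policy, not just rpm, so it is a stop-gap until the vendor publishes a key and packages signed with a SHA-2 digest.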

@tvernum tvernum added :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts and removed needs:triage Requires assignment of a team area label labels Jul 11, 2022
@elasticmachine elasticmachine added the Team:Delivery Meta label for Delivery team label Jul 11, 2022
@elasticmachine (Collaborator)

Pinging @elastic/es-delivery (Team:Delivery)

@mark-vieira (Contributor)

This looks to be a duplicate of #85876. We're investigating updating our GPG key with our release team to resolve this issue.
