Repo key cannot be imported on RHEL-9 #89487

Closed
assen-totin opened this issue Aug 20, 2022 · 2 comments
Labels
>bug :Core/Infra/Settings Settings infrastructure and APIs Team:Core/Infra Meta label for core/infra team

Comments

@assen-totin

Elasticsearch Version

any

Installed Plugins

No response

Java Version

any

OS Version

RHEL-9

Problem Description

RHEL-9 disabled the usage of the long-deprecated SHA-1 for signatures.

The ES repo key dates from 2013 (when SHA-1 was already deprecated) and it used SHA-1. This means that the ES repo cannot be added to RHEL-9, unless its security settings are changed, which conflicts with security certification requirements.

You need to generate a new key that will use a modern-day algorithm like SHA-256 and re-sign your packages.

Current key info - look for "digest algo 2", this denotes SHA-1; once you switch to SHA-256, it will say something like "digest algo 8":

[assen.totin@archimed Desktop]$ gpg -vv GPG-KEY-elasticsearch
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v2.0.14 (GNU/Linux)
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1379344074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: D27D666CD88E42B4
# off=272 ctb=b4 tag=13 hlen=2 plen=69
:user ID packet: "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
# off=343 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid D27D666CD88E42B4
	version 4, created 1379344074, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 73 8c
	hashed subpkt 2 len 4 (sig created 2013-09-16)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID D27D666CD88E42B4)
	data: [2048 bits]
# off=658 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
	version 4, algo 1, created 1379344074, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: AB6B7FCB60D31954
# off=930 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid D27D666CD88E42B4
	version 4, created 1379344074, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 73 73
	hashed subpkt 2 len 4 (sig created 2013-09-16)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID D27D666CD88E42B4)
	data: [2048 bits]
pub   rsa2048 2013-09-16 [SC]
      46095ACC8548582C1A2699A9D27D666CD88E42B4
uid           Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sig        D27D666CD88E42B4 2013-09-16   [selfsig]
sub   rsa2048 2013-09-16 [E]
sig        D27D666CD88E42B4 2013-09-16   [keybind]

Steps to Reproduce

Try to import the key into a RHEL-9 system. Result is:

Importing GPG key 0xD88E42B4:
 Userid     : "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
 Fingerprint: 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4
 From       : https://packages.elastic.co/GPG-KEY-elasticsearch
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: elasticsearch-8.3.3-1.x86_64

Logs (if relevant)

No response
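
An added example, not part of the original issue or of the Elasticsearch project: a small Python parser for `gpg -vv` packet listings like the one above, reporting the digest algorithm of each signature packet and flagging SHA-1. The first two sample packets are copied from the issue's output; the third, with key ID 0123456789ABCDEF, is constructed to show a SHA-256 result, and flagging MD5 alongside SHA-1 is an assumption.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
WEAK = {1, 2}  # assumption: MD5 is flagged too; the issue itself only names SHA-1

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass (0x[0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# First two packets are taken from the issue's listing; the third is constructed.
SAMPLE = """\
:signature packet: algo 1, keyid D27D666CD88E42B4
    version 4, created 1379344074, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 73 8c
    hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
:public sub key packet:
:signature packet: algo 1, keyid D27D666CD88E42B4
    version 4, created 1379344074, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 73 73
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1660953600, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 00 00
"""

def audit_signatures(listing):
    """Return one dict per signature packet in `gpg -vv` style packet output."""
    results, current = [], None
    for line in listing.splitlines():
        stripped = line.strip()
        m = SIG_RE.match(stripped)
        if m:
            current = {"keyid": m.group(1), "sigclass": None,
                       "digest": None, "weak": None}
            results.append(current)
        elif stripped.startswith(":"):
            current = None  # any other packet ends the signature's field lines
        elif current is not None:
            if (m := CLASS_RE.search(stripped)):
                current["sigclass"] = m.group(1)
            if (m := DIGEST_RE.search(stripped)):
                algo = int(m.group(1))
                current["digest"] = HASH_NAMES.get(algo, f"unknown({algo})")
                current["weak"] = algo in WEAK
    return results

if __name__ == "__main__":
    for sig in audit_signatures(SAMPLE):
        print(sig)
```

The `pref-hash-algos` subpacket is deliberately not matched: it lists the hashes the key holder prefers others to use, not the digest the signature itself was made with.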

@assen-totin assen-totin added >bug needs:triage Requires assignment of a team area label labels Aug 20, 2022
@gmarouli gmarouli added :Core/Infra/Settings Settings infrastructure and APIs and removed needs:triage Requires assignment of a team area label labels Aug 22, 2022
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Aug 22, 2022
@elasticsearchmachine
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@mark-vieira
Contributor

Closing as a duplicate of #85876.
