AlmaLinux 8 to 9 migration cleanup help

Hi there,

After migrating from AL8 to AL9, I still have some remaining old packages when I run the following command:

[user@server ~]# rpm -qa | grep el8
warning: Signature not supported. Hash algorithm SHA1 not available.
elevate-release-1.0-2.el8.noarch
fipscheck-1.5.0-4.el8.x86_64
leapp-0.14.0-1.el8_6.noarch
iwl3945-firmware-15.32.2.9-120.el8_9.1.noarch
kernel-4.18.0-513.18.2.el8_9.x86_64
kernel-modules-4.18.0-513.24.1.el8_9.x86_64
kernel-4.18.0-513.24.1.el8_9.x86_64
python3-leapp-0.14.0-1.el8_6.noarch
leapp-upgrade-el8toel9-0.16.0-6.el8_6.elevate.19.noarch
kernel-core-4.18.0-513.18.2.el8_9.x86_64
kernel-modules-4.18.0-513.18.2.el8_9.x86_64
libvarlink-18-3.el8.x86_64
fipscheck-lib-1.5.0-4.el8.x86_64
libertas-usb8388-firmware-20230824-120.git0e048b06.el8_9.noarch
iwl4965-firmware-228.61.2.24-120.el8_9.1.noarch
kernel-core-4.18.0-513.24.1.el8_9.x86_64
python36-3.6.8-38.module_el8.9.0+3700+efebe9fd.x86_64
leapp-data-almalinux-0.2-5.el8.noarch
iwl6000-firmware-9.221.4.1-120.el8_9.1.noarch

How can I clean that up and how can I get rid of the SHA1 warning?
For SHA1, I tried update-crypto-policies --set DEFAULT command but it didn’t change anything.

This is one of my test VMs, I can roll back any time to AL8 and do other tests. Also important note: this system, including a few others, was migrated from CentOS 8 to AL8.

The idea here is to have the cleanest state possible after migration.
Thanks in advance for your help! :slightly_smiling_face:

PS: overall the migration was pretty smooth for now :ok_hand:

I can’t say I’ve ever seen that warning before, but I’d be inclined to do a like, rpm -qa | xargs -n1 rpm -q to see if I can get rpm to issue the warning more specifically about a particular RPM. Or figure out what --qf you have to give it to show you algorithms per package.

Or how about rpm -qia | grep -e ^Name -e ^Signature | grep -B1 SHA1 ?

I would start with a sudo dnf distro-sync so that you can replace el8 packages with the el9 ones.

Hi there,

I have tried it on my test system; except for the warning itself, it didn’t show any extra info.
But I have also seen that on a system that was a “fresh” AL8, the SHA1 warning didn’t show up, so I guess this is legacy stuff that I brought along when migrating from CentOS.

Everything looks OK when I launch this command, but I think the upgrade process is doing the same, it updates everything that is in new repositories.

Now a question for you both (or anybody else!): I’ve tried a few things that I’d like you to validate:

AL8 package cleanup
I used the following commands (because those packages were not relevant to any app):
*um remove el8
dnf autoremove
rpm -e --nodeps for all the remaining ones (I had 3 left)

This removed all the legacy stuff.

GPG warning
I used these 2 commands to find and delete GPG keys:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} -> %{summary}\n'
rpm -e gpg-pubkey-id for each key from the above command.

The only problem is: I don’t have enough knowledge to be 100% sure I’m not breaking anything with these 2 methods. But I didn’t have any errors when trying to reach repositories or anything, everything was apparently working fine.

What do you think? :wink:

SHA-1 is disabled in the DEFAULT policy. See “Chapter 3. Using system-wide cryptographic policies” (Red Hat Enterprise Linux 9, Red Hat Customer Portal).

There is a subpolicy to enable SHA-1, while the rest of the policy stays as in DEFAULT:

update-crypto-policies --set DEFAULT:SHA1

Huh, well, so I’d still be curious to know then if rpm’s issuing of that warning can be isolated to any particular rpm -q packagename.

I think the hazard of doing that rpm -e --nodeps depends on what those packages were and what was depending on them or otherwise preventing them from being uninstalled normally.

The keys I don’t think are a problem, because I’d expect if I’d removed one I do use that I’d just be prompted to install it again next time I try to install a package signed with it.
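
Added example, not part of the thread above: one way to check what depends on the leftover el8 packages before reaching for rpm -e --nodeps, using rpm's own dry run (rpm -e --test). The function names and the SAMPLE list are constructed for illustration; the sample lines are taken from the package list quoted in the first post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage leftover el8 packages before
# any `rpm -e --nodeps`. Function names and SAMPLE are constructed here.

# Keep only package lines with an el8 dist tag; rpm warning lines are dropped.
el8_leftovers() {
    grep -E '[._]el8([._]|$)' | grep -Ev '^(warning|error):' | sort
}

# Group each package so kernels and upgrade tooling are reviewed separately.
classify() {
    while IFS= read -r pkg; do
        case "$pkg" in
            kernel-*)                          echo "old-kernel   $pkg" ;;
            leapp-*|python3-leapp-*|elevate-*) echo "upgrade-tool $pkg" ;;
            *)                                 echo "other        $pkg" ;;
        esac
    done
}

# Dry run on the real host: rpm performs its dependency check for the erase
# and reports failures, but removes nothing.
erase_check() {
    rpm -e --test "$1"
}

# Full pass over the installed set; only meaningful where rpm exists.
triage_host() {
    rpm -qa 2>/dev/null | el8_leftovers | while IFS= read -r pkg; do
        if erase_check "$pkg" >/dev/null 2>&1; then
            echo "removable $pkg"
        else
            echo "BLOCKED   $pkg (run: rpm -e --test $pkg)"
        fi
    done
}

# Constructed sample, taken from the package list quoted in the thread.
SAMPLE='warning: Signature not supported. Hash algorithm SHA1 not available.
fipscheck-lib-1.5.0-4.el8.x86_64
kernel-core-4.18.0-513.24.1.el8_9.x86_64
leapp-0.14.0-1.el8_6.noarch
python36-3.6.8-38.module_el8.9.0+3700+efebe9fd.x86_64
bash-5.1.8-9.el9.x86_64'

triage_sample() { printf '%s\n' "$SAMPLE" | el8_leftovers | classify; }
```

Packages that depend on each other, such as kernel, kernel-core and kernel-modules of the same version, show as BLOCKED when tested one at a time; pass them together to a single rpm -e --test to check the whole set.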