Unable to import a gpg key on AlmaLinux 9

I need to import a GPG key which is currently available at https://www.tenable.com/downloads/api/v1/public/pages/nessus-agents/downloads/7000/download?i_agree_to_tenable_license_agreement=true (yes, that’s the best URL I can figure out for it; the sha256sum is 0f407c2df84f925acd9822e26731f3a881b3b94e5931a2ff8bf43b47be59f11e; it’s also linked to under “Signing Keys” at the bottom of Download Nessus Agents | Tenable®).

But it won’t import.

[root@foo:production:~]$ head -2 /etc/os-release 
NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
[root@foo:production:~]$ update-crypto-policies --show
DEFAULT
[root@foo:production:~]$ gpg tenable-2048.gpg 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2013-03-21 [SC] [expires: 2022-12-05]
      23A24C7088C62258AFEAC377C3E60E421C0C4A5D
uid           Tenable Network Security, Inc. <releases@tenable.com>
sub   rsa2048 2013-03-21 [E] [expires: 2022-12-05]
[root@foo:production:~]$ rpmkeys --verbose --import tenable-2048.gpg 
error: tenable-2048.gpg: key 1 import failed.
[root@foo:production:~]$

Sadly --verbose doesn’t result in any more output than not using it.

On a hunch, I tried changing the crypto policy to LEGACY, and then the key does import. But that’s not a satisfactory solution so I’m going to raise this with the vendor.

Can someone explain what specifically about this key means it can’t be imported with the policy set to DEFAULT? And is this documented somewhere? (I’ve looked at RHEL 9 documentation about crypto policies but either didn’t see or didn’t recognise an explanation.) Similarly, I unwittingly tried to import the AlmaLinux 8 key and that didn’t import, but I don’t know why: Can't import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux - #3 by mikew

It’s been signed with a SHA1 key.

Thanks!

A method of telling it’s a SHA1 key, which I’ve just worked out from Google searches, is that “digest algo 2” will appear in the output of

$ gpg --list-packets keyfile

[root@foo:production:~]$  gpg --list-packets tenable-2048.gpg  | grep -i "digest algo 2"
	digest algo 2, begin of digest 28 63
	digest algo 2, begin of digest 81 4f
[root@foo:production:~]$

and if you look at RFC 4880 - OpenPGP Message Format it says that algorithm number 2 is SHA1. Which seems like a very obscure and cumbersome way of finding out. Did you do that or did you do something more straightforward?

Information about crypto policies in RHEL 9 specifically: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

From the description of LEGACY

SHA-1 is allowed to be used as TLS hash, signature, and algorithm. CBC-mode ciphers are allowed to be used with SSH. Applications using GnuTLS allow certificates signed with SHA-1.

FWIW Tenable’s response to my pointing out that the key they use to sign the packages can’t be used on AlmaLinux 9 or RHEL 9 without lowering the system security level is that they don’t support AlmaLinux or RHEL 9.

1 Like
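The check described above (grep the `gpg --list-packets` dump for the digest algorithm number and look it up in RFC 4880) can be made less cumbersome by scripting the lookup. The following is an added example, not code from the thread or from any of the posters: it parses the packet dump, maps each signature's `digest algo` number to its RFC 4880 section 9.4 name, and reports which signatures use MD5 or SHA-1, the digests the DEFAULT policy on RHEL 9 / AlmaLinux 9 does not accept for signatures. The sample dumps are constructed to resemble the output shown in the thread (the key ID is the last 16 hex digits of the fingerprint quoted above; creation timestamps and the SHA-256 example are made up); `dump_key_packets` shells out to a real `gpg` only when a path is given on the command line.

```python
"""Report the hash algorithm of every signature in a `gpg --list-packets` dump.

Added example; not part of the original forum thread.
"""
import re
import subprocess
import sys
from typing import List

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_ALGOS = {
    1: "MD5",
    2: "SHA1",
    3: "RIPEMD160",
    8: "SHA256",
    9: "SHA384",
    10: "SHA512",
    11: "SHA224",
}

# Digests that the DEFAULT crypto policy on RHEL 9 / AlmaLinux 9 rejects
# for signatures; SHA-1 is what DEFAULT:SHA1 or LEGACY re-enables.
WEAK_DIGESTS = {"MD5", "SHA1"}

# gpg prints "digest algo N, begin of digest xx yy" for each signature packet.
DIGEST_RE = re.compile(r"digest algo (\d+)")


def signature_digests(packet_dump: str) -> List[str]:
    """Digest algorithm name of each signature packet in the dump, in order."""
    names = []
    for match in DIGEST_RE.finditer(packet_dump):
        algo_id = int(match.group(1))
        names.append(HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id))
    return names


def weak_signature_digests(packet_dump: str) -> List[str]:
    """Only the signatures whose digest the DEFAULT policy refuses."""
    return [name for name in signature_digests(packet_dump) if name in WEAK_DIGESTS]


def key_needs_sha1_policy(packet_dump: str) -> bool:
    """True if importing this key needs DEFAULT:SHA1 (or LEGACY) on RHEL 9 family."""
    return bool(weak_signature_digests(packet_dump))


def dump_key_packets(path: str) -> str:
    """Run `gpg --list-packets` on a real key file (requires gpg on the host)."""
    result = subprocess.run(
        ["gpg", "--list-packets", path], capture_output=True, text=True, check=True
    )
    return result.stdout


# Constructed sample shaped like the thread's tenable-2048.gpg output:
# two self-signatures, both made with digest algo 2 (SHA1).
SAMPLE_SHA1_DUMP = """\
:public key packet:
\tversion 4, algo 1, created 1363857600, expires 0
:user ID packet: "Tenable Network Security, Inc. <releases@tenable.com>"
:signature packet: algo 1, keyid C3E60E421C0C4A5D
\tversion 4, created 1363857600, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 28 63
:public sub key packet:
\tversion 4, algo 1, created 1363857600, expires 0
:signature packet: algo 1, keyid C3E60E421C0C4A5D
\tversion 4, created 1363857600, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 81 4f
"""

# Constructed sample of a key whose self-signature uses SHA-256 (digest algo 8),
# which imports fine under DEFAULT.
SAMPLE_SHA256_DUMP = """\
:public key packet:
\tversion 4, algo 1, created 1600000000, expires 0
:user ID packet: "Example Signer <placeholder@example.invalid>"
:signature packet: algo 1, keyid 0000000000000000
\tversion 4, created 1600000000, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 00 11
"""


if __name__ == "__main__":
    dump = dump_key_packets(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SHA1_DUMP
    print("signature digests:", signature_digests(dump))
    if key_needs_sha1_policy(dump):
        print("weak digests present:", weak_signature_digests(dump))
        print("DEFAULT policy will refuse this key; DEFAULT:SHA1 or LEGACY is needed")
    else:
        print("no MD5/SHA-1 signatures; DEFAULT policy should accept this key")
```

Run it with no arguments to see the constructed SHA-1 case, or pass a key file path to inspect a real key on a host that has `gpg` installed.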

Yeah, that’s basically how to check - oddly enough I somehow remember the hash type numbers (at least the bad ones!)

That response from Tenable is pretty typical of their tech support these days unfortunately; I usually escalate it via a support ticket.

SHA-1 is not in DEFAULT but you can enable it without going to LEGACY (3.8 in RHEL doc that @mikew did point to):

update-crypto-policies --set DEFAULT:SHA1

Although, LEGACY merely adds SHA-1 and CBC, so DEFAULT:SHA1 is almost the same.

1 Like