[root@foo:production:~]$ head -2 /etc/os-release
NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
[root@foo:production:~]$ update-crypto-policies --show
DEFAULT
[root@foo:production:~]$ gpg tenable-2048.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2013-03-21 [SC] [expires: 2022-12-05]
23A24C7088C62258AFEAC377C3E60E421C0C4A5D
uid Tenable Network Security, Inc. <releases@tenable.com>
sub rsa2048 2013-03-21 [E] [expires: 2022-12-05]
[root@foo:production:~]$ rpmkeys --verbose --import tenable-2048.gpg
error: tenable-2048.gpg: key 1 import failed.
[root@foo:production:~]$
Sadly --verbose doesn’t result in any more output than not using it.
On a hunch, I tried changing the crypto policy to LEGACY, and then the key does import. But that’s not a satisfactory solution so I’m going to raise this with the vendor.
Can someone explain what specifically about this key means it can’t be imported with the policy set to DEFAULT? And is this documented somewhere? (I’ve looked at RHEL 9 documentation about crypto policies but either didn’t see or didn’t recognise an explanation.) Similarly, I unwittingly tried to import the AlmaLinux 8 key and that didn’t import, but I don’t know why: Can't import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux - #3 by mikew
A method of telling it’s a SHA1 key, which I’ve just worked out from Google searches, is that “digest algo 2” will appear in the output of
$ gpg --list-packets keyfile
[root@foo:production:~]$ gpg --list-packets tenable-2048.gpg | grep -i "digest algo 2"
digest algo 2, begin of digest 28 63
digest algo 2, begin of digest 81 4f
[root@foo:production:~]$
and if you look at RFC 4880 - OpenPGP Message Format it says that algorithm number 2 is SHA1. Which seems like a very obscure and cumbersome way of finding out. Did you do that or did you do something more straightforward?
SHA-1 is allowed to be used as TLS hash, signature, and algorithm. CBC-mode ciphers are allowed to be used with SSH. Applications using GnuTLS allow certificates signed with SHA-1.
FWIW Tenable’s response to my pointing out that the key they use to sign the packages can’t be used on AlmaLinux 9 or RHEL 9 without lowering the system security level is that they don’t support AlmaLinux or RHEL 9.
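To check a key file mechanically instead of grepping `gpg --list-packets` for "digest algo 2", here is an added example (not code from this thread, Tenable or AlmaLinux) that walks the binary OpenPGP packets of a key and reports any signature whose digest is MD5 or SHA-1; the sample key bytes are constructed for the demonstration and are not a real key.

```python
from typing import Iterator, List, Tuple
# RFC 4880 section 9.4 hash algorithm IDs: "digest algo 2" in gpg --list-packets output is SHA1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # digests the thread found the DEFAULT crypto policy refuses for signatures

def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet of a binary (dearmored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                             # new-format header, RFC 4880 4.2.2
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                      # old-format header, RFC 4880 4.2.1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                         # 1, 2 or 4 length octets follow
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def signature_hash_algo(body: bytes) -> int:
    """Hash algorithm ID of a v3 or v4 signature packet body (RFC 4880 5.2.2 / 5.2.3)."""
    if body[0] == 3:
        return body[16]  # v3: ver, 5, type, time(4), key id(8), pk algo, hash algo
    if body[0] == 4:
        return body[3]   # v4: ver, type, pk algo, hash algo, subpackets...
    raise ValueError(f"unsupported signature version {body[0]}")

def weak_signature_hashes(data: bytes) -> List[str]:
    """Weak digests used by the key's signatures (tag 2); non-empty means DEFAULT will refuse it."""
    algos = [signature_hash_algo(body) for tag, body in iter_packets(data) if tag == 2]
    return [HASH_ALGOS.get(a, f"algo {a}") for a in algos if a in WEAK_HASHES]

def _packet(tag: int, body: bytes) -> bytes:      # old-format header with a 1-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample, not a real key: public key (tag 6) + user ID (tag 13) + a v4 self-signature
# whose digest algo is 02 (SHA1) with hash prefix 28 63 as in the post; a SHA256 (08) variant for contrast
_KEY_AND_UID = _packet(6, bytes.fromhex("04 00000000 01 0008 80 0002 03")) + _packet(13, b"Example <x@example.com>")
SAMPLE_SHA1_KEY = _KEY_AND_UID + _packet(2, bytes.fromhex("04 13 01 02 0000 0000 2863 0008 80"))
SAMPLE_SHA256_KEY = _KEY_AND_UID + _packet(2, bytes.fromhex("04 13 01 08 0000 0000 2863 0008 80"))
```

Run `weak_signature_hashes()` over the binary key file (pass an ASCII-armored file through `gpg --dearmor` first); a non-empty result is the SHA1-signature condition the thread identified as the reason the import fails under DEFAULT.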