Opened 6 weeks ago

Closed 5 weeks ago

#2357 closed defect (invalid)

Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: BAD

Reported by: liviuconcioiu@…
Owned by: thresh
Priority: minor
Milestone:
Component: nginx-core
Version:
Keywords:
Cc:
uname -a: Linux srv4599 5.14.0-96.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 19 09:38:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.6
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

nginx-1.22.0-1.el9.ngx.x86_64.rpm cannot be installed on CentOS 9 Stream.

[root@srv4599 ~]# yum update -y
Last metadata expiration check: 0:44:00 ago on Thu 26 May 2022 11:29:09 AM BST.
Dependencies resolved.
=============================================================================================================================================================================================================================================================================================================================
 Package                                                                 Architecture                                                             Version                                                                               Repository                                                                      Size
=============================================================================================================================================================================================================================================================================================================================
Upgrading:
 nginx                                                                   x86_64                                                                   1:1.22.0-1.el9.ngx                                                                    nginx-stable                                                                   861 k

Transaction Summary
=============================================================================================================================================================================================================================================================================================================================
Upgrade  1 Package

Total download size: 861 k
Downloading Packages:
nginx-1.22.0-1.el9.ngx.x86_64.rpm                                                                                                                                                                                                                                                            4.4 MB/s | 861 kB     00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                                                        4.3 MB/s | 861 kB     00:00
Running transaction check
error: rpmdbNextIterator: skipping h#     483
Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#     483
Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: An rpm exception occurred: package not installed

[root@srv4599 ~]# cat /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Change History (3)

comment:1 by thresh, 6 weeks ago

Owner: set to thresh
Status: new → assigned

Hello!

I wonder if that error comes from the older rpm package you have installed (because indeed, for the RHEL8 package that you have installed, we were using SHA1)? Would it be possible to check on a fresh machine?

Since that's what I see:

[root@ip-10-1-18-132 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.0 (Plow)
[root@ip-10-1-18-132 ~]# update-crypto-policies --show
DEFAULT
[root@ip-10-1-18-132 ~]# wget -q https://nginx.org/packages/mainline/centos/9/x86_64/RPMS/nginx-1.21.6-1.el9.ngx.x86_64.rpm
[root@ip-10-1-18-132 ~]# rpm -qi nginx-1.21.6-1.el9.ngx.x86_64.rpm
Name        : nginx
Epoch       : 1
Version     : 1.21.6
Release     : 1.el9.ngx
Architecture: x86_64
Install Date: (not installed)
Group       : System Environment/Daemons
Size        : 3072354
License     : 2-clause BSD-like license
Signature   : RSA/SHA256, Fri 20 May 2022 10:12:24 AM UTC, Key ID abf5bd827bd9bf62
Source RPM  : nginx-1.21.6-1.el9.ngx.src.rpm
Build Date  : Fri 20 May 2022 09:12:27 AM UTC
Build Host  : ip-10-1-17-18.eu-central-1.compute.internal
Vendor      : NGINX Packaging <nginx-packaging@f5.com>
URL         : https://nginx.org/
Summary     : High performance web server
Description :
nginx [engine x] is an HTTP and reverse proxy server, as well as
a mail proxy server.
[root@ip-10-1-18-132 ~]# rpm -ivh ./nginx-1.21.6-1.el9.ngx.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:nginx-1:1.21.6-1.el9.ngx         ################################# [100%]
----------------------------------------------------------------------

Thanks for using nginx!

Please find the official documentation for nginx here:
* https://nginx.org/en/docs/

Please subscribe to nginx-announce mailing list to get
the most important news about nginx:
* https://nginx.org/en/support.html

Commercial subscriptions for nginx are available on:
* https://nginx.com/products/

----------------------------------------------------------------------
[root@ip-10-1-18-132 ~]#

There are also no errors when installing via yum.

comment:2 by liviuconcioiu@…, 5 weeks ago

Hi,

I have checked on a new machine, and indeed there is no error.

The error comes from the older rpm package.

Thank you!

comment:3 by thresh, 5 weeks ago

Resolution: invalid
Status: assigned → closed

Thanks for confirming!

Just to reiterate for future encounters: packages built for RHEL 8 when installed on RHEL 9 will fail on update to newer RHEL-9 packages.
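
The condition discussed in this ticket (an already-installed package whose signature was made with SHA1) can be inventoried by listing the signature algorithm of every rpmdb entry. This is an added example, not part of the ticket or of nginx's packaging tooling: `flag_sha1_signed`, `scan_installed` and the sample rows are constructed for illustration, while the `RSAHEADER`/`SIGPGP` tags and the `:pgpsig` formatter are rpm's own.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket): find packages whose signature hash is SHA1.

# Real rpm query tags rendered with the :pgpsig formatter, e.g.
# "RSA/SHA256, Fri 20 May 2022 10:12:24 AM UTC, Key ID abf5bd827bd9bf62".
QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{RSAHEADER:pgpsig}|%{SIGPGP:pgpsig}\n'

# Reads "nevra|header-sig|header+payload-sig" lines on stdin and prints
# "nevra<TAB>algorithm<TAB>key id" for every package signed with SHA1.
flag_sha1_signed() {
    awk -F'|' '
    {
        for (i = 2; i <= NF; i++) {
            n = split($i, part, ", ")
            if (n < 3) continue                 # "(none)" or unparsable field
            split(part[1], alg, "/")            # "RSA/SHA1" -> RSA, SHA1
            if (alg[2] == "SHA1") {
                key = part[n]; sub(/^Key ID /, "", key)
                printf "%s\t%s\t%s\n", $1, part[1], key
                next                            # one report line per package
            }
        }
    }'
}

# Live inventory of the local rpmdb (hypothetical helper name).
scan_installed() {
    rpm -qa --qf "$QF" | flag_sha1_signed
}

# Constructed sample rows: the el8 row and its date are made up for illustration.
sample_rows() {
    cat <<'EOF'
nginx-1.21.6-1.el8.ngx.x86_64|RSA/SHA1, Tue 25 Jan 2022 04:00:00 PM UTC, Key ID abf5bd827bd9bf62|RSA/SHA1, Tue 25 Jan 2022 04:00:00 PM UTC, Key ID abf5bd827bd9bf62
nginx-1.21.6-1.el9.ngx.x86_64|RSA/SHA256, Fri 20 May 2022 10:12:24 AM UTC, Key ID abf5bd827bd9bf62|RSA/SHA256, Fri 20 May 2022 10:12:24 AM UTC, Key ID abf5bd827bd9bf62
unsigned-local-1.0-1.el9.noarch|(none)|(none)
EOF
}

sample_rows | flag_sha1_signed
```

`scan_installed` is meant for a host where rpm still reads SHA1-signed headers, such as the RHEL 8 system before it is moved to RHEL 9.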
