rpm/yum/dnf/subscription-manager show "warning: Signature not supported. Hash algorithm SHA1 not available."
Environment
- Red Hat Enterprise Linux 9
- leapp upgrade from RHEL 8 to 9
Issue
- dnf, yum, rpm, and subscription-manager commands display
warning: Signature not supported. Hash algorithm SHA1 not available.
Resolution
- Upgrade to RHEL 9.7 or later (crypto-policies version 20250905), in which rpm resumed accepting SHA1 signatures. This avoids problems with third-party packages that still use SHA1.
- If it's not possible to upgrade to RHEL 9.7, you can remove the gpg-pubkey-* packages responsible for the error, e.g.
# rpm --erase --allmatches gpg-pubkey-d4082792-5b32db75
Root Cause
The RPM database contains both a GPG public key signed using the SHA-1 hash algorithm and an RPM signed by that key.
In earlier releases, the Leapp in-place upgrade did not remove the RHEL 8 public key (gpg-pubkey-d4082792-5b32db75) from the system. This key is signed using a SHA-1 hash. The RHEL 8 key is now removed due to the work done in Bugzilla 2151679.
However, other public keys from third-party vendors may still be left on the system.
Please refer to SHA-1 deprecation in Red Hat Enterprise Linux 9 and the other documents linked in it for additional details.
Diagnostic Steps
- Run the following commands to find the GPG keys in question:
# strace -yyv -s 4096 -e pread64,write -o /tmp/rpm_-qa.strace rpm -q foopgk
# grep -F -B4 'Signature not supported.' /tmp/rpm_-qa.strace| fgrep -e gpg-pubkey -e 'BEGIN PGP PUBLIC KEY BLOCK'
- Look for the package name in the grep output. It appears a bit before “BEGIN PGP PUBLIC KEY BLOCK”. For example, in the output below the package name is in the “gpg-pubkey\0d4082792\0005b32db75” sequence.
pread64(3</var/lib/rpm/rpmdb.sqlite>, "\0\0\0\0002KRDIPhMs0bnmGB7IAvwlSb+xm6vWKECkO\nlwQDO5Kg8YZ8+Z3pn/oS688t/fPXvWLZYUqwR63oWfIaPJI7Ahv2jJmgw1ofL81r\n2CE3T/OydtUeGLzqWJAB8sbUgT3ug0cjtxsHuroQBSYBND3XDb/EQh5GeVVnGKKH\ngESLFAoweoNjDSXrlIu1gFjCDHF4CqBRmNYKrNQjLmhCrSfwkytXESJwlLzFKY8P\nK1yZyTpDC9YK0G7qgrk7EHmH9JAZTQ5V65pp0vR9KvqTU5ewkQDIljD2f3FIqo2B\nSKNCQE+N6NjWaTeNlU75m+yZocKObSPg0zS8FAuSJetNtzXA7ouqk34OoIMQj4gq\nUnh/i1FcZAd4U6Dtr9aRZ6PeLlm6MJ/h582L6fJLNEu136UWDtJj5eBYEzX13l+d\nSC4PEHx7ZZRwQKptl9NkinLZGJztg175paUu8C34sAv+SQnM20c0pdOXAq9GKKhi\nvt61kpkXoRGxjTlc6h+69aidSg==\n\0gpg-pubkey\0d4082792\0005b32db75\0gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)\0-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: rpm-4.14.2 (NSS-3)\n\nmQINBFsy23UBEACUKSphFEIEvNpy68VeW4Dt6qv+mU6am9a2AAl10JANLj1oqWX+\noYk3en1S6cVe2qehSL5DGVa3HMUZkP3dtbD4SgzXzxPodebPcr4+0QNWigkUisri\nXGL5SCEcOP30zDhZvg+4mpO2jMi7Kc1DLPzBBkgppcX91wa0L1pQzBcvYMPyV/Dh\nKbQHR75WdkP6OA2JXdfC94nxYq+2e0iPqC1hCP3Elh+YnSkOkrawDPmoB1g4+ft/\nxsiVGVy/W0ekXmgvYEHt6si6Y8NwXgnTMqxeSXQ9YUgVIbTpsxHQKGy76T5lMlWX\n4LCOmEVomBJg1SqF6yi9Vu8"..., 4096, 33509376) = 4096
- Ignore the \0 and \000 character sequences, so the package name will be “gpg-pubkey-d4082792-5b32db75”.
- Check what PGP key the package contains, e.g.
# rpm -qi gpg-pubkey-d38b4796-570c8cd3 | head -n 15
warning: Signature not supported. Hash algorithm SHA1 not available.
Name        : gpg-pubkey
Version     : d38b4796
Release     : 570c8cd3
Architecture: (none)
Install Date: Mon 12 Dec 2022 11:24:02 PM -03
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Tue 12 Apr 2016 02:51:15 AM -03
Build Host  : localhost
Packager    : Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
Summary     : gpg(Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>)
Description :
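The manual lookup in the steps above can be scripted. The following Python code is an added example, not part of the original solution: it searches the four trace lines before each warning (as `grep -B4` does), decodes the \0 and \000 escapes, and returns the gpg-pubkey package name with the key's summary. The function names and the two sample trace lines are constructed for illustration.

```python
import re
import sys
from collections import deque

WARNING = 'Signature not supported.'
# A backslash plus one to three octal digits is one byte; this covers both the
# "\0" and "\000" forms in the strace output.
_ESCAPE = re.compile(r'\\([0-7]{1,3}|.)')
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'f': '\f', 'v': '\v'}
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# NUL-separated header strings: name, version, release, then the key's summary.
_PUBKEY = re.compile(
    r'\x00gpg-pubkey\x00([0-9a-f]{8})\x00([0-9a-f]{8})\x00(gpg\([^\x00]*\))?')
# Constructed sample shaped like the trace above (key material shortened).
SAMPLE = [
    r'pread64(3</var/lib/rpm/rpmdb.sqlite>, "g==\n\0gpg-pubkey\0d4082792\0005b32db75\0gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)\0-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQIN"..., 4096, 33509376) = 4096',
    r'write(2</dev/pts/0>, "warning: Signature not supported. Hash algorithm SHA1 not available.\n", 69) = 69',
]


def unescape(quoted):
    """Decode the C-style escapes inside one quoted strace buffer."""
    def repl(match):
        tok = match.group(1)
        if tok[0] in '01234567':
            return chr(int(tok, 8))
        return _SIMPLE.get(tok, tok)  # \" and \\ become the literal character
    return _ESCAPE.sub(repl, quoted)


def keys_behind_warning(lines, context=4):
    """Return {package: summary} for pubkeys read within `context` lines before a warning."""
    recent, found = deque(maxlen=context), {}
    for line in lines:
        if WARNING in line:
            for earlier in recent:
                for buf in _QUOTED.findall(earlier):
                    for ver, rel, summary in _PUBKEY.findall(unescape(buf)):
                        found[f'gpg-pubkey-{ver}-{rel}'] = summary
        recent.append(line)
    return found


if __name__ == '__main__':
    lines = SAMPLE
    if len(sys.argv) > 1:  # path to a trace file, e.g. /tmp/rpm_-qa.strace
        with open(sys.argv[1], errors='replace') as trace:
            lines = trace.readlines()
    for package, summary in sorted(keys_behind_warning(lines).items()):
        print(package, summary)
```

Run it with the strace output file as its only argument; without an argument it processes the constructed sample.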