[ZBX-22107] RHEL 9 packages signed with SHA1 fails to install Created: 2022 Dec 19  Updated: 2024 Apr 10  Resolved: 2023 Jan 11

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: None
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: svb Assignee: Juris Lambda
Resolution: Fixed Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RHEL 9


Team: Team B
Sprint: Sprint 95 (Dec 2022), Sprint 96 (Jan 2023)

 Description   

The SHA1 algorithm has been deprecated in RHEL 9 [1]. The Zabbix agent2 package fails to install on a RHEL 9 system. Maybe Zabbix should sign the package with some other, modern algorithm?

Steps to reproduce:

  1. Install zabbix-agent2-6.2.4-release1.el9.x86_64 on a RHEL 9 system

Result:
Zabbix 6.2 RHEL 9 x86_64                                                 
Importing GPG key 0xA14FE591:
 Userid     : "Zabbix LLC <[email protected]>"
 Fingerprint: A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
 From       : <URL removed>
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: zabbix-agent2-6.2.4-release1.el9.x86_64
 GPG Keys are configured as: <URL removed>
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

[1] Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9



 Comments   
Comment by Juris Lambda [ 2022 Dec 22 ]

Hello, Bergman!

Could you please tell me what the version of the zabbix-release package is on that system?

It seems that the system may still be using the previous signing key, which did indeed use a SHA-1 signature. See if you can update the zabbix-release package to import the new key and try installing the agent package then.

Comment by svb [ 2022 Dec 23 ]

Hi,

Our internal repository offers the following zabbix-release package for installation:

Name         : zabbix-release
Version      : 6.2
Release      : 3.el9
Architecture : noarch
Size         : 17 k
Source       : zabbix-release-6.2-3.el9.src.rpm
Repository   : <Repository name removed>
Summary      : Zabbix repository configuration
URL          : https://www.zabbix.com
License      : GPL
Description  : This package contains the Zabbix official repository
             : GPG key as well as configuration for yum.

It seems that the same version of the package is available in the Zabbix public repository for RHEL 9 (so our repository is up to date).

Installing the zabbix-release package fails with the same SHA1 error:

Zabbix 6.2 RHEL 9 x86_64                                                                                                                     
Importing GPG key 0xA14FE591:
 Userid     : "Zabbix LLC <[email protected]>"
 Fingerprint: A184 8F53 52D0 22B9 471D 83D0 082A B56B A14F E591
 From       : <URL removed>
Is this ok [y/N]: y
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: zabbix-release-6.2-3.el9.noarch
 GPG Keys are configured as: <URL removed>
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Comment by Juris Lambda [ 2022 Dec 23 ]

Hey, Bergman!

This doesn't appear right. The key that is being imported was retired in July in favour of D9AA 84C2 B617 479C 6E4F CF4D 19F2 4753 08EF A7DD because of the reason you mentioned (crypto policies dropping the use of SHA-1). (Unfortunately, this key is currently not published to repo.zabbix.com along with the previous ones, and is currently only available via the zabbix-release package).

Could you try and interrogate the package via rpm (on the installed or downloaded package from your internal mirror), and post back results?
See the information about the package:

$ rpm -qi zabbix-release

See the file listing of the package:

$ rpm -ql zabbix-release

The repository registry contents of the package:

$ cat /etc/yum.repos.d/zabbix.repo

Also, please verify that all the listed files are actually present.
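
The diagnosis above is that the retired key carries a SHA-1 signature, which the RHEL 9 crypto policy refuses at import time. The following is an added example, not part of the ticket and not Zabbix tooling: Python that reads the hash algorithm of every signature packet in an OpenPGP key file, so a mirror maintainer can check a key before publishing it. The function names are hypothetical and the sample packets are constructed and truncated, not real keys.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASHES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

def dearmor(data):
    """Return binary packets; decode ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.decode("ascii").strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # after armor headers, before END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for each packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not supported")
        else:                                 # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length not supported")
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        yield tag, data[i:i + n]
        i += n

def signature_hashes(data):
    """Hash algorithm name of every signature packet (tag 2) in a key file."""
    found = []
    for tag, body in packets(dearmor(data)):
        if tag == 2 and body[0] in (3, 4):
            algo = body[16] if body[0] == 3 else body[3]   # v3 vs v4 layout
            found.append(HASHES.get(algo, "unknown(%d)" % algo))
    return found

# Constructed, truncated packets (not real keys): key, user ID, self-signature.
OLD_STYLE = bytes([0x98, 1, 4, 0xB4, 4]) + b"test" + bytes([0x88, 4, 4, 0x13, 1, 2])
NEW_STYLE = bytes([0xC6, 1, 4, 0xCD, 4]) + b"test" + bytes([0xC2, 4, 4, 0x13, 1, 8])
```

For a key file on disk, pass `open(path, "rb").read()` to `signature_hashes`; an entry of `SHA1` in the result corresponds to the "Hash algorithm SHA1 not available" warning shown in this ticket.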

Comment by patrick dubois [ 2023 Jan 04 ]

Hello!

I'd like to add a +1 to this issue. I'd like to propose using Zabbix across some of my infrastructure but discovered this issue on Rocky 9 Linux. In theory it should not be a problem to add a properly functioning key; do we have a rough ETA on when this might be accomplished?

Comment by Juris Lambda [ 2023 Jan 04 ]

Hey, pdubois!

Good news, the key was just published and is now available at https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-08EFA7DD!

Comment by patrick dubois [ 2023 Jan 05 ]

@Juris Lambda - Thank you for that quick reply.

I'm glad to hear the key has now been published. My package manager is insisting the packages are still signed with the previous and now invalid key, but this appears to be a thing with my config engine.

Much appreciated. I'll test this out later today!

EDIT: It works! Very appreciated. Thanks.

Comment by svb [ 2023 Jan 11 ]

Hi, @Juris Lambda

I imported the new GPG key to our local repository and I can confirm that I'm now able to install the zabbix-agent2 package on a RHEL 9 system.

During the package installation, the GPG key was added as expected:

Importing GPG key 0x08EFA7DD:
 Userid     : "Zabbix LLC (Jul 2022) <[email protected]>"
 Fingerprint: D9AA 84C2 B617 479C 6E4F CF4D 19F2 4753 08EF A7DD
 From       : <URL removed>
Is this ok [y/N]: y
Key imported successfully

The rest of the package installation process also went as expected:

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                 1/1
  Running scriptlet: zabbix-agent2-6.2.4-release1.el9.x86_64                         1/1
  Installing       : zabbix-agent2-6.2.4-release1.el9.x86_64                         1/1
  Running scriptlet: zabbix-agent2-6.2.4-release1.el9.x86_64                         1/1
  Verifying        : zabbix-agent2-6.2.4-release1.el9.x86_64                         1/1
Installed products updated.

Installed:
  zabbix-agent2-6.2.4-release1.el9.x86_64

Complete!

Comment by Bernd Müller [ 2023 Nov 15 ]

Hello @all,

thanks for the key.

Is it wrong to expect the generic key RPM-GPG-KEY-ZABBIX will be a link to the newest key RPM-GPG-KEY-ZABBIX-08EFA7DD?

Comment by Juris Lambda [ 2023 Nov 16 ]

Hey, [email protected]!

This seems to be an oversight of ours and should have been the case already. I will make sure to have that key updated.

Comment by Jurijs Klopovskis [ 2023 Nov 27 ]

Added the http://repo.zabbix.com/zabbix/4.0/rhel/9/x86_64/zabbix-release-4.0-3.el9.noarch.rpm package, shipping the correct key for el9.

Regarding the keys presented on the http://repo.zabbix.com/ root page: we should create a documentation page listing the different distributions and having links to the correct key files for each one. Though typically users don't need to touch these directly, since keys are shipped with zabbix-release packages, in case they do want to install these directly, for some reason, it is very confusing to pick the right key.
