Duo RPM repository broken for EL9 distributions

Hello,

I was testing Duo AlmaLinux9 (RHEL 9 derivative) and found an issue with the Duo RPM registry. After getting some help from AlmaLinux community, I found out that that AlmaLinux9 (and presumably other RHEL9 derivatives) have disabled SHA1 signatures by default, which Duo uses.

I’m going a bit off the road with this one because there’s not an official Duo build for EL9 yet (hope there is). I’m actually using the EL8 builds for an EL9 distro.

The issue presents like this:

root@localhost# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 import failed.

The work-around is pretty straight forward:

root@localhost# update-crypto-policies --set DEFAULT:SHA1

To return the system to a normal state:

root@localhost# update-crypto-policies --set DEFAULT

Additionally, you need to install compat-openssl11 so pam_duo.so will work

root@localhost# dnf install -y compat-openssl11 duo_unix

The true fix is to update the repository signature keys to use SHA256 instead of SHA1, as well as producing a build for EL9 systems. Unfortunately that means rolling the keys. If Duo/Cisco has plans to do so, I’d like to know since this is a disruptive thing.

In the meantime, I hope this helps others.

References:

Thanks for letting us know about this. We will roll the key tomorrow to SHA512 with the next Duo Unix release.

Heads-up: GPG key for Duo Unix will be updated June 2, 2022

Editing response to mention 1.12.1 release is out with CentOS Stream 9, RHEL 9, and Fedora 34 packages.

1 Like

Thanks, you managed to solve two of my problems in one shot. The move to SHA256 and official RHEL9 support (which means Alma9 is supported)

1 Like

Thanks for your post! It helped us address the signature issue before the release.

2 Likes