AlmaLinux 8 to 9 migration cleanup help

Hi there,

After migrating from AL8 to AL9, I still have some remaining old packages when I run the following command:

[user@server ~]# rpm -qa | grep el8
warning: Signature not supported. Hash algorithm SHA1 not available.

How can I clean that up and how can I get rid of the SHA1 warning?
For SHA1, I tried update-crypto-policies --set DEFAULT command but it didn’t change anything.

This is one of my test VMs; I can roll back any time to AL8 and do other tests. Also an important note: this system, along with a few others, was migrated from CentOS 8 to AL8.

The idea here is to have the cleanest state possible after migration.
Thanks in advance for your help! :slightly_smiling_face:

PS: overall, the migration was pretty smooth for now :ok_hand:

I can’t say I’ve ever seen that warning before, but I’d be inclined to do a like, rpm -qa | xargs -n1 rpm -q to see if I can get rpm to issue the warning more specifically about a particular RPM. Or figure out what --qf you have to give it to show you algorithms per package.

Or how about rpm -qia | grep -e ^Name -e ^Signature | grep -B1 SHA1 ?

I would start with a sudo dnf distro-sync so that you can replace el8 packages with the el9 ones.

Hi there,

I have tried it on my test system; apart from the warning itself, it didn’t show any extra info.
But I have also seen that on a system that was a “fresh” AL8, the SHA1 warning didn’t show up, so I guess this is legacy stuff that I brought along when migrating from CentOS.

Everything looks OK when I launch this command, but I think the upgrade process is doing the same, it updates everything that is in new repositories.

Now a question for you both (or anybody else!): I’ve tried a few things that I’d like you to validate:

AL8 package cleanup
I used the following commands (because those packages were not relevant to any app):
yum remove el8
dnf autoremove
rpm -e --nodeps for all the remaining ones (I had 3 left)

This removed all the legacy stuff.

GPG warning
I used these 2 commands to find and delete GPG keys
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} → %{summary}\n'
rpm -e gpg-pubkey-id for each key from the above command.

The only problem is: I don’t have enough knowledge to be 100% sure I’m not breaking anything with these 2 methods. But I didn’t get any errors when trying to reach repositories or anything; everything was apparently working fine.

What do you think? :wink:

SHA-1 is disabled in DEFAULT. See “Chapter 3. Using system-wide cryptographic policies” in the Red Hat Enterprise Linux 9 documentation on the Red Hat Customer Portal.

There is a subpolicy to enable SHA-1, while rest of policy stays as in DEFAULT:

update-crypto-policies --set DEFAULT:SHA1

Huh, well, so I’d still be curious to know then if rpm’s issuing of that warning can be isolated to any particular rpm -q packagename.

I think the hazard of doing that rpm -e --nodeps depends on what those packages were and what was depending on them or otherwise preventing them from being uninstalled normally.

The keys I don’t think are a problem, because I’d expect if I’d removed one I do use that I’d just be prompted to install it again next time I try to install a package signed with it.
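
Added example, not part of any post in this thread: the per-package check suggested above, written as a small script that sorts rpm query output into el8 leftovers, SHA1-signed packages and imported gpg-pubkey entries. The function names are hypothetical and the sample rows (package names, dates, key IDs) are constructed; NVRA and RSAHEADER:pgpsig are rpm query tags.

```bash
#!/usr/bin/env bash
# Input: one row per rpmdb entry, "NVRA<TAB>signature", as printed by
#   rpm -qa --qf '%{NVRA}\t%{RSAHEADER:pgpsig}\n'
# (RSAHEADER is the usual RSA header signature; unsigned entries show "(none)").

# Constructed sample rows so the script runs without an rpm database.
sample_rows() {
  printf '%s\t%s\n' \
    'bash-5.1.8-6.el9_1.x86_64' \
      'RSA/SHA256, Mon 14 Nov 2022 10:00:00 AM UTC, Key ID 0000000000000001' \
    'oldlib-1.2-3.el8.x86_64' \
      'RSA/SHA256, Tue 02 Mar 2021 09:00:00 AM UTC, Key ID 0000000000000002' \
    'legacytool-0.9-1.el8.noarch' \
      'RSA/SHA1, Fri 05 Jul 2019 08:00:00 AM UTC, Key ID 0000000000000003' \
    'modpkg-2.0-1.module+el8.5.0+100+abcdef12.x86_64' \
      'RSA/SHA256, Wed 10 Nov 2021 07:00:00 AM UTC, Key ID 0000000000000002' \
    'gpg-pubkey-aaaaaaaa-bbbbbbbb' '(none)'
}

# Packages whose release still carries an el8 dist tag (".el8", ".el8_5",
# "module+el8.5.0+..."); gpg-pubkey entries are keys, not packages.
leftover_el8() {
  awk -F'\t' '$1 !~ /^gpg-pubkey-/ && $1 ~ /[.+]el8([._+]|$)/ { print $1 }'
}

# Packages whose signature line names SHA1 as the hash algorithm.
sha1_signed() {
  awk -F'\t' '$2 ~ /\/SHA1,/ { print $1 }'
}

# Imported public keys; list them separately for review before any rpm -e.
imported_keys() {
  awk -F'\t' '$1 ~ /^gpg-pubkey-/ { print $1 }'
}

report() {
  rows=$(cat)
  echo "== el8 leftovers ==";        printf '%s\n' "$rows" | leftover_el8
  echo "== SHA1-signed packages =="; printf '%s\n' "$rows" | sha1_signed
  echo "== imported keys ==";        printf '%s\n' "$rows" | imported_keys
}

# "--live" queries the local rpmdb; the default runs on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  rpm -qa --qf '%{NVRA}\t%{RSAHEADER:pgpsig}\n' | report
else
  sample_rows | report
fi
```

Running it with --live on the migrated VM before and after the cleanup gives a list to compare against what dnf distro-sync and the manual removals actually changed.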