Server Version#:
Player Version#:
I can update plex with yum but I have to use the --nogpgcheck flag. The key fails to import because it is signed with SHA1 which is deprecated.
Which redhat distro do you have ?
I am a bit concerned because the Plex key is already GPG and not SHA1
If changes are needed in the package, I will gladly make them if you know the specifics (or can point me) to the changes needed.
Sorry was on vacation.
CentOS Stream release 9
Linux 5.14.0-124.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jul 4 11:45:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
I am not familiar with rpm package keys, but the error message I get sounds like the GPG key itself is signed using SHA1. So, there must be a signature that verifies the integrity of the GPG key.
App-armor is what secures the GPG key
It seems Centos 9 is also in need of the same update I just did for Ubuntu/Debian.
I will start on it today and, with luck, have something for us to test quickly (it’s not difficult to fix) if any changes are needed.
EDIT: I see some references to some problems with CentOS 9 and repo keys. I have investigating to complete before making any changes.
Can you show me the error messages you see?
I have created a new CentOS 9 VM.
I’ve not encountered any difficulties so far.
Regardless, I have worked out the necessary changes to de-armor the GPG key as it’s imported and deposited in /etc/pki/rpm-gpg
[root@centos9 rpm-gpg]# ls -la
total 20
drwxr-xr-x. 2 root root 182 Jul 25 14:34 .
drwxr-xr-x. 10 root root 123 Jul 25 10:33 ..
-rw-r--r--. 1 root root 2183 Jul 25 14:34 plexmediaserver.gpg
-rw-r--r--. 1 root root 1683 Mar 2 13:30 RPM-GPG-KEY-centosofficial
-rw-r--r--. 1 root root 2182 Mar 2 13:30 RPM-GPG-KEY-CentOS-SIG-Extras
-rw-r--r--. 1 root root 2182 Mar 2 13:30 RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
-rw-r--r--. 1 root root 1855 Jun 14 12:08 RPM-GPG-KEY-redhat-release
[root@centos9 rpm-gpg]#
I don’t get auto key import during update until a new plex is released.
But here is the message I get when I try a manual key import:
rpmkeys -v --import https://downloads.plex.tv/plex-keys/PlexSign.key
warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://downloads.plex.tv/plex-keys/PlexSign.key: key 1 import failed.
Here is the error message posted by another user on CentOS forums.
Also this article from RedHat on signing rpm with SHA256.
Enhancing RHEL Security: Understanding SHA-1 deprecation on RHEL 9 (redhat.com)
Thanks for working on this. I really like using the yum/dnf for keeping Plex up-to-date!
Thank you for the input on this.
I discussed with QA earlier this evening.
Our next step is to talk with the build team.
I’ve opened an internal request / report for upgrading to a signing mechanism which works for all supported RPM platforms.
I have a bit of code which I am preparing.
If you’re willing to verify my findings, I’d appreciate it.
wget -q -O - https://downloads.plex.tv/plex-keys/PlexSign.key | gpg --yes --dearmor -o /etc/pki/rpm-gpg/plexmediaserver.gpg
[chuck@centos9 ~]$ cat /etc/yum.repos.d/plex.repo
[PlexRepo]
name=PlexRepo
baseurl=https://downloads.plex.tv/repo/rpm/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/plexmediaserver.gpg
gpgcheck=1
[chuck@centos9 ~]$
Will this be sufficient?
All of this might/will likely change based on what the build team & Engineering finalize but would like to know if I’m on the right path from your perspective
I performed the steps above. Will know when next update drops.
Thanks.
That workaround didn’t work:
yum tries to import the key and fails.
Thank you for letting me know.
I need to figure out how it works.
If you know of any developer documentation , I would be most appreciative
The key is signed using digest algorithm 2 (aka SHA1):
$ gpg --list-packets PlexSign.key
[...]
# off=539 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid 97203C7B3ADCA79D
version 4, created 1427058047, md5len 0, sigclass 0x13
digest algo 2, begin of digest 90 2f
^^^^^^^^^^^^^
[...]
The key itself can be updated with new signatures using gpg --edit-key --digest-algo SHA512.
One would probably also update preferences in this step, e.g. setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed (or whatever the desired preference is), if it’s not up to date.
Second part is the RPM package itself: see Legacy SHA1 signatures on RPM packages
With proper key preferences and no overrides the signing process should be fine right away. Otherwise the digest algorithm can be configured in the .rpmmacros or the command itself (%__gpg_sign_cmd %{__gpg} gpg [...] --digest-algo sha256 [...])
See e.g. RPM file format changes to support SHA-256 - Fedora Project Wiki
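The gpg --list-packets output above is the manual way to see the "digest algo 2" self-signature. The following is an added example (written for this page, not code from the thread or from Plex) that does the same check offline: it de-armors a public key block, walks the OpenPGP packets per RFC 4880, and reports the hash algorithm of every signature packet so a SHA-1-signed key can be identified before rpmkeys rejects it. The SAMPLE_KEY it builds is constructed for the demonstration (a dummy primary key and subkey with one SHA-1 certification and one SHA-512 binding signature); it is not the Plex key, and the helper names are this example's own.

```python
"""Report the digest algorithm of each signature in an ASCII-armored OpenPGP key."""
import base64
import re
import sys

# RFC 4880 section 9.4 hash algorithm IDs ("digest algo 2" in gpg's output is SHA1).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2, 3}  # refused by the EL9 / Fedora default crypto policy


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; checks the '=xxxx' armor trailer line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Return the raw packet bytes of an armored key (what gpg --dearmor writes)."""
    m = re.search(r"-----BEGIN PGP [^-]+-----\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("no PGP armor block found")
    lines = m.group(1).splitlines()
    if "" in lines:  # armor headers such as "Version: ..." end at the first blank line
        lines = lines[lines.index("") + 1:]
    crc_lines = [l for l in lines if l.startswith("=")]
    raw = base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))
    if crc_lines:
        expected = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
        if crc_lines[0][1:] != expected:
            raise ValueError("armor CRC mismatch")
    return raw


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old and new format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                plen = first
            elif first < 224:
                plen = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                plen = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 0x89 = tag 2 with a two-byte length, as in the thread
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            plen = int.from_bytes(data[i:i + (1, 2, 4)[ltype]], "big")
            i += (1, 2, 4)[ltype]
        yield tag, data[i:i + plen]
        i += plen


def signature_digests(data: bytes):
    """Return (signature class, hash algorithm id) for every signature packet (tag 2)."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 2:
            continue
        if body[0] in (4, 5):          # v4/v5: version, sigclass, pubkey algo, hash algo
            out.append((body[1], body[3]))
        elif body[0] == 3:             # v3: version, 5, sigclass, time(4), keyid(8), pk, hash
            out.append((body[2], body[16]))
    return out


def weak_signatures(armored: str):
    """Signatures whose digest the EL9 default policy rejects, as (sigclass, name)."""
    return [(c, HASH_ALGOS.get(h, str(h)))
            for c, h in signature_digests(dearmor(armored)) if h in WEAK_DIGESTS]


def _old_format_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def _armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed sample, not the real Plex key: dummy key bodies, one SHA-1 (2) positive
# certification (sigclass 0x13) like the thread's, one SHA-512 (10) subkey binding (0x18).
SAMPLE_KEY = _armor(
    _old_format_packet(6, bytes([4, 0, 0, 0, 0, 1]) + b"\x00" * 8)
    + _old_format_packet(13, b"Example Signer <signer@example.invalid>")
    + _old_format_packet(2, bytes([4, 0x13, 1, 2]) + b"\x00" * 4 + b"\x90\x2f")
    + _old_format_packet(14, bytes([4, 0, 0, 0, 0, 1]) + b"\x00" * 8)
    + _old_format_packet(2, bytes([4, 0x18, 1, 10]) + b"\x00" * 4 + b"\xab\xcd")
)

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEY
    for sigclass, algo in signature_digests(dearmor(source)):
        flag = "  <- rejected by EL9 default policy" if algo in WEAK_DIGESTS else ""
        print(f"sigclass 0x{sigclass:02x}: {HASH_ALGOS.get(algo, algo)}{flag}")
```

Run it with a downloaded key file as the argument (or with no argument to use the constructed sample). A key whose self-signatures all report SHA256 or stronger will import under the EL9 default policy; any SHA1 line is the signature that gpg --edit-key with a stronger --digest-algo would need to replace.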
Any update here? I’m having the same issue. I’ve been running updates manually, but it’d sure be nice to have the auto update work again.
I’m interested to know if there are any updates as well. I just set up a new server running AlmaLinux 9 and had the same issue today:
Importing GPG key 0x3ADCA79D:
Userid : "Plex Inc."
Fingerprint: CD66 5CBA 0E2F 88B7 373F 7CB9 9720 3C7B 3ADC A79D
From : https://downloads.plex.tv/plex-keys/PlexSign.key
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: plexmediaserver-1.28.2.6151-914ddd2b3.x86_64
GPG Keys are configured as: https://downloads.plex.tv/plex-keys/PlexSign.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED
I don’t know if it should work on AlmaLinux or not. It’s never been tested because AlmaLinux is not one of our supported mainstream distributions.
There is no way of knowing, like Mint, how far they deviated from mainstream.
GPG check FAILED is pretty severe in that it’s implying it can’t handle armored GPG keys.
It’s unfortunate it doesn’t elaborate what it didn’t like.
I will caveat that by reminding, it’s only a few months out of initial release.
Bugs are possible
After roughly a month in beta, AlmaLinux released AlmaLinux 9 GA (codenamed Emerald Puma) on May 26, 2022.Jun 22, 2022
Being “Binary compatible” is the easy part. The support tools and why it’s different than Centos/RHEL is where the issues come.
It’s the very same behavior as on CentOS Stream 9 and RHEL 9 and likely the same for AlmaLinux 9, Rocky Linux 9 and other EL9-based distros. It also happens on Fedora 36, depending on the active security policy… You may also configure EL8 to deny legacy signatures.
It’s OK to mention officially (un)supported distributions, but compatibility between the EL9 derivatives is not really the point here.
It’s neither a bug nor some incompatibility, but simply an updated security policy that prohibits GPG from importing keys with SHA-1 signatures. If the key cannot be imported, RPM obviously can’t verify the package signature and thus fails.
With gpgcheck=0 in the /etc/yum.repos.d/plex.repo, update command with --nogpgcheck parameter or manual download and setup of the RPM without signature checking, Plex installs and runs fine.
Thank you… That’s very informative.
I had tested this with a stock Fedora installation.
Is that perhaps where I err’d ?
How do you suggest I proceed?
Writing nogpgcheck defeats the purpose, doesn’t it?
I need to speak to Engineering about upgrading the SHA-1 if this is the new way of doing things.
@ChuckPa I definitely understand that AlmaLinux is not an officially supported distro, and I certainly don’t expect support for every flavor of linux under the sun. AlmaLinux is one of the more prominent distros that sprang up in the wake of Red Hat’s decision to cut support for CentOS 8 short and switch all future CentOS releases to Stream releases (beginning with CentOS 9 Stream), thus making CentOS a permanent beta OS. So there are now a few contenders vying for the “CentOS replacement” crown, including distros like AlmaLinux, Rocky Linux, and Oracle Linux. I tried CentOS 9 Stream for a little bit, started having compatibility problems with some software, and moved on. [end soapbox]
As @stkl notes, AlmaLinux and the other distros noted above are Fedora/EL9 derivatives, and I suspect we would see the same problem in CentOS 9 Stream/RHEL 9 (I believe the original poster was using CentOS 9 Stream). I can confirm that if I use --nogpgcheck at the command line, or set gpgcheck=0 in my plex.repo file, everything works just fine…but of course this is not the desired solution, as this directs the package manager to skip the process of checking the authenticity of the downloaded package.
Per the conversations above, the culprit seems to be the new default security policy in all EL9 distros (as well as all versions of Fedora moving forward). So I would expect that more and more folks will start having this issue over time. I assume the preferred solution would be to have your Engineering team upgrade the key using a supported algorithm – I assume SHA-256 would work, but there are others that might be more future-proof as well. Using this new key to sign future packages in the Plex repo should do the trick. @stkl’s post from 8/7 appears to have all the relevant info needed and I’m guessing they can speak to the technical side of this much better than I can.