Cannot import Skype repo GPG key on EL9

Question

Cannot import Skype repo GPG key on EL9

Orion Poplawski 1

The RPM GPG key used to sign packages in the Skype Linux repository needs to be updated. It cannot be imported on an EL9 system:

# curl -o /etc/pki/rpm-gpg/SKYPE-GPG-KEY https://repo.skype.com/data/SKYPE-GPG-KEY 
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current 
                                Dload  Upload   Total   Spent    Left  Speed 
100  1787  100  1787    0     0   5366      0 --:--:-- --:--:-- --:--:--  5350

# rpm --import /etc/pki/rpm-gpg/SKYPE-GPG-KEY 
warning: Signature not supported. Hash algorithm SHA1 not available. 
error: /etc/pki/rpm-gpg/SKYPE-GPG-KEY: key 1 import failed.

JimmyYang-MSFT 58,641 Reputation points Microsoft External Staff

2023-01-13T08:13:12.9666667+00:00

Hi @Orion Poplawski

Skyoe for Business linux tag is mainly focused on the general issue of Microsoft Teams for Linux troubleshooting. According to your description, your question is related to Skype in Linux, which is not in our support scope. So I will remove the tag from your thread. Thanks for your understanding and patience.

To help you get better support about your issue, you could post your question in this link:

https://answers.microsoft.com/en-us/skype/forum
Orion Poplawski 1 Reputation point

2023-01-13T15:19:43.8933333+00:00

That's funny - both sites have now pointed me to the other one - [https://answers.microsoft.com/en-us/skype/forum/all/cannot-import-skype-repo-gpg-key-on-el9/9ef6287a-142d-4a34-8de6-cc5cf7aae85f
Linux Global 0 Reputation points

2023-06-23T01:57:47.05+00:00
FYI: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Work-around:

I still want to install SHA-1 signed packages! This is discouraged. Even a signature from a years old RPM could be hacked recently by an attacker. If you really know what you are doing, there’s a possibility to use dnf --nogpgcheck option. Alternatively you can also switch to the legacy crypto policy:

> update-crypto-policies --set LEGACY > ``` > Or explicitly allow the SHA-1: >

update-crypto-policies --set DEFAULT:SHA1

But please don’t forget to switch back, e.g.:

> update-crypto-policies --set DEFAULT > ```

1 answer

Your answer

JimmyYang-MSFT 58,641 Reputation points Microsoft External Staff

2023-01-13T08:13:12.9666667+00:00

Hi @Orion Poplawski

Skyoe for Business linux tag is mainly focused on the general issue of Microsoft Teams for Linux troubleshooting. According to your description, your question is related to Skype in Linux, which is not in our support scope. So I will remove the tag from your thread. Thanks for your understanding and patience.

To help you get better support about your issue, you could post your question in this link:

https://answers.microsoft.com/en-us/skype/forum
Orion Poplawski 1 Reputation point

2023-01-13T15:19:43.8933333+00:00

That's funny - both sites have now pointed me to the other one - [https://answers.microsoft.com/en-us/skype/forum/all/cannot-import-skype-repo-gpg-key-on-el9/9ef6287a-142d-4a34-8de6-cc5cf7aae85f
Linux Global 0 Reputation points

2023-06-23T01:57:47.05+00:00

FYI: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Work-around:

I still want to install SHA-1 signed packages! This is discouraged. Even a signature from a years old RPM could be hacked recently by an attacker. If you really know what you are doing, there’s a possibility to use dnf --nogpgcheck option. Alternatively you can also switch to the legacy crypto policy:

> update-crypto-policies --set LEGACY > ``` > Or explicitly allow the SHA-1: >

update-crypto-policies --set DEFAULT:SHA1

But please don’t forget to switch back, e.g.:

> update-crypto-policies --set DEFAULT > ```

Answer 1

RHEL9 deprecated SHA-1. Here is the article: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Here is a work-around from the article:

I still want to install SHA-1 signed packages! This is discouraged. Even a signature from a years old RPM could be hacked recently by an attacker. If you really know what you are doing, there’s a possibility to use dnf --nogpgcheck option. Alternatively you can also switch to the legacy crypto policy:

> update-crypto-policies --set LEGACY
> ```

> Or explicitly allow the SHA-1:
> 
```bash
> update-crypto-policies --set DEFAULT:SHA1
> ```

> **But please don’t forget to switch back, e.g.:**
> 
```bash
> update-crypto-policies --set DEFAULT
> ```

Share via

Cannot import Skype repo GPG key on EL9

1 answer

Your answer