Cannot import Skype repo GPG key on EL9

Orion Poplawski 1 Reputation point
2023-01-11T14:50:53.7066667+00:00

The RPM GPG key used to sign packages in the Skype Linux repository needs to be updated. It cannot be imported on an EL9 system:

```
# curl -o /etc/pki/rpm-gpg/SKYPE-GPG-KEY https://repo.skype.com/data/SKYPE-GPG-KEY
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1787  100  1787    0     0   5366      0 --:--:-- --:--:-- --:--:--  5350

# rpm --import /etc/pki/rpm-gpg/SKYPE-GPG-KEY
warning: Signature not supported. Hash algorithm SHA1 not available.
error: /etc/pki/rpm-gpg/SKYPE-GPG-KEY: key 1 import failed.
```



1 answer

  1. Linux Global 0 Reputation points
    2023-06-23T01:56:32.69+00:00

    RHEL9 deprecated SHA-1. Here is the article: https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

    Here is a work-around from the article:

    > I still want to install SHA-1 signed packages! This is discouraged. Even a signature from a years old RPM could be hacked recently by an attacker. If you really know what you are doing, there’s a possibility to use dnf --nogpgcheck option. Alternatively you can also switch to the legacy crypto policy:
    >
    > ```bash
    > update-crypto-policies --set LEGACY
    > ```
    >
    > Or explicitly allow the SHA-1:
    >
    > ```bash
    > update-crypto-policies --set DEFAULT:SHA1
    > ```
    >
    > **But please don’t forget to switch back, e.g.:**
    >
    > ```bash
    > update-crypto-policies --set DEFAULT
    > ```
    
    
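The workaround quoted in the answer, wrapped so that the policy is always switched back, as an added example that is not part of the thread or the Red Hat article. It goes slightly beyond the quoted commands by restoring whatever policy was active before (read with `update-crypto-policies --show`) instead of assuming `DEFAULT`; the names `import_sha1_signed_key`, `UCP` and `RPM` are chosen here, and the script assumes `rpm --import` exits non-zero when an import fails.

```shell
#!/bin/sh
# Added example, not from the thread or the Red Hat article.
# UCP and RPM are hypothetical override variables so the logic can be
# exercised with stand-in commands instead of the real tools.
UCP=${UCP:-update-crypto-policies}
RPM=${RPM:-rpm}

# import_sha1_signed_key KEYFILE
# Tries the import under the current policy first. Only if that fails does it
# switch to DEFAULT:SHA1, retry, and then restore the policy that was active
# before, whether or not the retry succeeded. Run as root on the real system.
import_sha1_signed_key() {
    isk_keyfile=$1
    [ -r "$isk_keyfile" ] || { echo "cannot read $isk_keyfile" >&2; return 2; }

    # No policy change is needed if the key already imports cleanly.
    # Assumption: rpm --import exits non-zero when the import fails.
    if $RPM --import "$isk_keyfile" 2>/dev/null; then
        return 0
    fi

    # Remember the active policy so it can be put back afterwards.
    isk_previous=$($UCP --show) || return 3
    $UCP --set DEFAULT:SHA1 >/dev/null || return 3

    isk_rc=0
    $RPM --import "$isk_keyfile" || isk_rc=$?

    # Restore unconditionally. A failed restore gets its own exit code
    # because the system is then still accepting SHA-1 signatures.
    if ! $UCP --set "$isk_previous" >/dev/null; then
        echo "WARNING: could not restore crypto policy $isk_previous" >&2
        return 4
    fi
    return "$isk_rc"
}
```

Call it as `import_sha1_signed_key /etc/pki/rpm-gpg/SKYPE-GPG-KEY`; exit code 4 means the relaxed policy is still in effect and must be reset by hand.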