rpm-sequoia rejects CISOfy GPG key due to “No binding signature” policy error

[root-sector]

Description:
Installing Lynis on RHEL 10/Rocky Linux 10 fails during GPG key import:

error: Certificate 824612E20ACF951B:
  Policy rejects 824612E20ACF951B: No binding signature at time 2025‑06‑13T16:28:45Z
error: https://packages.cisofy.com/keys/cisofy-software-rpms-public.key: key 1 import failed.

Running transaction test
RPM: error: Verifying a signature using certificate 9146CE61DD174FB302C990A9824612E20ACF951B (CISOfy Software RPMs (signed software packages) <software-rpms@cisofy.com>):
RPM:   1. Certificate 824612E20ACF951B invalid: policy violation
RPM:       because: No binding signature at time 2025-01-28T12:06:42Z
RPM:       because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
RPM:       because: SHA1 is not considered secure
RPM:   2. Certificate 824612E20ACF951B invalid: policy violation
RPM:       because: No binding signature at time 2025-06-13T16:39:13Z
RPM:       because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
RPM:       because: SHA1 is not considered secure
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package lynis-3.1.4-100.noarch does not verify: Header V4 RSA/SHA256 Signature, key ID 0acf951b: NOTTRUSTED

This happens because modern rpm‑sequoia enforces stricter OpenPGP policies (rejecting SHA‑1 or missing binding signatures)

Steps to reproduce:
On RHEL 10/Rocky Linux 10 with default DEFAULT crypto policy, run:

rpm --import https://packages.cisofy.com/keys/cisofy-software-rpms-public.key

Observe the failure above.

Expected behavior:
The key should import normally so that Lynis can be installed securely without error.

Environment:
OS: RHEL 10/Rocky Linux 10

RPM backend: rpm‑sequoia with default crypto policy

Crypto policy: DEFAULT (disallows SHA‑1)

Workarounds (not ideal):

• Temporarily set crypto policy to LEGACY to import the key, then revert to DEFAULT with update-crypto-policies --set and install the lynis package.

Proposed solutions:
Please re-sign or issue a new CISOfy RPM key that:
Uses a valid binding signature.
Employs a strong algorithm (e.g., SHA‑256).

This would ensure compatibility with rpm‑sequoia and maintain secure package installs without weakening system crypto policies.

Additional context:
RHEL’s rpm‑sequoia migration enforces binding signatures and rejects keys signed with SHA‑1 or missing time-bound signatures, to prevent ambiguous trust model risks

[mboelen]

Thanks for reporting. We have to test this and probably release a new key for RPM signing. The big issue is backward and forward compatibility (or the lacking of) within the package tools on the (older) Red Hat based platforms.

[mboelen]

We are still looking into this. With a new version this week, we will now investigate the impact of switching the key.

[lisenet]

Same problem here during our migration from Rocky 9 to Rocky 10.

$ cat /etc/redhat-release 
Rocky Linux release 10.0 (Red Quartz)

$ sudo yum install lynis
Last metadata expiration check: 0:00:06 ago on Tue 19 Aug 2025 11:28:25 AM UTC.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                          Architecture                                      Version                                                 Repository                                        Size
===================================================================================================================================================================================================================
Installing:
 lynis                                            noarch                                            3.1.5-100                                               lynis                                            347 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total size: 347 k
Installed size: 1.7 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] lynis-3.1.5-100.noarch.rpm: Already downloaded                                                                                                                                                          
CISOfy Software - Lynis package                                                                                                                                                     20 kB/s | 1.0 kB     00:00    
Importing GPG key 0x0ACF951B:
 Userid     : ""
 Fingerprint: 9146 CE61 DD17 4FB3 02C9 90A9 8246 12E2 0ACF 951B
 From       : https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
Is this ok [y/N]: y
error: Certificate 824612E20ACF951B:
  Policy rejects 824612E20ACF951B: No binding signature at time 2025-08-19T11:28:33Z
Key import failed (code 2). Failing package is: lynis-3.1.5-100.noarch
 GPG Keys are configured as: https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

[mboelen]

Yes, all systems will get this message. This is common for third-party packages, as they switched the policy without providing a clear hint that deprecation would occur with the next OS level.

As it looks like now, we don't have to switch the key, but have to refresh it and give it a newer checksum type. It was SHA1 as some older versions of Red Hat (and clones) did not support newer ones. So for backwards compatibility this was then chosen. That is also the reason that we have two different keys to allow this support at that time.

We are working on it, so stay tuned.

[mboelen]

The first change has been applied. It results in a new public key, so that is also published now.

@root-sector and @lisenet can you test if things works as expected for you?

We will update the page on the package repository to reflect these changes.

[mboelen]

In the meantime, I did a test myself on a fresh installation and that went well.

It would be great to hear from someone that already had the repository active, and also if you get any message (like updating the key again).

Keeping this open to allow feedback.