Skip to content

redhat/subscription-crypto-policy-override

OpenSCAP packages, profile, and settings during OS Install

Note that the default keys may all fail to import on RHEL Server 9, the failure is not fatal to the running task. RHEL Server 9 and newer enforces that SHA1 signed keys and encryption algorithms can not be used. Redhat's own Security keys are all SHA1 signed keys.

It is possible to forcibly enable installation of GPG keys that are signed with a SHA1 hash function. This is done setting the policy as follows:

  • update-crypto-policies --set DEFAULT:SHA1

To return the system to the default policy, not allowing use of the SHA1 hash function, do:

  • update-crypto-policies --set DEFAULT

The Param redhat/subscription-crypto-policy-override can be set with the policy changes to override the key import. To do so, set the Param to DEFAULT:SHA1 (or any other supported --set directive. NOTE that the --set DEFAULT directive will immediately be reset at the end of the task run.