redhat/subscription-gpg-keys¶
OpenSCAP packages, profile, and settings during OS Install
This is an array of strings where each string is a Yum Repo GPG key to import. Specify either rendered keys (file path) on the system, or a URL reference to the key.
If not specified, the primary Redhat keys will be added, as referenced at https://access.redhat.com/security/team/key
Note that the default keys may all fail to import on RHEL Server 9, the failure is not fatal to the running task. RHEL Server 9 and newer enforces that SHA1 signed keys and encryption algorithms can not be used. Redhat's own Security keys are all SHA1 signed keys.
It is possible to forcibly enable installation of GPG keys that are signed with a SHA1 hash function. This is done setting the policy as follows:
update-crypto-policies --set DEFAULT:SHA1
To return the system to the default policy, not allowing use of the SHA1 hash function, do:
update-crypto-policies --set DEFAULT
The Param redhat/subscription-crypto-policy-override
can be set with the
policy changes to override the key import. To do so, set the
Param to DEFAULT:SHA1
(or any other supported --set
directive.
NOTE that the --set DEFAULT
directive will immediately be
reset at the end of the task run.