Why Red Hat Enterprise Linux 6 has a new package signing key
Starting with Red Hat Enterprise Linux 6 we have switched to SHA-256 as the digest algorithm in the signatures on all RPM packages, and to a 4096-bit RSA signing key.
We've done this because current best practice is to migrate away from MD5 and SHA-1 because of the collision weaknesses found in them. Those weaknesses do not yet translate into a practical attack on package signing, however, so our existing shipped products, which use the older hashes, will continue to use their existing keys until they reach their end of life.
A similar switch to stronger signing was already made in Fedora 11; it required changes to RPM itself.
In practice this means we used new signing keys for both the beta and final release packages for Red Hat Enterprise Linux 6. As with previous keys, those keys were created in, and are protected by, a hardware security module.
Details and the full fingerprint of the new key, ID #fd431d51, are published separately. When checking the key, compare the complete fingerprint rather than the 8-hex-digit ID: the short ID is only the low 32 bits of the fingerprint, and a key with a matching short ID is cheap to produce.
Also in the Red Hat Enterprise Linux 6 distribution we've started to simplify the layout of the key files in the /etc/pki/rpm-gpg/ directory:
- RPM-GPG-KEY-redhat-beta : Both the old and new beta keys
- RPM-GPG-KEY-redhat-release : Both the new signing key and the auxiliary key
- RPM-GPG-KEY-redhat-legacy-release : The signing key used for EL5
- RPM-GPG-KEY-redhat-legacy-former : The signing key used for products before EL5
- RPM-GPG-KEY-redhat-legacy-rhx : The signing key used for RHX
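Before importing one of the key files above (or a key obtained from anywhere else), a practitioner wants two checks: that the file's full fingerprint matches the published one, and that package signatures really use the digest algorithm the text describes. The following is an added example, not Red Hat's own tooling or code from this post: it dearmors an OpenPGP public key block, verifies the armor CRC-24, parses the first packet (old- and new-format headers), computes the RFC 4880 version-4 fingerprint, derives the long and short key IDs from it, and reads the hash algorithm out of a version-4 signature packet. The key and signature it inspects are constructed inline with a dummy 4096-bit modulus and a dummy signature MPI; they are not Red Hat's key, and `inspect_key`, `signature_hash`, `HASH_ALGOS` and the other names are this example's own. To use it on a real file, pass the contents of RPM-GPG-KEY-redhat-release to `inspect_key` and compare the `fingerprint` field with the one Red Hat publishes.

```python
import base64
import hashlib
import struct
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880 9.4

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length (0x99 for tag 6, 0x89 for tag 2)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) and verify its CRC-24 trailer."""
    lines = text.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = [l.strip() for l in lines[lines.index("", begin) + 1:end] if l.strip()]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc = [l[1:] for l in body if l.startswith("=")]
    if crc and crc24(raw) != int.from_bytes(base64.b64decode(crc[0]), "big"):
        raise ValueError("armor CRC mismatch: key file is corrupt")
    return raw

def first_packet(raw: bytes) -> tuple:
    """(tag, body) of the first packet; old- and new-format headers (RFC 4880 4.2)."""
    first = raw[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format header
        tag, b0 = first & 0x3F, raw[1]
        if b0 < 192:
            length, start = b0, 2
        elif b0 < 224:
            length, start = ((b0 - 192) << 8) + raw[2] + 192, 3
        elif b0 == 255:
            length, start = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                              # old-format header, as gpg exports keys
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(raw[1:start], "big")
    return tag, raw[start:start + length]

def inspect_key(armored: str) -> dict:
    """Fingerprint, key IDs and RSA modulus size of the primary key in an armored block."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version-4 public-key packet")
    fp = v4_fingerprint(body)
    long_id = fp[-8:].hex()                            # low 64 bits of the fingerprint
    bits = struct.unpack(">H", body[6:8])[0] if body[5] == 1 else None  # RSA: first MPI is n
    return {"fingerprint": fp.hex().upper(), "long_id": long_id,
            "short_id": long_id[-8:], "bits": bits}    # short ID: the '#fd431d51' form

def signature_hash(packet: bytes) -> str:
    """Hash algorithm named in a version-4 signature packet (RFC 4880 section 5.2.3)."""
    tag, body = first_packet(packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version-4 signature packet")
    return HASH_ALGOS.get(body[3], f"unknown({body[3]})")

# Constructed samples, not real Red Hat material: a fixed 4096-bit odd modulus (not a
# product of primes) and a signature with a dummy MPI are enough to exercise the code.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1262304000) + b"\x01" + mpi((1 << 4095) | 0x1234567) + mpi(65537)
SAMPLE_SIG = old_packet(2, b"\x04\x00\x01\x08" + b"\x00\x00\x00\x00" + b"\xab\xcd" + mpi(12345))

def armor(packet: bytes) -> str:
    """ASCII-armor a raw packet with its CRC-24 trailer, as gpg --armor --export does."""
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])

SAMPLE_KEY = armor(old_packet(6, SAMPLE_BODY))

if __name__ == "__main__":
    print(inspect_key(SAMPLE_KEY), signature_hash(SAMPLE_SIG))
```

The `short_id` field is the form that appears in a name like #fd431d51. It is derived from the fingerprint, not the other way round, and because it is only 32 bits a second key with the same short ID can be generated quickly; use it to look a key up, but use the full 160-bit fingerprint to decide whether to trust it. The CRC-24 check only catches accidental corruption of the armor, not deliberate substitution of the whole file, which is exactly why the fingerprint comparison matters.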
The auxiliary key mentioned above is for emergency use only. We created it some time ago on a new standalone machine, printed a hardcopy of the private key and its passphrase, stored the two separately and securely, and destroyed the software copies. We've planned for many eventualities, but in the unlikely event that we lose the ability to sign with the hardware key we could retrieve the printout, type the key back in, and continue to sign updates.