RPM Repository not FIPS compliant

From: Mikkel Kruse Johnsen
Subject: RPM Repository not FIPS compliant
Msg-id: f70eb7c8e56b7e922f602d1ec9612cf491240ff7.camel@xmedicus.com
Replies: Re: RPM Repository not FIPS compliant (Devrim Gündüz <devrim@gunduz.org>)
List: pgsql-pkg-yum

Hi All

When will this config be FIPS compliant?

The file:/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG is not FIPS compliant; it seems to only use 1024 bit and must use at least 2048 bit.

# pgpdump /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG

Old: Public Key Packet(tag 6)(418 bytes)
    Ver 4 - new
    Public key creation time - Tue Jan 8 22:59:38 CET 2008
    Pub alg - DSA Digital Signature Algorithm(pub 17)
    DSA p(1024 bits) - ...
    DSA q(160 bits) - ...
    DSA g(1023 bits) - ...
    DSA y(1023 bits) - ...
Old: User ID Packet(tag 13)(62 bytes)
    User ID - PostgreSQL RPM Building Project <pgsql-pkg-yum@postgresql.org>
Old: Signature Packet(tag 2)(120 bytes)
    Ver 4 - new
    Sig type - Positive certification of a User ID and Public Key packet(0x13).
    Pub alg - DSA Digital Signature Algorithm(pub 17)
    Hash alg - SHA1(hash 2)
    Hashed Sub: issuer fingerprint(sub 33)(21 bytes)
        v4 - Fingerprint - 68 c9 e2 b9 1a 37 d1 36 fe 74 d1 76 1f 16 d2 e1 44 2d f0 f8
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sat May 1 00:23:13 CEST 2021
    Hashed Sub: key flags(sub 27)(1 bytes)
        Flag - This key may be used to certify other keys
        Flag - This key may be used to sign data
        Flag - This key may be used for authentication
    Hashed Sub: preferred symmetric algorithms(sub 11)(4 bytes)
        Sym alg - AES with 256-bit key(sym 9)
        Sym alg - AES with 192-bit key(sym 8)
        Sym alg - AES with 128-bit key(sym 7)
        Sym alg - Triple-DES(sym 2)
    Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
        Hash alg - SHA512(hash 10)
        Hash alg - SHA384(hash 9)
        Hash alg - SHA256(hash 8)
        Hash alg - SHA224(hash 11)
        Hash alg - SHA1(hash 2)
    Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
        Comp alg - ZLIB <RFC1950>(comp 2)
        Comp alg - BZip2(comp 3)
        Comp alg - ZIP <RFC1951>(comp 1)
    Hashed Sub: features(sub 30)(1 bytes)
        Flag - Modification detection (packets 18 and 19)
    Hashed Sub: key server preferences(sub 23)(1 bytes)
        Flag - No-modify
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x1F16D2E1442DF0F8
    Hash left 2 bytes - fc b2
    DSA r(160 bits) - ...
    DSA s(155 bits) - ...
        -> hash(DSA q bits)
Old: Public Subkey Packet(tag 14)(525 bytes)
    Ver 4 - new
    Public key creation time - Tue Jan 8 22:59:38 CET 2008
    Pub alg - ElGamal Encrypt-Only(pub 16)
    ElGamal p(2048 bits) - ...
    ElGamal g(3 bits) - ...
    ElGamal y(2048 bits) - ...
Old: Signature Packet(tag 2)(73 bytes)
    Ver 4 - new
    Sig type - Subkey Binding Signature(0x18).
    Pub alg - DSA Digital Signature Algorithm(pub 17)
    Hash alg - SHA1(hash 2)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Tue Jan 8 22:59:38 CET 2008
    Hashed Sub: key flags(sub 27)(1 bytes)
        Flag - This key may be used to encrypt communications
        Flag - This key may be used to encrypt storage
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x1F16D2E1442DF0F8
    Hash left 2 bytes - 2b 87
    DSA r(160 bits) - ...
    DSA s(160 bits) - ...
        -> hash(DSA q bits)


---
[pgdg15]
name=PostgreSQL 15 for RHEL / Rocky $releasever - $basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
repo_gpgcheck = 1
---

Please update, this is really hurting the security.


-- 
Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Managing Director, Co-owner

XMedicus Systems ApS
Gladsaxevej 363
2860 Søborg

Phone: +45 8883 6000
Direct: +45 8883 6001
Support: +45 8883 6009
e-mail: mikkel@xmedicus.com
web: https://www.xmedicus.com
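
The check the message performs by eye, written out as an added example (not part of the original message and not PGDG tooling): it reads pgpdump text like the output above and flags key moduli below the 2048-bit minimum the message cites, plus signatures made with SHA1. Treating SHA1 as weak and the `RSA n` line label are assumptions of this example; the function names are hypothetical.

```python
import re
import sys

MIN_BITS = 2048          # minimum size cited in the message
WEAK_HASHES = {"SHA1"}   # assumption of this example; the message only shows SHA1 in use

# Constructed sample: an excerpt of the pgpdump output quoted in the message.
SAMPLE = """\
Old: Public Key Packet(tag 6)(418 bytes)
Pub alg - DSA Digital Signature Algorithm(pub 17)
DSA p(1024 bits) - ...
DSA q(160 bits) - ...
Old: Signature Packet(tag 2)(120 bytes)
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Hash alg - SHA1(hash 2)
Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
Hash alg - SHA512(hash 10)
Hash alg - SHA1(hash 2)
Old: Public Subkey Packet(tag 14)(525 bytes)
ElGamal p(2048 bits) - ...
Old: Signature Packet(tag 2)(73 bytes)
Sig type - Subkey Binding Signature(0x18).
Hash alg - SHA1(hash 2)
"""

PACKET = re.compile(r"^(?:Old|New): (.+?)\(tag \d+\)")
# "RSA n" is not in the message's dump; included on the assumption pgpdump labels it so.
MODULUS = re.compile(r"^(DSA p|ElGamal p|RSA n)\((\d+) bits\)")
SIG_HASH = re.compile(r"^Hash alg - (\w+)\(hash \d+\)")

def audit(dump, min_bits=MIN_BITS, weak_hashes=WEAK_HASHES):
    """Return (packet, finding) pairs for undersized keys and weak signature hashes."""
    findings, packet, in_subpackets = [], None, False
    for line in map(str.strip, dump.splitlines()):
        if m := PACKET.match(line):
            packet, in_subpackets = m.group(1), False
        elif line.startswith(("Hashed Sub:", "Sub:")):
            # Later "Hash alg" lines are preference lists, not the hash actually used.
            in_subpackets = True
        elif m := MODULUS.match(line):
            if int(m.group(2)) < min_bits:
                findings.append((packet, f"{m.group(1)} is {m.group(2)} bits, below {min_bits}"))
        elif (m := SIG_HASH.match(line)) and not in_subpackets and m.group(1) in weak_hashes:
            findings.append((packet, f"signed with {m.group(1)}"))
    return findings

if __name__ == "__main__":
    # Usage: pgpdump /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG | python3 audit_key.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for packet, finding in audit(text):
        print(f"{packet}: {finding}")
```

The SHA1 entry under "preferred hash algorithms" is deliberately not reported: it is a preference list, whereas the `Hash alg` line directly under each Signature Packet is the hash the signature actually uses.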
