Upcoming Code Signing and Repository Key Rotation for RPMs


To continue ensuring the integrity of the software we distribute, and to conform to evolving platform security standards, we are changing how we sign software distributed in RPM packages for the core Next-Gen WAF product. Specifically, the repository and code signing keys will be replaced with keys that use the newer and more secure SHA-256 algorithm instead of the older SHA-1 algorithm. This change will impact users who consume the core Next-Gen WAF agent as well as any modules that are packaged as RPMs.

We plan to make this change on Monday, September 23rd at 12:00PM EDT (4PM GMT). After this, all RPM packages released as part of the core Next-Gen WAF product will be signed with keys using the SHA-256 algorithm.

Who is impacted by this change?

Users who run the core Next-Gen WAF on Red Hat Enterprise Linux (RHEL) and systems derived from it, such as CentOS or Amazon Linux, are impacted by this change. If the packages you install or update have an extension of .rpm then you are affected.

What will I need to do?

After Monday, September 23rd, 2024, at 12:00 PM ET (4PM GMT), you will need to download new public keys for both our repository and our packages. Before then, no changes will be needed to package updates. Take the actions below after the planned change date.

If you delete the existing public keys, the repository tool YUM will download the new ones during update. To delete the code signing and repository keys, execute the following command:

$ rpm -e gpg-pubkey-db6249a1-666932d2
$ rpm -e gpg-pubkey-b61c0150-5cf6f75f

If you are using a RHEL 7 or earlier system, you will need to take additional steps to delete the keys. Follow these instructions:

  1. Check your /etc/yum.conf file and note the value of persistdir. If persistdir is not set, you can assume it is /var/lib/yum.

  2. Determine which CPU architecture the repository has been installed for: x86_64 for 64-bit x86 systems and aarch64 for 64-bit ARM systems.

  3. Determine the version number of the CentOS or Red Hat you are running (7, 8 or 9).

  4. Replace x86_64 and 7 in the following commands with your CPU architecture and CentOS or Red Hat version (and replace /var/lib/yum with your persistdir if it differs):

    $ gpg --homedir /var/lib/yum/repos/x86_64/7/sigsci_release/gpgdir --delete-key DB6249A1
    $ gpg --homedir /var/lib/yum/repos/x86_64/7/sigsci_release/gpgdir --delete-key B61C0150
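The steps above, collected into one dry-run helper that only prints the commands an operator would run. This is an added example, not Fastly's tooling: the two retired key IDs, the persistdir default of /var/lib/yum and the repos/ARCH/VERSION/sigsci_release/gpgdir layout come from this announcement; the function names, the VERSION_ID parsing of /etc/os-release and the dry-run behaviour are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Fastly's code): plan the removal of the retired SHA-1
# repository and code signing keys so that YUM fetches the SHA-256 keys on
# the next update. Nothing is executed; commands are printed for review.
set -eu

# Key IDs of the keys being retired, as given in the announcement.
OLD_KEY_IDS="db6249a1 b61c0150"

# Step 1: read persistdir from yum.conf; default to /var/lib/yum when unset.
yum_persistdir() {
    conf="${1:-/etc/yum.conf}"
    dir=""
    if [ -r "$conf" ]; then
        dir="$(sed -n 's/^[[:space:]]*persistdir[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)"
    fi
    printf '%s\n' "${dir:-/var/lib/yum}"
}

# Steps 2-4: the gpgdir YUM keeps for the sigsci_release repository.
# $1 = persistdir, $2 = arch (x86_64 or aarch64), $3 = major version (7, 8 or 9)
sigsci_gpgdir() {
    printf '%s/repos/%s/%s/sigsci_release/gpgdir\n' "$1" "$2" "$3"
}

# Major OS version from /etc/os-release content (VERSION_ID=7, "7" or "8.9").
os_major_version() {
    printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p' | head -n 1
}

# Given the output of `rpm -q gpg-pubkey`, print only the installed
# gpg-pubkey packages that carry one of the retired key IDs.
old_pubkey_packages() {
    for id in $OLD_KEY_IDS; do
        printf '%s\n' "$1" | grep -i "^gpg-pubkey-${id}-" || true
    done
}

# Print the rpm -e commands for the retired keys and, on RHEL 7 or earlier,
# the extra gpg --delete-key commands for the repository's own gpgdir.
plan_key_removal() {
    conf="${1:-/etc/yum.conf}"
    osrel="${2:-/etc/os-release}"
    installed="$(rpm -q gpg-pubkey 2>/dev/null || true)"
    old_pubkey_packages "$installed" | while read -r pkg; do
        printf 'rpm -e %s\n' "$pkg"
    done
    major="$(os_major_version "$(cat "$osrel" 2>/dev/null || true)")"
    if [ -n "$major" ] && [ "$major" -le 7 ]; then
        dir="$(sigsci_gpgdir "$(yum_persistdir "$conf")" "$(uname -m)" "$major")"
        for id in $OLD_KEY_IDS; do
            printf 'gpg --homedir %s --delete-key %s\n' \
                "$dir" "$(printf '%s' "$id" | tr 'a-f' 'A-F')"
        done
    fi
}

# Usage: source this file, then run `plan_key_removal` and review the output
# before executing any of the printed commands.
```

After the printed commands have been run and the next `yum update` has imported the new keys, `rpm -q gpg-pubkey` should no longer list either of the two retired key IDs.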

What will happen if I don’t make any changes?

If you do not make any changes, all of your existing agents will continue to protect your application from attacks; nothing will stop working. However, you will not be able to upgrade to newer versions of the core Next-Gen WAF agent or modules released after Monday, September 23rd at 12:00PM EDT (4PM GMT). If you do not upgrade to newer versions of the core Next-Gen WAF agent or module, you may miss important bug fixes and features.

Who is not impacted by this change?

Users who do not install or update the core Next-Gen WAF using RPMs are not impacted. Specifically, users who install the core Next-Gen WAF using DEB (Debian or Ubuntu) or APK (Alpine Linux) packages are not affected. Windows users are not affected. Users who install our software using a so-called tarball (a packaged file with the .tar.gz extension) are not affected. Users who deploy the Next-Gen WAF using either the Edge or Cloud WAF methods, or users of any other Fastly service are also not affected.

Who can I contact if I need help?

If you have any questions, contact support by visiting https://support.fastly.com/ or sending email to support@fastly.com.
