alertlogic / al-agents-ansible-playbooks

Ansible Playbooks to install and provision the Alert Logic Unified Agent
Apache License 2.0

RPM is not signed #32

Open mrwacky42 opened 3 years ago

mrwacky42 commented 3 years ago

This ansible role fails on Amazon Linux 2 instances due to an unsigned package. Amazon Linux 2 instances have gpgcheck=1 configured by default.

As implemented, this role does not work on Amazon Linux 2, or any system with gpgcheck=1 enabled. Workaround: switch from package to yum for RedHat and explicitly set disable_gpg_check: true

It seems that a security product should expect to be installed on a securely configured instance. Given the recent debacle with Solarwinds, it is somewhat scary to install vendors' unsigned packages.

deekayen commented 2 years ago

Since it's been over a year, I forked this project and published an alternative to Galaxy. https://github.com/deekayen/al-agents-ansible-playbooks has a kludge, some updates, and Molecule testing until I can get Alert Logic to publish the GPG key so we can do a proper key import and/or validation task.

dsix-work commented 1 year ago

Something like this would probably be sufficient for RHEL 8/9:

In tasks/install_agent.yml:

    - name: Import Alert Logic Atlas GPG key.
      ansible.builtin.rpm_key:
        key: "{{ al_agent_gpg_key }}"
        fingerprint: "{{ al_agent_gpg_fingerprint }}"
        state: present
      when:
        - ansible_os_family == "RedHat"

In vars/RedHat.yml:

    al_agent_gpg_key: "{{ al_agent_base_url }}/software/al-agent-pkg-key.asc"
    al_agent_gpg_fingerprint: '9a2a3e9a817127b121b2b2fb00802f0e0186cc36'

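
An added example, not code from the alertlogic role and not posted by anyone in this thread, that puts the key-import task above into a complete play and replaces the `disable_gpg_check: true` workaround from the first comment with an explicit signature check before installation. Only the key path and fingerprint are taken from the comment above; `al_agent_base_url`, the RPM URL, the download path and the package file name are placeholders I have assumed for illustration.

```yaml
# Added example, not code from the alertlogic role or from any commenter above.
# It shows the alternative to the disable_gpg_check: true workaround: pin the
# vendor key by fingerprint, refuse an RPM that is unsigned or signed by some
# other key, then let yum/dnf run with gpgcheck left on.
# Assumptions: al_agent_base_url, the RPM URL and the download path are
# placeholders; only the key path and fingerprint come from the thread.
- name: Install the Alert Logic agent with package signature checks enforced
  hosts: all
  become: true
  vars:
    al_agent_base_url: "https://example.invalid"                        # placeholder
    al_agent_gpg_key: "{{ al_agent_base_url }}/software/al-agent-pkg-key.asc"
    al_agent_gpg_fingerprint: "9a2a3e9a817127b121b2b2fb00802f0e0186cc36"
    al_agent_rpm_url: "{{ al_agent_base_url }}/software/al-agent.rpm"  # placeholder
    al_agent_rpm_path: /tmp/al-agent.rpm
  tasks:
    - name: Only RedHat-family hosts use rpm/yum/dnf
      ansible.builtin.assert:
        that: ansible_os_family == "RedHat"
        fail_msg: "this play targets RedHat-family hosts only"

    - name: Import the vendor key, pinned to the expected fingerprint
      # rpm_key downloads the .asc and refuses it if the fingerprint differs,
      # so a swapped key on the download host fails here rather than later.
      ansible.builtin.rpm_key:
        key: "{{ al_agent_gpg_key }}"
        fingerprint: "{{ al_agent_gpg_fingerprint }}"
        state: present

    - name: Download the agent RPM
      ansible.builtin.get_url:
        url: "{{ al_agent_rpm_url }}"
        dest: "{{ al_agent_rpm_path }}"
        mode: "0644"

    - name: Refuse an RPM that is unsigned or signed by a different key
      # rpm -K alone passes an unsigned package (its digests still verify), so
      # query the signature tags directly and require the pinned key's 64-bit
      # key ID (the last 16 hex digits of the fingerprint) to appear in them.
      # An unsigned package prints "(none)" for both tags and the task fails.
      ansible.builtin.command:
        argv:
          - rpm
          - -qp
          - --qf
          - "%{SIGPGP:pgpsig}\n%{RSAHEADER:pgpsig}\n"
          - "{{ al_agent_rpm_path }}"
      register: al_agent_sig
      changed_when: false
      failed_when: al_agent_gpg_fingerprint[-16:] not in al_agent_sig.stdout

    - name: Install with GPG checking left on
      # No disable_gpg_check: true here. ansible.builtin.yum dispatches to the
      # dnf backend on RHEL 8/9 and uses yum on Amazon Linux 2.
      ansible.builtin.yum:
        name: "{{ al_agent_rpm_path }}"
        state: present
        disable_gpg_check: false
```

The explicit `rpm -qp` task is there because yum and dnf apply `gpgcheck` to packages that come from a repository; for an RPM installed from a local file they consult `localpkg_gpgcheck`, which defaults to off, so relying on the installer alone would still let an unsigned file through. With the check in place the play fails closed on an unsigned or wrongly signed package instead of installing it, which is the behaviour the first comment asks for.
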
jearly commented 1 year ago

Public contributions are welcome! Anyone can submit a Pull Request for features and further OS support. We will review them and publish them once approved. Please follow the guidelines in the Readme and we will happily review and test them on our end. https://github.com/alertlogic/al-agents-ansible-playbooks#contributing