RPM Not Signed

[ferricoxide]

Wanted to start playing with the SSM agent for our EL7-based builds. However, our EL7 builds security requirements (per DISA STIG-ID RHEL-07-020150 and SRG-OS-000366-GPOS-00153) state that all RPMs must be signed by a trusted authority. Upon attempting to install the SSM agent per the documentation, yum fails with a Package amazon-ssm-agent.rpm is not signed.

While this can be worked around by adding --nogpgcheck to the yum-invocation:

1. Many of our DevOps-enabled programs are light on EL-specific expertise and won't know to do this
2. Many who do know to do this will be reluctant to do it as it would potentially be construed as "circumvention".
3. Enterprise CM tools may automatically/summarily remove any unsigned RPMs that are installed - breaking workflows that are created to depend on the agent.

In short, all AWS-furnished RPMs (that are called out in the docs.aws.amazon.com-hosted URLs) should probably be signed (and a trusted signing-key's public-key be published).

[shihuazhang]

Thanks for your feedback ferricoxide,

The team is aware of this issue and will address it for the next release

[lorengordon]

@shihuazhang there have been a couple releases since the issue was opened. Is the rpm signed now?

[redbaron]

Please provide signed RPM or at least signed checksums file on S3 bucket.

[shihuazhang]

Hi @lorengordon and @redbaron
Thanks for your feedback, we currently have the work item tracked internally, I will let the team know and having the ECD provided here.

[ferricoxide]

@shihuazhang any updates? A little less than two months till we hit this issue's anniversary-date and nearly a quarter since your last comment.

[mmendonca3]

We acknowledge your request but we do not have a date for this on our road-map. We will continue tracking it closely.

[edelkind]

It's strange and a little disconcerting that this is proving so difficult to implement. If Amazon said, "We think that https should be enough for anyone, and have no plans to implement this, ever," then i'd feel better about that response (hopefully coupled with doc updates) than about the acknowledgement and ensuing inactivity.

[ferricoxide]

@edelkind except that, since that isn't really the point of signing an RPM, it would be a bit disappointing to see such a response.

I mean, this would make a degree of sense if the underlying reason for the delay were that they don't currently have the infrastructure and/or process in place for managing signing-keys ...but if that were the case, I'd want to see that reason at least offered (and possibly some kind of tracking-info for that effort that we'd hopefully be able to follow).

[FilBot3]

Isn't there an AWS provided GPG signing key for their RPM's and such?

[nehalaws]

Thank you for posting the issue, this is still item in our backlog and we don't have a date yet for when it will be completed

[ferricoxide]

@nehalaws

I'm confused: you seem to be saying the issue hasn't been resolved but you're still closing the issue??

[emyglobal]

Are we going to continue a workaround by introducing a security hole? Is this GPG Key available for this rpm? YET?

[ferricoxide]

@emyglobal certainly seems that way...

Are we going to continue a workaround by introducing a security hole?

[eramos-ce]

8 years and this issue is still unresolved. This should be taken into consideration to maintain accreditation for clients requiring SSM connectivity.