fluent / fluentd

Fluentd: Unified Logging Layer (project under CNCF)
https://www.fluentd.org
Apache License 2.0
12.9k stars 1.34k forks

td-agent should sign repo metadata for yum/dnf repos so install can occur on RHEL 8 with repo_gpgcheck=1 #3436

Closed justchris1 closed 3 years ago

justchris1 commented 3 years ago

td-agent won't operate as a repo on Redhat / Centos 8 (maybe 7 as well?) machines if repo_gpgcheck=1 is specified in the /etc/yum.repos.d configuration file. This prevents the repo metadata from being cryptographically validated to increase the confidence that the proper updates are being applied/installed.

Describe the bug

TD should sign its metadata in the yum/dnf repository that it distributes so that it can be validated.

To Reproduce

Follow instructions to install the repo in yum.repos.d as described here: https://docs.fluentd.org/installation/install-by-rpm NOTE: I had to remove the backslashes '\' from the baseurl to get it to work in RHEL 8. Then open the file installed (/etc/yum.repos.d/td.repo) and insert at the end repo_gpgcheck=1. Then execute 'dnf install td-agent'. The following occurs:

TreasureData                                                                                                                                                                 3.7 kB/s | 569  B     00:00    
TreasureData                                                                                                                                                                  85 kB/s | 3.1 kB     00:00    
TreasureData                                                                                                                                                                  11 kB/s | 569  B     00:00    
Errors during downloading metadata for repository 'treasuredata':
  - Status code: 404 for http://packages.treasuredata.com/4/redhat/8/x86_64/repodata/repomd.xml.asc (IP: 99.86.230.8)
Error: Failed to download metadata for repo 'treasuredata': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for http://packages.treasuredata.com/4/redhat/8/x86_64/repodata/repomd.xml.asc (IP: 99.86.230.8)

Expected behavior

The package would install since the repo metadata could be cryptographically verified.

Your Environment

If you hit the problem with an older fluentd version, try the latest version first.

Your Configuration

Not yet installed.

Your Error Log

Errors during downloading metadata for repository 'treasuredata':
  - Status code: 404 for http://packages.treasuredata.com/4/redhat/8/x86_64/repodata/repomd.xml.asc (IP: 99.86.230.8)
Error: Failed to download metadata for repo 'treasuredata': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for http://packages.treasuredata.com/4/redhat/8/x86_64/repodata/repomd.xml.asc (IP: 99.86.230.8)

Additional context

Some high compliance environments are not permitted to use repositories unless repo_gpgcheck=1 due to the potential avenues for targeted attacks on systems. Signing repository metadata enables users to be assured that the published data is valid and made available by the signer.
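As an added example (not fluentd or td-agent project code), a small audit script that parses a yum/dnf .repo definition and reports which of the two signature checks discussed in this report are missing: gpgcheck for packages and repo_gpgcheck for the repomd.xml signature that dnf tried to fetch as repomd.xml.asc. The embedded td.repo text is constructed from the values quoted above, and the gpgkey URL is a placeholder, not the project's real key location.

```python
import configparser
from io import StringIO

# Constructed sample (not the project's real td.repo): values taken from the
# report's error output; the gpgkey URL is a placeholder.
TD_REPO_AS_INSTALLED = """\
[treasuredata]
name=TreasureData
baseurl=http://packages.treasuredata.com/4/redhat/8/x86_64
gpgcheck=1
gpgkey=https://example.invalid/GPG-KEY-placeholder
"""
# The same file with repo_gpgcheck=1 appended, as the report describes.
TD_REPO_HARDENED = TD_REPO_AS_INSTALLED + "repo_gpgcheck=1\n"


def _enabled(section, key):
    """True when the option is 1/true/yes; an unset option counts as off."""
    return section.get(key, "0").strip().lower() in ("1", "true", "yes")


def audit_repo_file(text):
    """Map each repo id in a .repo file to a list of missing protections.

    gpgcheck covers per-package signatures; repo_gpgcheck covers the
    signature over repodata/repomd.xml (the repomd.xml.asc dnf asked for).
    An empty list means the repo has both checks enabled.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # '$' in baseurl
    cfg.read_file(StringIO(text))
    report = {}
    for repo_id in cfg.sections():
        sec, findings = cfg[repo_id], []
        if not _enabled(sec, "gpgcheck"):
            findings.append("gpgcheck=1 missing: package signatures unverified")
        elif not sec.get("gpgkey"):
            findings.append("gpgcheck=1 set but no gpgkey to verify against")
        if not _enabled(sec, "repo_gpgcheck"):
            findings.append("repo_gpgcheck=1 missing: repomd.xml unverified")
        if sec.get("baseurl", "").startswith("http://"):
            findings.append("baseurl is plain http: only signatures protect integrity")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for label, text in (("as installed", TD_REPO_AS_INSTALLED),
                        ("hardened", TD_REPO_HARDENED)):
        for repo_id, findings in audit_repo_file(text).items():
            print(f"{label} [{repo_id}]: {findings or 'OK'}")
```

Run it against the files in /etc/yum.repos.d to find repos that would still install packages without the metadata signature check this report asks for.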

cosmo0920 commented 3 years ago

Could you file your issue in https://github.com/fluent-plugins-nursery/td-agent-builder ? Fluentd itself does not have a package-creating mechanism.

justchris1 commented 3 years ago

Done. Thanks - Sorry about that. I would have never guessed that was the right place.

justchris1 commented 3 years ago

Opened https://github.com/fluent-plugins-nursery/td-agent-builder/issues/313