g-bougard
commented
4 weeks ago Hi @PlqnK
the question has still been discussed in this discussion: https://github.com/glpi-project/glpi-agent/discussions/723
To me, it's a bad idea to add --nogpgcheck as this will prevent also this check on dependencies even where it's not a problem.
But maybe adding --setopt=localpkg_gpgcheck=0 can work.
Bug reporting acknowledgment
Yes, I read it
Professional support
None
Describe the bug
The glpi-agent RPM packages are not signed, but the perl installation script doesn't pass the
--nogpgcheckflag todnfwhen trying to install it, making dnf fail on installs wherelocalpkg_gpgcheck = 1has been configured in/etc/dnf/dnf.confor/etc/yum.conf.I'm not sure if
localpkg_gpgcheckbeing true is the default on RHEL/CentOS Stream 9, but at least with the ANSSI-BP-028 minimal SCAP profile applied it is set (see https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-anssi_bp28_minimal.html#xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages).To reproduce
localpkg_gpgcheck = 1in/etc/dnf/dnf.confperl glpi-agent-X.X-linux-installer.plExpected behavior
dnf should not fail to install the downloaded glpi-agent RPM.
The RPM should ideally be signed and the perl script should import the RPM public signing key, but it may not be feasible in the foreseeable future so instead you could add the
--nogpgcheckflag to thednf installcommand here https://github.com/glpi-project/glpi-agent/blob/77f7cdda24aa6d14ba8800f6bb71a18b98f4526d/contrib/unix/installer/RpmDistro.pm#L139 like it’s done with the openSUSE installation--allow-unsigned-rpmjust above.Operating system
Linux
GLPI Agent version
v1.11
GLPI version
Not applicable
GLPIInventory plugin or other plugin version
Not applicable
Additional context
No response