rabbitmq / erlang-rpm

Latest Erlang/OTP releases packaged as a zero dependency RPM, just enough for running RabbitMQ
https://rabbitmq.com/install-rpm.html

Unable to install on Oracle Linux 9 #110

Closed mohd-akram closed 1 year ago

mohd-akram commented 1 year ago

I get this when installing on Oracle Linux 9 (following the guide here):

Importing GPG key 0xDF309A0B:
 Userid     : "https://packagecloud.io/rabbitmq/erlang (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>"
 Fingerprint: 2EBD E413 D3CE 5D35 BCD1 5B7C 71C6 3471 DF30 9A0B
 From       : https://packagecloud.io/rabbitmq/erlang/gpgkey
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: erlang-25.1.1-1.el8.x86_64
 GPG Keys are configured as: https://packagecloud.io/rabbitmq/erlang/gpgkey, https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

My guess is that it's because the key uses SHA-1 (verified via gpg --list-packets, digest algo is 2 i.e. SHA-1) which is not supported by default on RHEL 9.

michaelklishin commented 1 year ago

I am afraid we do not control how keys of hosted services such as PackageCloud are generated.

You can opt in to installing using a direct download from GitHub.

michaelklishin commented 1 year ago

Here is the rabbitmq/erlang signing key used by PackageCloud. There is one per repo. I do not see any way for us to regenerate it, and if we did, I'm afraid it would require an action from every user who has provisioned this RPM from PackageCloud.

In the past we've had a similar transition with the RabbitMQ signing key as well as one key transition with PackageCloud (in October 2018) which was forced upon us by the service.

I haven't seen this issue on CentOS 9 just last month. But if this does have to do with the algorithm used when generating the key, for the time being, direct downloads would be the only option for Oracle Linux 9 users, until PackageCloud introduces a way to regenerate the key.

mohd-akram commented 1 year ago

It seems a solution is to remove the repo_gpgcheck=1 line from the .repo file. The packages themselves are signed by the RabbitMQ key, which works in RHEL 9. Here's a much simplified rabbitmq.repo file that works:

[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
gpgcheck=1
enabled=1
gpgkey=https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

[rabbitmq_server]
name=rabbitmq_server
baseurl=https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
gpgcheck=1
enabled=1
gpgkey=https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

I would recommend updating the documentation to this. The current one is unnecessarily long.
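The two checks discussed in this thread can be made explicit in a small audit script. The following Python is an added example written for this page; it is not code from the issue's participants or from the rabbitmq/erlang-rpm project. It does two things: it reads `gpg --list-packets` output and reports the digest algorithm of every signature packet, flagging MD5 and SHA-1 (OpenPGP algorithm ids 1 and 2, per RFC 4880) as digests that RHEL 9's default crypto policy rejects for signatures, which is the diagnosis given above for the PackageCloud repository key; and it parses a `.repo` file to show, per repository, whether package signatures (`gpgcheck`) and repository metadata signatures (`repo_gpgcheck`) are verified and which keys are configured, so that dropping `repo_gpgcheck` as suggested above can be confirmed to leave package verification on. The packet listing and the extra repo sections are constructed sample input; only the key id `71C63471DF309A0B` (the last 16 hex digits of the fingerprint quoted above) and the two-section `rabbitmq.repo` come from the issue, and the timestamps and the second key id are placeholders.

```python
import configparser
import re

# OpenPGP hash algorithm identifiers (RFC 4880, section 9.4).
DIGEST_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests that RHEL 9's DEFAULT crypto policy no longer accepts for signatures.
WEAK_DIGESTS = {"MD5", "SHA1"}

SIG_RE = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-F]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed excerpt in the shape of `gpg --list-packets key.asc` output.
# Key id 71C63471DF309A0B is taken from the fingerprint quoted in the issue;
# the second key id and all timestamps are placeholders.
SAMPLE_PACKETS = """\
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: 71C63471DF309A0B
:user ID packet: "https://packagecloud.io/rabbitmq/erlang <support@packagecloud.io>"
:signature packet: algo 1, keyid 71C63471DF309A0B
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1600000000, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 12 34
"""

# The simplified rabbitmq.repo from the issue, plus two constructed sections:
# one mirroring the repo_gpgcheck layout that failed, one with gpgcheck off.
SAMPLE_REPO = """\
[rabbitmq_erlang]
name=rabbitmq_erlang
baseurl=https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
gpgcheck=1
enabled=1
gpgkey=https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

[rabbitmq_server]
name=rabbitmq_server
baseurl=https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
gpgcheck=1
enabled=1
gpgkey=https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

[constructed_with_repo_check]
name=constructed: metadata check against the PackageCloud key
baseurl=https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/rabbitmq/erlang/gpgkey
       https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc

[constructed_unverified]
name=constructed: package signature check disabled
baseurl=https://example.invalid/el/9/$basearch
gpgcheck=0
enabled=1
"""


def signature_digests(list_packets_output):
    """Return (keyid, digest name) for every signature packet in the listing."""
    results, current_keyid = [], None
    for line in list_packets_output.splitlines():
        m = SIG_RE.match(line)
        if m:
            current_keyid = m.group(2)
            continue
        m = DIGEST_RE.search(line)
        if m and current_keyid is not None:
            algo = int(m.group(1))
            results.append((current_keyid, DIGEST_ALGOS.get(algo, f"unknown({algo})")))
            current_keyid = None
    return results


def weak_signatures(list_packets_output):
    """Signatures whose digest a SHA-1-rejecting crypto policy will refuse."""
    return [(k, d) for k, d in signature_digests(list_packets_output) if d in WEAK_DIGESTS]


def audit_repo(repo_text):
    """Per-section summary of which signature checks a .repo file enables."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(repo_text)
    report = {}
    for section in cp.sections():
        s = cp[section]
        report[section] = {
            "gpgcheck": s.get("gpgcheck", "0") == "1",          # package signatures
            "repo_gpgcheck": s.get("repo_gpgcheck", "0") == "1",  # repodata signatures
            "gpgkeys": s.get("gpgkey", "").split(),
        }
    return report


def unverified_repos(report):
    """Sections that would install packages without any signature check."""
    return sorted(name for name, r in report.items() if not r["gpgcheck"])


def metadata_checked_repos(report):
    """Sections whose repodata key must itself be acceptable to the host policy."""
    return sorted(name for name, r in report.items() if r["repo_gpgcheck"])


if __name__ == "__main__":
    for keyid, digest in signature_digests(SAMPLE_PACKETS):
        flag = "REJECTED by SHA-1-free policy" if digest in WEAK_DIGESTS else "ok"
        print(f"signature by {keyid}: {digest} ({flag})")
    report = audit_repo(SAMPLE_REPO)
    print("no package verification:", unverified_repos(report))
    print("metadata verification on:", metadata_checked_repos(report))
```

Run against a real key with `gpg --list-packets key.asc > packets.txt` and feed the file contents to `weak_signatures`; a self-signature reported as SHA1 explains an import failure under a policy that rejects SHA-1, while a repository whose section shows `gpgcheck` true and `repo_gpgcheck` false still verifies every package against the RabbitMQ release key, which is the state the simplified `.repo` above leaves you in.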