rsyslog / rsyslog-pkg-rhel-centos

Package build sources for building RHEL/CentOS packages

Issue #126: Repo gpgcheck=1

Closed. klesher closed this issue 1 year ago

klesher commented 1 year ago

I'm currently working through migrating from CentOS 7 to RHEL-9 compatible of some sort (likely RockyLinux 9 or AlmaLinux 9 since CentOS moved to the Stream model). We currently make use of the rsyslog repo via baseurl=http://rpms.adiscon.com/v8-stable/epel-7/$basearch on CentOS 7.

While checking through items that could potentially cause issues in our Ansible config when upgrading from EL7 -> EL9, I noticed that we are not currently making use of gpgcheck. I just started this work today, so unfortunately I can't comment on whether the changes made in #125 are possibly causing this issue.

Happy to do any additional testing or provide any additional context! Thank you!

Expected behavior

Package installation successful when setting gpgcheck=1

Actual behavior

Package installation GPG check fails with the following message:

AlmaLinux 9 / Rocky Linux 9 [Fresh installs]:

[root@ci-testing-9:~]$ yum -y install rsyslog-8.2212.0
Adiscon CentOS-9 - local packages for x86_64                                270 kB/s | 126 kB     00:00    
AlmaLinux 9 - AppStream                                                     1.2 MB/s | 8.0 MB     00:06    
AlmaLinux 9 - BaseOS                                                        1.0 MB/s | 2.8 MB     00:02    
AlmaLinux 9 - CRB                                                           1.3 MB/s | 2.4 MB     00:01    
AlmaLinux 9 - Extras                                                         29 kB/s |  17 kB     00:00    
Extra Packages for Enterprise Linux 9 - x86_64                              8.3 MB/s |  14 MB     00:01    
Dependencies resolved.
============================================================================================================
 Package                       Architecture       Version                      Repository              Size
============================================================================================================
Upgrading:
 rsyslog                       x86_64             8.2212.0-1.el9               rsyslog_v8             779 k
 rsyslog-logrotate             x86_64             8.2212.0-1.el9               rsyslog_v8             7.9 k

Transaction Summary
============================================================================================================
Upgrade  2 Packages

Total download size: 787 k
Downloading Packages:
(1/2): rsyslog-logrotate-8.2212.0-1.el9.x86_64.rpm                          6.2 kB/s | 7.9 kB     00:01    
(2/2): rsyslog-8.2212.0-1.el9.x86_64.rpm                                    514 kB/s | 779 kB     00:01    
------------------------------------------------------------------------------------------------------------
Total                                                                       517 kB/s | 787 kB     00:01     
retrieving repo key for rsyslog_v8 unencrypted from http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
Adiscon CentOS-9 - local packages for x86_64                                1.8 kB/s | 2.2 kB     00:01    
GPG key at http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon (0x9A6E0108) is already installed
The GPG keys listed for the "Adiscon CentOS-9 - local packages for x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: rsyslog-8.2212.0-1.el9.x86_64
 GPG Keys are configured as: http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
Public key for rsyslog-logrotate-8.2212.0-1.el9.x86_64.rpm is not installed. Failing package is: rsyslog-logrotate-8.2212.0-1.el9.x86_64
 GPG Keys are configured as: http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

CentOS 7 [Existing Server]:

$ yum upgrade rsyslog-8.2212.0

... Mirror/dependency info ...

============================================================================
 Package             Arch        Version              Repository       Size
============================================================================
Updating:
 rsyslog             x86_64      8.2212.0-1.el7       rsyslog_v8      782 k
Updating for dependencies:
 rsyslog-gnutls      x86_64      8.2212.0-1.el7       rsyslog_v8       49 k

Transaction Summary
============================================================================
Upgrade  1 Package (+1 Dependent package)

Total size: 831 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/rsyslog_v8/packages/rsyslog-8.2212.0-1.el7.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e00b8985: NOKEY
Retrieving key from http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon

The GPG keys listed for the "Adiscon CentOS-7 - local packages for x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

 Failing package is: rsyslog-8.2212.0-1.el7.x86_64
 GPG Keys are configured as: http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon

Steps to reproduce the behavior

  1. Use fresh install of OS
  2. Follow repo setup instructions located on the Install rsyslog on RHEL/CentOS page. I tried both CentOS and RHEL wget commands (RHEL I manually edited to the epel-9, though that should feasibly be doing the same as the CentOS epel-$releasever)
  3. Edit /etc/yum.repos.d/rsyslog.repo and set gpgcheck=1
  4. Run yum -y install rsyslog-8.2212.0 or yum upgrade rsyslog-8.2212.0

Environment

alorbach commented 1 year ago

It turns out that the packages are currently signed with the old SHA1 gpg key. The key was removed from http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon some days ago because RHEL9 dropped SHA1 support, see issue https://github.com/rsyslog/rsyslog-pkg-rhel-centos/issues/125

We will have to fix package building so that the newer DSA key is being used instead. When this is fixed, we can test gpgcheck=1 again.

klesher commented 1 year ago

Ah ha, thank you! I'll continue with gpgcheck=0 for the time being in that case.

alorbach commented 1 year ago

I accidentally closed this issue, sorry - I will address the gpgcheck problem beginning next week.

alorbach commented 1 year ago

@klesher Can you try to install rsyslog rhel again using https://rpms.adiscon.com/v8-stable-daily/rsyslog-daily-rhel.repo (recommended) or https://rpms.adiscon.com/v8-stable-daily/rsyslog-daily.repo with gpgcheck=1 ?

I have created a new RSA 4096-bit signing key (the old RSA key was 10 years old) and resigned all rhel9 packages. The new key should be imported automatically if you install with -y, otherwise you will need to accept the key import.

My local installation tests were installing successfully. I am using official UBI docker images from https://catalog.redhat.com/ .

klesher commented 1 year ago

Hey @alorbach,

With the following repo config:

[root@ip-10-0-2-15 ~]# cat /etc/yum.repos.d/rsyslog.repo 
[rsyslog_v8]
name=Adiscon RHEL-$releasever - daily stable packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable-daily/rhel-$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1

It looks like it's still not happy about having the SHA1 key included in the keyfile even with the new one present first (I think this was the original issue #125 was experiencing?). On a yum install, the new key successfully imports, but fails on importing the legacy key:

[root@ip-10-0-2-15 ~]# yum -y install rsyslog rsyslog-gnutls
Adiscon RHEL-9 - daily stable packages for x86_64                                                                                       8.1 MB/s | 2.5 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Mon Feb 13 19:30:00 2023.
Package rsyslog-8.2102.0-105.el9.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================================================================
 Package                                   Architecture                   Version                                              Repository                          Size
========================================================================================================================================================================
Installing:
 rsyslog-gnutls                            x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                          27 k
Upgrading:
 rsyslog                                   x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                         780 k
 rsyslog-logrotate                         x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                         8.1 k

Transaction Summary
========================================================================================================================================================================
Install  1 Package
Upgrade  2 Packages

Total download size: 815 k
Downloading Packages:
(1/3): rsyslog-logrotate-8.2302.0.master-1676246565.x86_64.rpm                                                                          172 kB/s | 8.1 kB     00:00    
(2/3): rsyslog-gnutls-8.2302.0.master-1676246565.x86_64.rpm                                                                             480 kB/s |  27 kB     00:00    
(3/3): rsyslog-8.2302.0.master-1676246565.x86_64.rpm                                                                                    4.5 MB/s | 780 kB     00:00    
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                   4.6 MB/s | 815 kB     00:00     
Adiscon RHEL-9 - daily stable packages for x86_64                                                                                        24 kB/s | 3.3 kB     00:00    
Importing GPG key 0x8F67EF64:
 Userid     : "Andre Lorbach (RPM Package signing key for rsyslog 2023) <alorbach@adiscon.com>"
 Fingerprint: 3148 D134 973A BF51 5B2F 9E31 6B11 D5C7 8F67 EF64
 From       : https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
Key imported successfully
Importing GPG key 0xE00B8985:
 Userid     : "Andre Lorbach (RPM Signing Key) <alorbach@adiscon.com>"
 Fingerprint: 712D 4E18 794D C570 E287 0861 E0F2 33B3 E00B 8985
 From       : https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: rsyslog-gnutls-8.2302.0.master-1676246565.x86_64
 GPG Keys are configured as: https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED

It does work if I immediately run the yum install a second time however:

[root@ip-10-0-2-15 ~]# yum -y install rsyslog rsyslog-gnutls
Last metadata expiration check: 0:00:21 ago on Mon Feb 13 19:30:00 2023.
Package rsyslog-8.2102.0-105.el9.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================================================================
 Package                                   Architecture                   Version                                              Repository                          Size
========================================================================================================================================================================
Installing:
 rsyslog-gnutls                            x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                          27 k
Upgrading:
 rsyslog                                   x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                         780 k
 rsyslog-logrotate                         x86_64                         8.2302.0.master-1676246565                           rsyslog_v8                         8.1 k

Transaction Summary
========================================================================================================================================================================
Install  1 Package
Upgrade  2 Packages

Total size: 815 k
Downloading Packages:
[SKIPPED] rsyslog-gnutls-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded                                                                                     
[SKIPPED] rsyslog-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded                                                                                            
[SKIPPED] rsyslog-logrotate-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded                                                                                  
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                1/1 
  Upgrading        : rsyslog-logrotate-8.2302.0.master-1676246565.x86_64                                                                                            1/5 
  Upgrading        : rsyslog-8.2302.0.master-1676246565.x86_64                                                                                                      2/5 
  Running scriptlet: rsyslog-8.2302.0.master-1676246565.x86_64                                                                                                      2/5 
  Installing       : rsyslog-gnutls-8.2302.0.master-1676246565.x86_64                                                                                               3/5 
  Running scriptlet: rsyslog-8.2102.0-105.el9.x86_64                                                                                                                4/5 
  Cleanup          : rsyslog-8.2102.0-105.el9.x86_64                                                                                                                4/5 
  Running scriptlet: rsyslog-8.2102.0-105.el9.x86_64                                                                                                                4/5 
  Cleanup          : rsyslog-logrotate-8.2102.0-105.el9.x86_64                                                                                                      5/5 
  Running scriptlet: rsyslog-logrotate-8.2102.0-105.el9.x86_64                                                                                                      5/5 
  Verifying        : rsyslog-gnutls-8.2302.0.master-1676246565.x86_64                                                                                               1/5 
  Verifying        : rsyslog-8.2302.0.master-1676246565.x86_64                                                                                                      2/5 
  Verifying        : rsyslog-8.2102.0-105.el9.x86_64                                                                                                                3/5 
  Verifying        : rsyslog-logrotate-8.2302.0.master-1676246565.x86_64                                                                                            4/5 
  Verifying        : rsyslog-logrotate-8.2102.0-105.el9.x86_64                                                                                                      5/5 

Upgraded:
  rsyslog-8.2302.0.master-1676246565.x86_64                                     rsyslog-logrotate-8.2302.0.master-1676246565.x86_64                                    
Installed:
  rsyslog-gnutls-8.2302.0.master-1676246565.x86_64                                                                                                                      

Complete!

If I manually import the new key by itself, everything installs with no issues. Any chance of getting a keyfile with just the new key in it, assuming that wouldn't be detrimental to anybody? I can work around this by manually importing the new key only via Ansible if not!

Thank you!
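The check behind the workaround described above, as an added example that is not part of this thread or the rsyslog project: a small OpenPGP packet walker that audits a keyfile like RPM-GPG-KEY-Adiscon before `rpm --import`, reporting each key's fingerprint and the hash algorithm of its signature packets, and producing a keyfile with only the keys that carry no SHA1 signature. It assumes a standard armored keyfile without partial-length packets; the two-key sample it parses is constructed from dummy material, not real key data.

```python
import base64
import hashlib
import re
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def dearmor(block):
    # Drop the armor lines, "Version:"-style headers and the "=CRC24" trailer.
    b64 = [l for l in block.splitlines() if l and ":" not in l and l[0] not in "=-"]
    return base64.b64decode("".join(b64))

def packets(data):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                   # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
        else:                                            # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length

def audit(keyfile_text):
    """Per key block: (v4 fingerprint, [hash algorithm of each signature packet])."""
    report = []
    for block in BLOCK_RE.findall(keyfile_text):
        fpr, hashes = None, []
        for tag, pkt in packets(dearmor(block)):
            if tag == 6 and pkt[0] == 4:                 # v4 primary public key packet
                fpr = hashlib.sha1(b"\x99" + len(pkt).to_bytes(2, "big") + pkt).hexdigest().upper()
            elif tag == 2 and pkt[0] == 4:               # v4 signature: version, type, pk algo, hash algo
                hashes.append(HASH_NAMES.get(pkt[3], "algo%d" % pkt[3]))
        report.append((fpr, hashes))
    return report

def without_sha1_keys(keyfile_text):
    """Keep only the blocks with no SHA1 signature: a keyfile RHEL 9 will import in one pass."""
    blocks = [BEGIN + b + END for b in BLOCK_RE.findall(keyfile_text)]
    return "\n".join(b for b, (_, h) in zip(blocks, audit(keyfile_text)) if "SHA1" not in h)

def _dummy_key(created, hash_algo):                      # constructed toy key, not real material
    old = lambda tag, body: bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
    pub = b"\x04" + created + b"\x01\x00\x08\xab\x00\x02\x03"           # v4, RSA, toy MPIs n, e
    sig = b"\x04\x13\x01" + bytes([hash_algo]) + b"\x00\x00\x00\x00\xab\xcd\x00\x08\xff"
    raw = old(6, pub) + old(13, b"dummy uid") + old(2, sig)
    return "%s\nVersion: constructed\n\n%s\n%s" % (BEGIN, base64.b64encode(raw).decode(), END)
# Constructed keyfile: new key with a SHA256 self-signature first, legacy SHA1-signed key second.
SAMPLE_KEYFILE = _dummy_key(b"\x63\xe9\x00\x00", 8) + "\n" + _dummy_key(b"\x51\x00\x00\x00", 2)
```

Run `audit()` on the downloaded keyfile to see which fingerprint carries a SHA1 signature before deciding what to import, or feed `without_sha1_keys()` output to `rpm --import`.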

alorbach commented 1 year ago

I will update all repositories by tomorrow; then we will be able to remove the SHA1 key from the keyfile. But at the moment only RHEL9 and EPEL9 are using the new SHA key.

klesher commented 1 year ago

Perfect, I think I'm good to go in that case. Thanks for the assistance Andre, much appreciated!

alorbach commented 1 year ago

All packages have been resigned now, and the old SHA1 key is removed from the https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon download. I tested RHEL7, RHEL8 and RHEL9 using the UBI Base Images, and they all installed fine now with gpgcheck=1. Therefore I am closing this issue, feel free to reopen it if you need further assistance.