Closed klesher closed 1 year ago
It turns out that the packages are currently signed with the old SHA1 gpg key. The key was removed from http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon some days ago because RHEL9 dropped SHA1 support, see issue https://github.com/rsyslog/rsyslog-pkg-rhel-centos/issues/125
We will have to fix package building so that the newer DSA key is being used instead. When this is fixed, we can test gpgcheck=1 again.
Ah ha, thank you! I'll continue with gpgcheck=0 for the time being in that case.
I accidentally closed this issue, sorry - I will address gpgcheck problem beginning next week.
@klesher Can you try to install rsyslog rhel again using https://rpms.adiscon.com/v8-stable-daily/rsyslog-daily-rhel.repo (recommended) or https://rpms.adiscon.com/v8-stable-daily/rsyslog-daily.repo with gpgcheck=1 ?
I have created a new RSA 4096 Bit signing key (The old RSA Key was 10 years old) and resigned all rhel9 packages. The new key should be imported automatically if you install with -y, otherwise you will need to accept the key import.
My local installation tests were installing successfully. I am using official UBI docker images from https://catalog.redhat.com/ .
Hey @alorbach,
With the following repo config:
[root@ip-10-0-2-15 ~]# cat /etc/yum.repos.d/rsyslog.repo
[rsyslog_v8]
name=Adiscon RHEL-$releasever - daily stable packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable-daily/rhel-$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
It looks like it's still not happy about having the SHA1 key included in the keyfile even with the new one present first (I think this was the original issue #125 was experiencing?). On a yum install, the new key successfully imports, but fails on importing the legacy key:
[root@ip-10-0-2-15 ~]# yum -y install rsyslog rsyslog-gnutls
Adiscon RHEL-9 - daily stable packages for x86_64 8.1 MB/s | 2.5 MB 00:00
Last metadata expiration check: 0:00:01 ago on Mon Feb 13 19:30:00 2023.
Package rsyslog-8.2102.0-105.el9.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================================================================
Installing:
rsyslog-gnutls x86_64 8.2302.0.master-1676246565 rsyslog_v8 27 k
Upgrading:
rsyslog x86_64 8.2302.0.master-1676246565 rsyslog_v8 780 k
rsyslog-logrotate x86_64 8.2302.0.master-1676246565 rsyslog_v8 8.1 k
Transaction Summary
========================================================================================================================================================================
Install 1 Package
Upgrade 2 Packages
Total download size: 815 k
Downloading Packages:
(1/3): rsyslog-logrotate-8.2302.0.master-1676246565.x86_64.rpm 172 kB/s | 8.1 kB 00:00
(2/3): rsyslog-gnutls-8.2302.0.master-1676246565.x86_64.rpm 480 kB/s | 27 kB 00:00
(3/3): rsyslog-8.2302.0.master-1676246565.x86_64.rpm 4.5 MB/s | 780 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 4.6 MB/s | 815 kB 00:00
Adiscon RHEL-9 - daily stable packages for x86_64 24 kB/s | 3.3 kB 00:00
Importing GPG key 0x8F67EF64:
Userid : "Andre Lorbach (RPM Package signing key for rsyslog 2023) <alorbach@adiscon.com>"
Fingerprint: 3148 D134 973A BF51 5B2F 9E31 6B11 D5C7 8F67 EF64
From : https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
Key imported successfully
Importing GPG key 0xE00B8985:
Userid : "Andre Lorbach (RPM Signing Key) <alorbach@adiscon.com>"
Fingerprint: 712D 4E18 794D C570 E287 0861 E0F2 33B3 E00B 8985
From : https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
warning: Signature not supported. Hash algorithm SHA1 not available.
Key import failed (code 2). Failing package is: rsyslog-gnutls-8.2302.0.master-1676246565.x86_64
GPG Keys are configured as: https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED
It does work if I immediately run the yum install a second time however:
[root@ip-10-0-2-15 ~]# yum -y install rsyslog rsyslog-gnutls
Last metadata expiration check: 0:00:21 ago on Mon Feb 13 19:30:00 2023.
Package rsyslog-8.2102.0-105.el9.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================================================================
Installing:
rsyslog-gnutls x86_64 8.2302.0.master-1676246565 rsyslog_v8 27 k
Upgrading:
rsyslog x86_64 8.2302.0.master-1676246565 rsyslog_v8 780 k
rsyslog-logrotate x86_64 8.2302.0.master-1676246565 rsyslog_v8 8.1 k
Transaction Summary
========================================================================================================================================================================
Install 1 Package
Upgrade 2 Packages
Total size: 815 k
Downloading Packages:
[SKIPPED] rsyslog-gnutls-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded
[SKIPPED] rsyslog-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded
[SKIPPED] rsyslog-logrotate-8.2302.0.master-1676246565.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : rsyslog-logrotate-8.2302.0.master-1676246565.x86_64 1/5
Upgrading : rsyslog-8.2302.0.master-1676246565.x86_64 2/5
Running scriptlet: rsyslog-8.2302.0.master-1676246565.x86_64 2/5
Installing : rsyslog-gnutls-8.2302.0.master-1676246565.x86_64 3/5
Running scriptlet: rsyslog-8.2102.0-105.el9.x86_64 4/5
Cleanup : rsyslog-8.2102.0-105.el9.x86_64 4/5
Running scriptlet: rsyslog-8.2102.0-105.el9.x86_64 4/5
Cleanup : rsyslog-logrotate-8.2102.0-105.el9.x86_64 5/5
Running scriptlet: rsyslog-logrotate-8.2102.0-105.el9.x86_64 5/5
Verifying : rsyslog-gnutls-8.2302.0.master-1676246565.x86_64 1/5
Verifying : rsyslog-8.2302.0.master-1676246565.x86_64 2/5
Verifying : rsyslog-8.2102.0-105.el9.x86_64 3/5
Verifying : rsyslog-logrotate-8.2302.0.master-1676246565.x86_64 4/5
Verifying : rsyslog-logrotate-8.2102.0-105.el9.x86_64 5/5
Upgraded:
rsyslog-8.2302.0.master-1676246565.x86_64 rsyslog-logrotate-8.2302.0.master-1676246565.x86_64
Installed:
rsyslog-gnutls-8.2302.0.master-1676246565.x86_64
Complete!
If I manually import the new key by itself, everything installs with no issues. Any chance of getting a keyfile with just the new key in it, assuming that wouldn't be detrimental to anybody? I can work around this by manually importing the new key only via Ansible if not!
Thank you!
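A check for exactly the situation above (a repository keyfile that carries more than one key, one of them with SHA1 signatures): the following Python is an added example, not code from this issue or from the rsyslog project. It splits an armored RPM-GPG-KEY file into its keys and reports each key's v4 fingerprint and the hash algorithm of every signature packet, so a key that a SHA1-refusing host will reject is visible before gpgkey= points at it. The keyfile it builds for demonstration is constructed with bogus RSA values and is not the Adiscon keyfile.

```python
import base64, hashlib, re
# OpenPGP hash-algorithm ids (RFC 4880 9.4); RHEL 9's DEFAULT crypto policy refuses SHA1 signatures
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(armored):
    # drop armor header lines (everything up to the blank line) and the "=CRC24" line, then base64-decode
    lines = armored.strip("\n").split("\n")
    body = lines[lines.index("") + 1:] if "" in lines else lines
    return base64.b64decode("".join(l for l in body if l and not l.startswith("=")))

def iter_packets(data):
    # yield (tag, body) for old- and new-format packet headers; partial-body lengths are not handled
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                  # new format: 6-bit tag, 1-, 2- or 5-byte length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            length, i = (first, i) if first < 192 else (((first - 192) << 8) + data[i] + 192, i + 1) if first < 224 else (int.from_bytes(data[i:i + 4], "big"), i + 4)
        else:                                           # old format: 4-bit tag, 1-, 2- or 4-byte length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def fingerprint_v4(key_body):
    # RFC 4880 12.2: the v4 fingerprint is SHA-1 over 0x99 || 2-byte body length || public-key packet body
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def inspect_keyfile(text):
    # one entry per armored key: its fingerprint, the hash algorithm of every signature packet, and a weak flag
    report = []
    for m in ARMOR_RE.finditer(text):
        fp, hashes = None, []
        for tag, body in iter_packets(dearmor(m.group(1))):
            if tag == 6 and body[0] == 4:               # v4 public-key packet
                fp = fingerprint_v4(body)
            elif tag == 2 and body[0] == 4:             # v4 signature packet: byte 3 is the hash algorithm
                hashes.append(HASH_ALGOS.get(body[3], "other"))
        report.append({"fingerprint": fp, "sig_hashes": hashes, "weak": any(h in ("MD5", "SHA1") for h in hashes)})
    return report
def constructed_keyfile():
    # CONSTRUCTED sample, not the Adiscon keyfile: two synthetic v4 RSA keys with bogus MPIs, the second self-signed with SHA1
    def key(seed, hash_id):
        pub = b"\x04" + seed.to_bytes(4, "big") + b"\x01\x00\x10" + seed.to_bytes(2, "big") + b"\x00\x11\x01\x00\x01"
        sig = b"\x04\x13\x01" + bytes([hash_id]) + b"\x00\x00\x00\x00\xab\xcd\x00\x10\xaa\xbb"
        b64 = base64.b64encode(b"\x99" + len(pub).to_bytes(2, "big") + pub + b"\x89" + len(sig).to_bytes(2, "big") + sig).decode()
        return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n{b64}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
    return key(1, 8) + key(2, 2)
```

Running inspect_keyfile over a downloaded RPM-GPG-KEY file lets you compare the reported fingerprints with the one the maintainer announced (3148 D134 973A BF51 5B2F 9E31 6B11 D5C7 8F67 EF64 for the 2023 key above) and drop any key that is flagged weak before it reaches rpm --import.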
I will update all repositories by tomorrow, then we will be able to remove the SHA1 key from the keyfile. But at the moment only RHEL9 and EPEL9 are using the new SHA Key.
Perfect, I think I'm good to go in that case. Thanks for the assistance Andre, much appreciated!
All packages have been resigned now, the old SHA1 is removed from the https://rpms.adiscon.com/RPM-GPG-KEY-Adiscon download. I tested RHEL7, RHEL8 and RHEL9 using the UBI Base Images, they all installed fine now with gpgcheck=1. Therefore I am closing this Issue, feel free to reopen it if you need further assistance.
I'm currently working through migrating from CentOS 7 to RHEL-9 compatible of some sort (likely RockyLinux 9 or AlmaLinux 9 since CentOS moved to the Stream model). We currently make use of the rsyslog repo via
baseurl=http://rpms.adiscon.com/v8-stable/epel-7/$basearch
on CentOS 7. While checking through items that could potentially cause issues in our Ansible config when upgrading from EL7 -> EL9, I noticed that we are not currently making use of gpgcheck. I just started this work today, so unfortunately I can't comment on whether the changes made in #125 are possibly causing this issue. Happy to do any additional testing or provide any additional context! Thank you!
Expected behavior
Package installation successful when setting gpgcheck=1
Actual behavior
Package installation GPG check fails with the following message:
AlmaLinux 9 / Rocky Linux 9 [Fresh installs]:
CentOS 7 [Existing Server]:
Steps to reproduce the behavior
epel-9, though that should feasibly be doing the same as the CentOS epel-$releasever)
/etc/yum.repos.d/rsyslog.repo and set gpgcheck=1
yum -y install rsyslog-8.2212.0 or yum upgrade rsyslog-8.2212.0
Environment