Unsigned packages can't be installed on systems that support gpg key checking #630

Open
mesgme opened this issue May 20, 2019 · 3 comments

mesgme commented May 20, 2019

Expected Behavior

Should install without error

Current Behavior

   [2019-05-20T14:59:31+00:00] ERROR: yum_package[sensu] (sensu::_linux line 82) had an error: Chef::Exceptions::Exec: yum -d0 -e0 -y install sensu-0.26.5-2 returned 1:
   STDOUT:
   STDERR:

   Package sensu-0.26.5-2.el5.x86_64.rpm is not signed

Steps to Reproduce (for bugs)

Run kitchen converge with a centos 6.8 vagrant provisioner.

Context

Unable to install sensu

Your Environment

  • Version of this cookbook used:
  • Version of Sensu used: sensu-0.26.5-2
  • Version of Chef used: chef-12.22.3
  • Operating System and version (e.g. CentOS 7, Ubuntu 14.04): CentOS 6.8
@majormoses
Contributor

@mesgme That is a very old version of sensu and I am pretty sure that was before the packages were signed. Can you validate if you see the same with a recent version?

@mesgme
Author

mesgme commented Jun 21, 2019

Thanks for getting back to me, Ben. Yes, it is old; however, that's the version they've standardised on at work.

It seems like the line
repo.gpgcheck(true) if repo.respond_to?(:gpgcheck)
in _linux.rb

looks like it checks that the repo supports gpg checking and is therefore set to true, but that particular package isn't signed, so there's an issue.

I've hacked a fix to always set gpgchecking to false in a private fork. A more robust solution would be to either:
Catch the error when the package is not signed and set gpgcheck(false)
or
Allow the gpg check to be set in attributes and then honoured in this check.

If either seems appropriate, let me know - I can make the change via PR, then you can approve it if you think it's worth it.

@majormoses
Contributor

repo.gpgcheck(true) if repo.respond_to?(:gpgcheck)

I believe this is actually not meant to test whether the package supports gpg; it's to test whether the resource itself supports gpg keychecks. Perhaps something along the lines of (pseudo code):

repo.gpgcheck(true) if repo.respond_to?(:gpgcheck) && sensu_version >= first_signed_version

I'd certainly accept a PR that implements that properly.

@majormoses majormoses changed the title Package is not signed Unsigned packages can't be installed on systems that support gpg key checking Jun 22, 2019
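
The version gate from the pseudo code in this thread, combined with the attribute override proposed earlier, written out as an added example (not code from the cookbook or from either commenter). `gpgcheck_for`, `configure_repo`, `upstream_version`, the `override` attribute, `FakeRepo` and the `0.27.0` threshold are assumptions; the thread does not say which release was the first to be signed.

```ruby
require 'rubygems' # Gem::Version

# Constructed sample threshold; the thread does not name the first signed release.
SAMPLE_FIRST_SIGNED = '0.27.0'.freeze

# "0.26.5-2" -> Gem::Version("0.26.5"). The package iteration is dropped because
# Gem::Version does not treat "-2" as an iteration (recent RubyGems reads it as
# a prerelease tag and sorts it below 0.26.5).
def upstream_version(pkg_version)
  base = pkg_version.to_s.split('-', 2).first
  raise ArgumentError, 'empty version' if base.nil? || base.empty?
  Gem::Version.new(base)
end

# Decide the repo's gpgcheck value.
#   override     - hypothetical node attribute; nil means "not set"
#   first_signed - first release that shipped signed packages
def gpgcheck_for(pkg_version, first_signed: SAMPLE_FIRST_SIGNED, override: nil)
  return override unless override.nil?
  upstream_version(pkg_version) >= Gem::Version.new(first_signed)
rescue ArgumentError
  true # unparseable version (e.g. "latest"): keep signature checking on
end

# Stand-in for the cookbook's repo resource, constructed for this example.
FakeRepo = Struct.new(:gpg) do
  def gpgcheck(value)
    self.gpg = value
  end
end

# Same guard as the cookbook line: only call gpgcheck if the resource has it.
def configure_repo(repo, pkg_version, **opts)
  repo.gpgcheck(gpgcheck_for(pkg_version, **opts)) if repo.respond_to?(:gpgcheck)
  repo
end

if __FILE__ == $PROGRAM_NAME
  p configure_repo(FakeRepo.new, '0.26.5-2').gpg
  p configure_repo(FakeRepo.new, '1.2.0-1').gpg
end
```

Signature checking stays on by default and for any version string that cannot be parsed, so only releases known to predate signing, or an explicit override, turn it off.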