Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Linux installation with perl script fails on Red Hat family distributions with localpkg_gpgcheck enabled in /etc/dnf/dnf.conf #797

Open
PlqnK opened this issue Oct 21, 2024 · 2 comments
Open

Linux installation with perl script fails on Red Hat family distributions with localpkg_gpgcheck enabled in /etc/dnf/dnf.conf #797

PlqnK opened this issue Oct 21, 2024 · 2 comments
Labels
duplicate This issue or pull request already exists help wanted Extra attention is needed

Comments

@PlqnK
Copy link

PlqnK commented Oct 21, 2024
edited
Loading

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

The glpi-agent RPM packages are not signed, but the perl installation script doesn't pass the --nogpgcheck flag to dnf when trying to install it, making dnf fail on installs where localpkg_gpgcheck = 1 has been configured in /etc/dnf/dnf.conf or /etc/yum.conf.

I'm not sure if localpkg_gpgcheck being true is the default on RHEL/CentOS Stream 9, but at least with the ANSSI-BP-028 minimal SCAP profile applied it is set (see https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-anssi_bp28_minimal.html#xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages).

To reproduce

  1. Get a RHEL/CentOS Stream 9 machine running
  2. Add localpkg_gpgcheck = 1 in /etc/dnf/dnf.conf
  3. Download the latest published linux perl installation script
  4. Execute it with perl glpi-agent-X.X-linux-installer.pl
  5. Watch dnf refuse to install the downloaded RPM because the signature is missing

Expected behavior

dnf should not fail to install the downloaded glpi-agent RPM.

The RPM should ideally be signed and the perl script should import the RPM public signing key, but it may not be feasible in the foreseeable future so instead you could add the --nogpgcheck flag to the dnf install command here

glpi-agent/contrib/unix/installer/RpmDistro.pm

Line 139 in 77f7cdd

$self->{_dnf} ? "dnf -y install @rpms" : "";
like it’s done with the openSUSE installation --allow-unsigned-rpm just above.

Operating system

Linux

GLPI Agent version

v1.11

GLPI version

Not applicable

GLPIInventory plugin or other plugin version

Not applicable

Additional context

No response
@PlqnK PlqnK added the bug Something isn't working label Oct 21, 2024
@g-bougard g-bougard added help wanted Extra attention is needed duplicate This issue or pull request already exists and removed bug Something isn't working labels Oct 30, 2024
@g-bougard
Copy link
Member

g-bougard commented Oct 30, 2024
edited
Loading

Hi @PlqnK

the question has still been discussed in this discussion: #723

To me, it's a bad idea to add --nogpgcheck as this will prevent also this check on dependencies even where it's not a problem.

But maybe adding --setopt=localpkg_gpgcheck=0 can work.

@g-bougard
Copy link
Member

I confirm this works. You can modify the installer this way:

sed -ie 's/dnf -y install/dnf -y install --setopt=localpkg_gpgcheck=0/' glpi-agent-1.11-linux-installer.pl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate This issue or pull request already exists help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PlqnK @g-bougard