
Install doc for SUSE has issues, prompt with ominous error, 'File 'repomd.xml' from repository 'graylog' is unsigned' #15510

Open
drewmiranda-gl opened this issue May 15, 2023 · 6 comments

@drewmiranda-gl
Member

drewmiranda-gl commented May 15, 2023

Via https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/suse_installation.htm

1. Importing the key fails and does not do what it claims to do

Command rpm --import https://packages.graylog2.org/repo/debian/keyring.gpg fails with:

error: https://packages.graylog2.org/repo/debian/keyring.gpg: key 1 not an armored public key.

This does appear to be caused by importing a binary debian key when the proper key is an el (enterprise linux, rhel) ascii key. I tried to look back at past versions of documentation but this command appears to have been present for many years.

Bernd offered the following, which does "work" without error, though I don't think the command does what the documentation is stating (importing a key that can be referenced via a package repo).

sudo rpm --import https://downloads.graylog.org/repo/el/stable/GPG-KEY-graylog

2. Repo warning: File 'repomd.xml' from repository 'graylog' is unsigned

When either installing graylog, via sudo zypper install graylog-server OR even doing a repo update via sudo zypper ref the following WARNING is presented:

Retrieving repository 'graylog' metadata ----------------------------------------------------------------------------[|]
Warning: File 'repomd.xml' from repository 'graylog' is unsigned.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'graylog' is unsigned, continue? [yes/no] (no):

I could not find any way whatsoever to resolve this error. I'm also not certain whether this error was always present. I can infer from the GPG command that the intention is to have the repo work correctly without warnings, but this is not currently the case. I wasn't able to find much information about whether this is just a configuration issue on the client side with the repo and signing key(s), OR an issue with the repo itself. Need help from dev/eng to review and resolve.

Expected Behavior

Documentation for graylog should work as described, and without errors and issues.

Current Behavior

Several errors and warnings are present. Unclear if this is "working as expected" and the user is meant to continue through the errors or not. IMO this should not be the case and we shouldn't be instructing people to ignore errors or warnings, especially about repo security.

Possible Solution

Review the install docs for SUSE, update accordingly. If we can't support SUSE, we should document that. (NOTE that this doesn't mean graylog won't work and users cannot install it, just that it's not a recommended/preferred OS to use)

Steps to Reproduce (for bugs)

Testing with SLES 15 SP3.

Context

Reported via Graylog Community forum.

Your Environment

Suse Linux Enterprise Server (SLES) 15 SP3.

@rkmbaxed

rkmbaxed commented May 24, 2023

Downloading the gpgkey from https://github.com/Graylog2/fpm-recipes/blob/5.0/recipes/graylog-repository/files/rpm/RPM-GPG-KEY-graylog and using it with the repository should work.

[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/5.0/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog

@drewmiranda-gl
Member Author

Downloading the gpgkey from https://github.com/Graylog2/fpm-recipes/blob/5.0/recipes/graylog-repository/files/rpm/RPM-GPG-KEY-graylog and using it with the repository should work.

[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/5.0/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog

I tried and this seems to give the same warning. Not sure if I'm missing something.

@drewmiranda-gl
Member Author

Abe also brought this up on slack.

@okwute419

What's the resolution? Is sudo rpm --import https://downloads.graylog.org/repo/el/stable/GPG-KEY-graylog the correct command? Does Zypper auto-accept gpg keys, hence step 1 for importing keys as documented here is unnecessary? Is the warning msg --> Warning: File 'repomd.xml' from repository 'graylog' is unsigned expected behavior after import?

@drewmiranda-gl
Member Author

Is sudo rpm --import https://downloads.graylog.org/repo/el/stable/GPG-KEY-graylog the correct command?

It is.

Does Zypper auto-accept gpg keys

It appears to. I have very little first-hand experience with SUSE, but in testing, the rpm --import command didn't seem to change the outcome and I was still able to install graylog-server.

Is the warning msg --> Warning: File 'repomd.xml' from repository 'graylog' is unsigned expected

At this time it is expected. I did get confirmation that we don't sign the repo metadata, which is what causes this warning. I've asked for it to be reviewed and addressed internally. For the meantime, we will update our documentation to include a note communicating this.
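A small audit of the client-side settings at play in this thread (the .repo definition rkmbaxed posted and the gpgcheck behaviour behind the repomd.xml warning), as an added example that is not part of this issue or of Graylog's tooling. It assumes libzypp's documented semantics, where gpgcheck covers both repository metadata and package signatures and repo_gpgcheck / pkg_gpgcheck override it for each part; the unsigned repomd.xml itself is a server-side property that no client configuration can fix, which is why the sample taken from the thread comes back clean.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the repo definition posted in this thread, copied verbatim.
ISSUE_REPO = """\
[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/5.0/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
"""

# Constructed weakened variant: what someone silencing the warning the wrong way might write.
WEAK_REPO = """\
[graylog]
name=graylog
baseurl=http://packages.graylog2.org/repo/el/stable/5.0/$basearch/
gpgcheck=0
gpgkey=http://packages.graylog2.org/repo/el/stable/GPG-KEY-graylog
"""


def _on(value):
    """Interpret a libzypp boolean ('1', 'yes', 'true', 'on'); None means 'not set'."""
    return value is not None and value.strip().lower() in ("1", "yes", "true", "on")


def audit_repo_file(text):
    """Return (section, finding) tuples for risky settings in a zypper .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        opts = cp[sec]
        if urlparse(opts.get("baseurl", "")).scheme != "https":
            findings.append((sec, "baseurl is not https; metadata and packages can be altered in transit"))
        gpgcheck = _on(opts.get("gpgcheck"))
        # Per-part overrides fall back to the global gpgcheck value when absent.
        pkg_checked = _on(opts.get("pkg_gpgcheck")) if opts.get("pkg_gpgcheck") is not None else gpgcheck
        repo_checked = _on(opts.get("repo_gpgcheck")) if opts.get("repo_gpgcheck") is not None else gpgcheck
        if not pkg_checked:
            findings.append((sec, "package signatures are not verified (gpgcheck/pkg_gpgcheck off)"))
        if not repo_checked:
            findings.append((sec, "repomd.xml signature is not verified (gpgcheck/repo_gpgcheck off)"))
        key = opts.get("gpgkey")
        if not key:
            findings.append((sec, "gpgkey not set; zypper will prompt to trust whatever key the repo offers"))
        elif urlparse(key).scheme == "http":
            findings.append((sec, "gpgkey fetched over plain http; the trust anchor is itself unauthenticated"))
    return findings
```

Running it on the thread's definition yields no findings, which matches the comments above: the client is configured to verify, and the warning comes from the repository not publishing a signed repomd.xml.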
