
[Bug] - not able to install/upgrade packages after enabling repo_gpgcheck #336

Open
hyryo513 opened this issue May 3, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@hyryo513

hyryo513 commented May 3, 2023

Describe the bug
Not able to install/upgrade packages after enabling repo_gpgcheck

To Reproduce

Run below commands to enable repo_gpgcheck and try to install any package.

docker run -it amazonlinux:latest /bin/bash
sed -i 's/repo_gpgcheck=0/repo_gpgcheck=1/g' /etc/yum.repos.d/amazonlinux.repo
yum -y install tar

Observed the 403 error due to failed gpg check on the repodata

Amazon Linux 2023 repository                    114  B/s | 243  B     00:02    
Amazon Linux 2023 repository                    1.7 MB/s | 1.8 kB     00:00    
Amazon Linux 2023 repository                    182  B/s | 243  B     00:01    
Errors during downloading metadata for repository 'amazonlinux':
  - Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/c21f02b8b6bcdc9593b87e257d8839676b3e1bd5ac90e4a9cabdceada709cc2a/x86_64/repodata/repomd.xml.asc (IP: 13.227.37.127)
Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/c21f02b8b6bcdc9593b87e257d8839676b3e1bd5ac90e4a9cabdceada709cc2a/x86_64/repodata/repomd.xml.asc (IP: 13.227.37.127)
Ignoring repositories: amazonlinux
No match for argument: tar
Error: Unable to find a match: tar
@halfdime-code

Confirmed. Looking at this now.

% docker run --rm -it amazonlinux:2023
bash-5.2#
bash-5.2# dnf update
...
Nothing to do.
Complete!
bash-5.2# sed -i 's/'repo_gpgcheck=0'/'repo_gpgcheck=1/g'' /etc/yum.repos.d/amazonlinux.repo
bash-5.2# dnf -y install tar
Amazon Linux 2023 repository                                                                                                                         1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <amazon-linux@amazon.com>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Amazon Linux 2023 repository                                                                                                                         128  B/s | 243  B     00:01
Amazon Linux 2023 repository                                                                                                                         1.7 MB/s | 1.8 kB     00:00
Amazon Linux 2023 repository                                                                                                                         207  B/s | 243  B     00:01
Errors during downloading metadata for repository 'amazonlinux':
  - Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/526492536dfaa842617fe15b566bbd04ea052950e4ab0e3e626b4e8905b9ee32/x86_64/repodata/repomd.xml.asc (IP: 204.246.191.101)
Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/526492536dfaa842617fe15b566bbd04ea052950e4ab0e3e626b4e8905b9ee32/x86_64/repodata/repomd.xml.asc (IP: 204.246.191.101)
Ignoring repositories: amazonlinux
No match for argument: tar
Error: Unable to find a match: tar

@halfdime-code halfdime-code added the bug Something isn't working label May 4, 2023
@stewartsmith
Member

The AL2023 repos currently don't have metadata signing enabled. The packages themselves are signed, and communicating with the repos is done via https.

Let's keep this issue open so we can track when we enable this functionality.

@tburow

tburow commented Oct 5, 2023

Are there any updates on this? This issue fails CIS & NIST controls.

@devinmitchell

Bump. We too would like to know if there's been any update on this. We're having to exclude a section of our CIS hardening that enables repo_gpgcheck, which isn't ideal.

@stewartsmith
Member

To quote the CIS Amazon Linux 2023 Benchmark v1.0:

Take care to set this value to false (default) for particular repositories that do not support it.

Currently, that includes the AL2023 repositories that do not support it.

The CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it.

@ntndash

ntndash commented Mar 13, 2024

Best workaround to fix this: use the commands below to disable repo_gpgcheck.
sudo sed -i 's#repo_gpgcheck=1#repo_gpgcheck=0#' /etc/yum.repos.d/kernel-livepatch.repo
sudo sed -i 's#repo_gpgcheck=1#repo_gpgcheck=0#' /etc/yum.repos.d/amazonlinux.repo
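The thread makes two points a hardening script has to reconcile: the AL2023 repos do not publish repomd.xml.asc, so repo_gpgcheck=1 makes dnf refuse the repo with the 403 shown above, while package signing (gpgcheck=1) and HTTPS transport are the controls that do apply; and the CIS benchmark only asks for repo_gpgcheck on repositories that support it. The script below is an added example, not code from this issue or from Amazon Linux: it parses .repo files and flags the three things a reviewer would check before or after applying the sed workaround above, namely that gpgcheck stays on, that repo_gpgcheck is enabled only where metadata signatures actually exist, and that every repo URL is https. The sample .repo text and the METADATA_SIGNED table (which records the 403 observed in this thread as "not signed") are constructed for the example; the mirror URLs are placeholders, not the real CDN paths.

```python
"""Audit dnf/yum .repo files for the signing settings discussed in this issue.

Policy encoded here (added example, not part of Amazon Linux or this issue):
  * gpgcheck=1 must stay on: package signatures are the verification that
    AL2023 does support.
  * repo_gpgcheck=1 only where the repo actually publishes repomd.xml.asc;
    otherwise dnf fails metadata download with the 403 seen in the thread
    and ignores the repo entirely.
  * Repo URLs must be https://, since TLS is the compensating control for
    unsigned metadata.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Constructed sample .repo text. The layout mirrors what the thread describes
# (repo_gpgcheck=0 by default, gpgcheck on); URLs are placeholders.
SAMPLE_REPO = """\
[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://cdn.example.invalid/al2023/core/mirrors/$releasever/$basearch/mirror.list
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023

[kernel-livepatch]
name=Amazon Linux 2023 Kernel Livepatch repository
mirrorlist=https://cdn.example.invalid/al2023/livepatch/mirrors/$releasever/$basearch/mirror.list
enabled=0
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023

[thirdparty]
name=Constructed third-party repo with weak settings
baseurl=http://mirror.example.invalid/x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
"""

# Constructed observation table: does the repo serve repomd.xml.asc?
# In this issue the AL2023 repos answered HTTP 403, i.e. no metadata signature.
METADATA_SIGNED = {"amazonlinux": False, "kernel-livepatch": False, "thirdparty": False}

URL_KEYS = ("baseurl", "mirrorlist", "metalink")


@dataclass
class Finding:
    repo: str
    severity: str  # "high" or "medium"
    message: str


def parse_repo_file(text: str) -> dict[str, dict[str, str]]:
    """Parse .repo INI text into {repo_id: {option: value}} (options lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def audit_repos(repos: dict[str, dict[str, str]],
                metadata_signed: dict[str, bool]) -> list[Finding]:
    """Apply the policy; dnf's built-in default for gpgcheck and repo_gpgcheck is 0."""
    findings: list[Finding] = []
    for repo_id, opts in repos.items():
        if opts.get("enabled", "1") != "1":
            continue  # a disabled repo is never consulted, nothing to enforce
        if opts.get("gpgcheck", "0") != "1":
            findings.append(Finding(repo_id, "high",
                "gpgcheck is not 1: package signatures will not be verified"))
        wants_repo_check = opts.get("repo_gpgcheck", "0") == "1"
        signed = metadata_signed.get(repo_id, False)
        if wants_repo_check and not signed:
            findings.append(Finding(repo_id, "high",
                "repo_gpgcheck=1 but the repo serves no repomd.xml.asc: "
                "dnf will fail metadata download and ignore this repo"))
        elif signed and not wants_repo_check:
            findings.append(Finding(repo_id, "medium",
                "repo publishes repomd.xml.asc but repo_gpgcheck is not enabled"))
        for key in URL_KEYS:
            url = opts.get(key)
            if url is not None and not url.startswith("https://"):
                findings.append(Finding(repo_id, "high",
                    f"{key} is not https://, so transport does not compensate "
                    "for unsigned metadata"))
    return findings


def audit_text(text: str, metadata_signed: dict[str, bool] = METADATA_SIGNED) -> list[Finding]:
    """Convenience wrapper: parse and audit one .repo file's contents."""
    return audit_repos(parse_repo_file(text), metadata_signed)


if __name__ == "__main__":
    for f in audit_text(SAMPLE_REPO):
        print(f"[{f.severity}] {f.repo}: {f.message}")
    # Same file after the sed from the bug report has flipped repo_gpgcheck to 1:
    # this reproduces, as a finding, why dnf then ignores the AL2023 repo.
    for f in audit_text(SAMPLE_REPO.replace("repo_gpgcheck=0", "repo_gpgcheck=1")):
        print(f"[{f.severity}] {f.repo}: {f.message}")
```

On a real host, read each file under /etc/yum.repos.d/ into audit_text and fill the metadata_signed table from an HTTPS probe of <baseurl>/repodata/repomd.xml.asc (a 200 means the repo supports metadata signing, a 403 or 404 means it does not); that probe is deliberately kept out of the example so it runs offline. The medium finding is the one to watch once the AL2023 repos start signing metadata, which is what this issue is tracking.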
