
[Bug] - not able to install/upgrade packages after enabling repo_gpgcheck

Open hyryo513 opened this issue 2 years ago • 11 comments

Describe the bug
Not able to install/upgrade packages after enabling repo_gpgcheck

To Reproduce

Run below commands to enable repo_gpgcheck and try to install any package.

docker run -it amazonlinux:latest /bin/bash
sed -i 's/repo_gpgcheck=0/repo_gpgcheck=1/g' /etc/yum.repos.d/amazonlinux.repo
yum -y install tar 

Observed the 403 error due to failed gpg check on the repodata

Amazon Linux 2023 repository                    114  B/s | 243  B     00:02    
Amazon Linux 2023 repository                    1.7 MB/s | 1.8 kB     00:00    
Amazon Linux 2023 repository                    182  B/s | 243  B     00:01    
Errors during downloading metadata for repository 'amazonlinux':
  - Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/c21f02b8b6bcdc9593b87e257d8839676b3e1bd5ac90e4a9cabdceada709cc2a/x86_64/repodata/repomd.xml.asc (IP: 13.227.37.127)
Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/c21f02b8b6bcdc9593b87e257d8839676b3e1bd5ac90e4a9cabdceada709cc2a/x86_64/repodata/repomd.xml.asc (IP: 13.227.37.127)
Ignoring repositories: amazonlinux
No match for argument: tar
Error: Unable to find a match: tar

hyryo513, May 03 '23 23:05

Confirmed. Looking at this now.

% docker run --rm -it amazonlinux:2023
bash-5.2#
bash-5.2# dnf update
...
Nothing to do.
Complete!
bash-5.2# sed -i 's/'repo_gpgcheck=0'/'repo_gpgcheck=1/g'' /etc/yum.repos.d/amazonlinux.repo
bash-5.2# dnf -y install tar
Amazon Linux 2023 repository                                                                                                                         1.7 MB/s | 1.8 kB     00:00
Importing GPG key 0xD832C631:
 Userid     : "Amazon Linux <[email protected]>"
 Fingerprint: B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
Amazon Linux 2023 repository                                                                                                                         128  B/s | 243  B     00:01
Amazon Linux 2023 repository                                                                                                                         1.7 MB/s | 1.8 kB     00:00
Amazon Linux 2023 repository                                                                                                                         207  B/s | 243  B     00:01
Errors during downloading metadata for repository 'amazonlinux':
  - Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/526492536dfaa842617fe15b566bbd04ea052950e4ab0e3e626b4e8905b9ee32/x86_64/repodata/repomd.xml.asc (IP: 204.246.191.101)
Error: Failed to download metadata for repo 'amazonlinux': GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/guids/526492536dfaa842617fe15b566bbd04ea052950e4ab0e3e626b4e8905b9ee32/x86_64/repodata/repomd.xml.asc (IP: 204.246.191.101)
Ignoring repositories: amazonlinux
No match for argument: tar
Error: Unable to find a match: tar

halfdime-code, May 04 '23 01:05

The AL2023 repos currently don't have metadata signing enabled. The packages themselves are signed, and communicating with the repos is done via https.

Let's keep this issue open so we can track when we enable this functionality.

stewartsmith, May 04 '23 01:05

Are there any updates on this? This issue fails CIS & NIST controls.

tburow, Oct 05 '23 19:10

Bump. We too would like to know if there has been any update on this. We're having to exclude a section of our CIS hardening that enables repo_gpgcheck, which isn't ideal.

devinmitchell, Oct 19 '23 14:10

To quote the CIS Amazon Linux 2023 Benchmark v1.0:

Take care to set this value to false (default) for particular repositories that do not support it.

Currently, that includes the AL2023 repositories that do not support it.

The CIS Benchmark for AL2023 does take care to indicate that it should only be set for repositories that support it.

stewartsmith, Oct 19 '23 22:10
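As an added example (not code from this issue, from Amazon Linux, or from CIS), a small audit that applies the CIS caveat quoted above: it parses a .repo file and flags enabled repositories where repo_gpgcheck=1 will fail because the repository serves no repomd.xml.asc, as well as repositories where package or metadata signature checks are off. The sample .repo contents and the thirdparty repository are constructed; treating a missing option as 0 is an assumption (the [main] section of dnf.conf may set a different default).

```python
# Added example (not from the issue or Amazon Linux): audit gpgcheck / repo_gpgcheck
# per repository. repo_gpgcheck=1 only works where the repository serves
# repomd.xml.asc; elsewhere dnf fails exactly as in the report above.
import configparser

# Constructed sample resembling /etc/yum.repos.d/amazonlinux.repo after the
# sed from the bug report, plus a hypothetical third-party repository.
SAMPLE_REPO_FILE = """\
[amazonlinux]
name=Amazon Linux 2023 repository
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023

[thirdparty]
name=Hypothetical third-party repository (constructed)
baseurl=https://repo.example.invalid/el9/
enabled=1
gpgcheck=0
repo_gpgcheck=0
"""

# Repository ids known (per this issue) not to serve repomd.xml.asc.
METADATA_UNSIGNED = frozenset({"amazonlinux"})

def parse_repos(text):
    """Return {repo_id: {option: value}} for every section of a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch etc. literal
    cp.read_string(text)
    return {sect: dict(cp.items(sect)) for sect in cp.sections()}

def audit(repos, metadata_unsigned=METADATA_UNSIGNED):
    """Return (repo_id, finding) pairs for enabled repos; a missing option counts as 0 (assumption)."""
    findings = []
    for repo_id, opts in repos.items():
        if opts.get("enabled", "1") != "1":
            continue
        if opts.get("gpgcheck", "0") != "1":
            findings.append((repo_id, "gpgcheck=0: package signatures are not verified"))
        repo_gpgcheck = opts.get("repo_gpgcheck", "0") == "1"
        if repo_gpgcheck and repo_id in metadata_unsigned:
            findings.append((repo_id, "repo_gpgcheck=1 but no repomd.xml.asc is served: dnf refuses metadata"))
        elif not repo_gpgcheck and repo_id not in metadata_unsigned:
            findings.append((repo_id, "repo_gpgcheck=0: metadata signature not enforced (CIS expects 1 where supported)"))
    return findings

if __name__ == "__main__":
    for repo_id, msg in audit(parse_repos(SAMPLE_REPO_FILE)):
        print(f"{repo_id}: {msg}")
```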

Best workaround to fix this: use the commands below to disable gpg_check.

sudo sed -i 's#repo_gpgcheck=1#repo_gpgcheck=0#' /etc/yum.repos.d/kernel-livepatch.repo
sudo sed -i 's#repo_gpgcheck=1#repo_gpgcheck=0#' /etc/yum.repos.d/amazonlinux.repo

ntndash, Mar 13 '24 06:03

Setting the option of disabling gpg_check aside, are there plans for Amazon Linux repositories to enable metadata signing?

mmeytin, Jul 26 '24 16:07

Maybe those can help: PSA for all RHEL/CentOS admins: enable repo_gpgcheck=1 for all repos NOW

CVE-2021-20271; as for the vulnerability report, this issue doesn't affect RHEL9, so if you are using RHEL9, it's enough to add repo_gpgcheck=1 to /etc/dnf/dnf.conf and remove it from /etc/yum.conf (this worked for me).

aldokimi, Sep 12 '24 10:09

Setting the option of disabling gpg_check aside, are there plans for Amazon Linux repositories to enable metadata signing?

I don't think so; I recently had a call with AWS support, and that bug is still not fixed.

ntndash, Sep 12 '24 11:09

Has anyone heard any updates on this issue?

devinmitchell, Jan 23 '25 15:01