glpi-agent icon indicating copy to clipboard operation
glpi-agent copied to clipboard
verified publisher icon glpi-project

Linux installation with perl script fails on Red Hat family distributions with localpkg_gpgcheck enabled in /etc/dnf/dnf.conf

Open PlqnK opened this issue 1 year ago • 2 comments

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

The glpi-agent RPM packages are not signed, but the perl installation script doesn't pass the --nogpgcheck flag to dnf when trying to install it, making dnf fail on installs where localpkg_gpgcheck = 1 has been configured in /etc/dnf/dnf.conf or /etc/yum.conf.

I'm not sure if localpkg_gpgcheck being true is the default on RHEL/CentOS Stream 9, but at least with the ANSSI-BP-028 minimal SCAP profile applied it is set (see https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-anssi_bp28_minimal.html#xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages).

To reproduce

  1. Get a RHEL/CentOS Stream 9 machine running
  2. Add localpkg_gpgcheck = 1 in /etc/dnf/dnf.conf
  3. Download the latest published linux perl installation script
  4. Execute it with perl glpi-agent-X.X-linux-installer.pl
  5. Watch dnf refuse to install the downloaded RPM because the signature is missing

Expected behavior

dnf should not fail to install the downloaded glpi-agent RPM.

The RPM should ideally be signed and the perl script should import the RPM public signing key, but it may not be feasible in the foreseeable future so instead you could add the --nogpgcheck flag to the dnf install command here https://github.com/glpi-project/glpi-agent/blob/77f7cdda24aa6d14ba8800f6bb71a18b98f4526d/contrib/unix/installer/RpmDistro.pm#L139 like it’s done with the openSUSE installation --allow-unsigned-rpm just above.

Operating system

Linux

GLPI Agent version

v1.11

GLPI version

Not applicable

GLPIInventory plugin or other plugin version

Not applicable

Additional context

No response

PlqnK avatar Oct 21 '24 13:10 PlqnK

Hi @PlqnK

the question has still been discussed in this discussion: https://github.com/glpi-project/glpi-agent/discussions/723

To me, it's a bad idea to add --nogpgcheck as this will prevent also this check on dependencies even where it's not a problem.

But maybe adding --setopt=localpkg_gpgcheck=0 can work.

g-bougard avatar Oct 30 '24 15:10 g-bougard

I confirm this works. You can modify the installer this way:

sed -ie 's/dnf -y install/dnf -y install --setopt=localpkg_gpgcheck=0/' glpi-agent-1.11-linux-installer.pl

g-bougard avatar Oct 30 '24 15:10 g-bougard

Hi!

Sorry for taking so much time to respond.

the question has still been discussed in this discussion: #723

It didn't cross my mind to search in the discussions tab, I'll remember to do it next time!

I confirm this works. You can modify the installer this way:

sed -ie 's/dnf -y install/dnf -y install --setopt=localpkg_gpgcheck=0/' glpi-agent-1.11-linux-installer.pl

I ended up implementing it and it works as expected! Maybe it would be a good idea to set it as default in your installer like you already do for zypper? https://github.com/glpi-project/glpi-agent/blob/77f7cdda24aa6d14ba8800f6bb71a18b98f4526d/contrib/unix/installer/RpmDistro.pm#L138

PlqnK avatar Jan 21 '25 21:01 PlqnK