RPM is not signed #32
Comments
|
Since it's been over a year, I forked this project and published an alternative to Galaxy. https://github.com/deekayen/al-agents-ansible-playbooks has a kludge, some updates, and Molecule testing until I can get Alert Logic to publish the GPG key so we can do a proper key import and/or validation task. |
deekayen
added a commit
to deekayen/al-agents-ansible-playbooks
that referenced
this issue
May 16, 2022
Import Alert Logic GPG key, validate the fingerprint, verify RPM.
|
Something like this would probably be sufficient for RHEL 8/9: In tasks/install_agent.yml: - name: Import Alert Logic Atlas GPG key.
ansible.builtin.rpm_key:
key: "{{ al_agent_gpg_key }}"
fingerprint: "{{ al_agent_gpg_fingerprint }}"
state: present
when:
- ansible_os_family == "RedHat"In vars/RedHat.yml: al_agent_gpg_key: "{{ al_agent_base_url }}/software/al-agent-pkg-key.asc"
al_agent_gpg_fingerprint: '9a2a3e9a817127b121b2b2fb00802f0e0186cc36' |
|
Public contributions are welcome! Anyone can submit a Pull Request for features and further OS support. We will review them and publish them once approved. Please follow the guidelines in the Readme and we will happily review and test them on our end. https://github.com/alertlogic/al-agents-ansible-playbooks#contributing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This ansible role fails on Amazon Linux 2 instances due to an unsigned package.
Amazon Linux 2 instances have
gpgcheck=1configured by default.As implemented, this role does not work on Amazon Linux 2, or any system with
gpgcheck=1enabled.Workaround: switch from
packagetoyumfor RedHat and explicitly setdisable_gpg_check: trueIt seems that a security product should expect to be installed on a securely configured instance.
Given the recent debacle with Solarwinds, it is somewhat scary to install vendors unsigned packages.
The text was updated successfully, but these errors were encountered: