GPG Verification Failure for CloudWatch Agent on RHEL 8

[onedownsixup]

Describe the bug

The problem arises when attempting to install the CloudWatch agent on RHEL 8 using Ansible. The GPG verification for the agent fails, preventing successful installation, even after importing the GPG key.

Steps to reproduce

1. Attempt to install the CloudWatch agent on RHEL 8 using Ansible.
2. Import the GPG key using the module ansible.builtin.rpm_key.
3. Try to install the agent using the module ansible.builtin.dnf.

What did you expect to see?

The CloudWatch agent should be installed successfully, verified by the GPG key already imported to the RPM using the module ansible.builtin.rpm_key.

What did you see instead?

The installation fails with the following error message when trying to install using the ansible.builtin.dnf module:

Failed to validate GPG signature for amazon-cloudwatch-agent-1.300041.0b681-1.x86_64: Package _amazon-cloudwatch-agent.rpm is not signed

What version did you use?

Version: 1.300041.0b681

Environment

OS: Red Hat Enterprise Linux 8

Additional context

Following the AWS documentation, it appears that the installer does not match the GPG key imported. Since the GPG verification fails, the installation cannot proceed. This issue persists even after downloading the latest version of the agent and importing the GPG key as mentioned in the documentation.

From the details provided below, it looks like the amazon-ssm-agent package is signed correctly, but the amazon-cloudwatch-agent package is not signed at all:

# rpm -qpi amazon-ssm-agent.rpm

Name        : amazon-ssm-agent
Version     : 3.3.551.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Amazon/Tools
Size        : 119275951
License     : Apache License, Version 2.0
Signature   : RSA/SHA1, Fri 14 Jun 2024 07:06:18 PM UTC, Key ID bc1f495c97dd04ed
Source RPM  : amazon-ssm-agent-3.3.551.0-1.src.rpm
Build Date  : Fri 14 Jun 2024 06:03:04 PM UTC
Build Host  : build.amazon.com
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://docs.aws.amazon.com/ssm/latest/APIReference/Welcome.html
Summary     : Manage EC2 Instances using SSM APIs
Description :
This package provides Amazon SSM Agent for managing EC2 Instances using SSM APIs

# rpm -qpi amazon-cloudwatch-agent.rpm

Name        : amazon-cloudwatch-agent
Version     : 1.300041.0b681
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/CloudWatch-Agent
Size        : 422303104
License     : MIT License. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Signature   : (none)
Source RPM  : amazon-cloudwatch-agent-1.300041.0b681-1.src.rpm
Build Date  : Mon 10 Jun 2024 05:35:01 PM UTC
Build Host  : ip-172-31-23-244.us-west-2.compute.internal
Relocations : (not relocatable)
Summary     : Amazon CloudWatch Agent
Description :
This package provides daemon of Amazon CloudWatch Agent

[okankoAMZ]

Hello!
Thank you for reaching out. I am currently trying to re-create this issue.

[okankoAMZ]

Hello!
I was unable to re-create this issue. Could you show me what commands you used to download the signature? Could you also try the latest version of CloudWatch Agent to see if this issue proceed?

[github-actions]

This issue was marked stale due to lack of activity.

[mike-buckler]

I am experiencing this exact same issue. In the past we've been able to use Ansible to deploy the cloud watch agent without issue. However, we are now seeing this same behavior where the package shows as unsigned. Here are the commands I used for testing:

[root@localhost STAGE S:E ~]# curl https://amazoncloudwatch-agent.s3.amazonaws.com/assets/amazon-cloudwatch-agent.gpg -o amazon-cloudwatch-agent.gpg
[root@localhost STAGE S:E ~]# curl https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm.sig -o amazon-cloudwatch-agent.rpm.sig
[root@localhost STAGE S:E ~]# curl https://amazoncloudwatch-agent.s3.amazonaws.com/redhat/amd64/latest/amazon-cloudwatch-agent.rpm -o amazon-cloudwatch-agent.rpm

[root@localhost STAGE S:E ~]# gpg --import amazon-cloudwatch-agent.gpg
gpg: key D58167303B789C72: "Amazon CloudWatch Agent" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

[root@localhost STAGE S:E ~]# gpg --fingerprint D58167303B789C72
pub rsa2048 2017-11-14 [SC]
9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72
uid [ unknown] Amazon CloudWatch Agent

[root@localhost STAGE S:E ~]# gpg --verify amazon-cloudwatch-agent.rpm.sig amazon-cloudwatch-agent.rpm
gpg: Signature made Wed 06 Nov 2024 09:02:46 PM EST
gpg: using RSA key D58167303B789C72
gpg: Good signature from "Amazon CloudWatch Agent" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9376 16F3 450B 7D80 6CBD 9725 D581 6730 3B78 9C72

[root@localhost STAGE S:E ~]# rpm -qpi amazon-cloudwatch-agent.rpm
Name : amazon-cloudwatch-agent
Version : 1.300049.1b929
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : Applications/CloudWatch-Agent
Size : 331527776
License : MIT License. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Signature : (none)
Source RPM : amazon-cloudwatch-agent-1.300049.1b929-1.src.rpm
Build Date : Wed 06 Nov 2024 08:30:04 PM EST
Build Host : ip-172-31-62-29.us-west-2.compute.internal
Relocations : (not relocatable)
Summary : Amazon CloudWatch Agent
Description :
This package provides daemon of Amazon CloudWatch Agent

This is worrying since we dont have a signed version of this package available to us anymore.