sensu/sensu-chef

Unsigned packages can't be installed on systems that support gpg key checking

Opened this issue · 3 comments

Expected Behavior

Should install without error

Current Behavior

   [2019-05-20T14:59:31+00:00] ERROR: yum_package[sensu] (sensu::_linux line 82) had an error: Chef::Exceptions::Exec: yum -d0 -e0 -y install sensu-0.26.5-2 returned 1:
   STDOUT:
   STDERR:

   Package sensu-0.26.5-2.el5.x86_64.rpm is not signed

Steps to Reproduce (for bugs)

Run kitchen converge with a centos 6.8 vagrant provisioner.

Context

Unable to install sensu

Your Environment

  • Version of this cookbook used:
  • Version of Sensu used: sensu-0.26.5-2
  • Version of Chef used: chef-12.22.3
  • Operating System and version (e.g. CentOS 7, Ubuntu 14.04): CentOS 6.8

@mesgme That is a very old version of sensu and I am pretty sure that was before the packages were signed. Can you validate if you see the same with a recent version?

Thanks for getting back to me Ben. Yes, it is old; however, that's the version they've standardised on at work.

It seems like the line
repo.gpgcheck(true) if repo.respond_to?(:gpgcheck)
in _linux.rb

looks like it checks that the repo supports gpg checking and is therefore set to true, but that particular package isn't signed and so there's an issue.

I've hacked a fix to always set gpgchecking to false in a private fork. A more robust solution would be to either:
  • Catch the error when the package is not signed and set gpgcheck(false), or
  • Allow the gpg check to be set in attributes and then honoured in this check.

If either seems appropriate, let me know - I can make the change via PR, then you can approve if you think it's worth it.

repo.gpgcheck(true) if repo.respond_to?(:gpgcheck)

I believe this is actually not meant to test whether the package supports gpg; it's to test if the resource itself supports gpg keychecks. Perhaps something along the lines of (pseudo code):

repo.gpgcheck(true) if repo.respond_to?(:gpgcheck) && sensu_version >= first_signed_version

I'd certainly accept a PR that implements that properly.
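The version gate from the pseudo code above, combined with the attribute override proposed earlier in the thread, written out as an added example (not code from the sensu-chef cookbook). The module, method and parameter names are hypothetical, and `FIRST_SIGNED_PLACEHOLDER` is a constructed value, since the thread does not say which release was the first signed one.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Added example; every name below is hypothetical.
module GpgcheckPolicy
  # Constructed placeholder: the thread does not state the first signed release.
  FIRST_SIGNED_PLACEHOLDER = "1.0.0"

  module_function

  # "0.26.5-2" -> Gem::Version("0.26.5"). The package iteration is dropped
  # because Gem::Version reads "-2" as a prerelease suffix, which would sort
  # 0.26.5-2 below 0.26.5 and break the >= comparison at the boundary.
  def upstream_version(package_version)
    Gem::Version.new(package_version.to_s.split("-", 2).first)
  end

  # Returns true or false, or nil when the resource has no gpgcheck property.
  def decide(repo, sensu_version, first_signed_version, override = nil)
    return nil unless repo.respond_to?(:gpgcheck)
    return override unless override.nil? # explicit true/false from attributes

    upstream_version(sensu_version) >= upstream_version(first_signed_version)
  rescue ArgumentError
    true # unparseable version string: keep signature checking on
  end

  # Applies the decision to the repository resource and returns it.
  def apply(repo, *args)
    decision = decide(repo, *args)
    repo.gpgcheck(decision) unless decision.nil?
    decision
  end
end

# Constructed stand-in for a repository resource that has a gpgcheck property.
class FakeRepo
  def gpgcheck(value = nil)
    @gpgcheck = value unless value.nil?
    @gpgcheck
  end
end

if __FILE__ == $PROGRAM_NAME
  repo = FakeRepo.new
  GpgcheckPolicy.apply(repo, "0.26.5-2", GpgcheckPolicy::FIRST_SIGNED_PLACEHOLDER)
  puts "gpgcheck for 0.26.5-2: #{repo.gpgcheck}"
end
```

With this shape, signature checking stays on unless the requested version predates signing or an attribute turns it off explicitly, so the downgrade is visible in the node's attributes.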