Agent packages unsigned in Raw Edition

Hi

I’m running the Raw edition of checkmk and from p9 the agent packages are unsigned and fail to install. Since there is no Bake option in the Raw Edition, how should I go about getting the agent packages signed?

/Marcus

CMK version: 2.1.0p10
OS version: openSUSE 15.3

Error message:
check-mk-agent-2.1.0p10-1.noarch.rpm:
Package header is not signed!

check-mk-agent-2.1.0p10-1.noarch (Plain RPM files cache): Signature verification failed [6-File is unsigned]
Abort, retry, ignore? [a/r/i] (a): a
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.
cleaning old clients from storage…
Moving file to storage…

Hi Marcus,

I guess that's not the signing of the Agent Bakery but the signing of the RPM package. You may try to import the checkmk GPG key into rpm from:

https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg

try

rpm --import https://download.checkmk.com/checkmk/Check_MK-pubkey.gpg

You may even ignore this,
see RPM and GPG: How to verify Linux packages before installing them

BR

Michael

Hi

I have imported the public key earlier but did it again, but get the same error, and yes, it is the rpm package that it complains about.

Ran “rpm -K check-mk-agent-2.1.0p10-1.noarch.rpm” from the link you gave and it says it is ok.
check-mk-agent-2.1.0p10-1.noarch.rpm: digests OK

Did all the checks from the link to verify the package and pubkey, removed and imported the key again, same error.

I have the option to ignore, but would rather not. I kind of have it all automated and do not want to install manually or risk installing a compromised package, but maybe it is just some files inside the package that are unsigned and the package is ok if it says “digests OK” on the RPM file?

BR

Marcus

I have only Enterprise available, but if I do an rpm --checksig I get an OK for all agent packages.
I know from earlier days we had to sign checkmk packages with our own gpg key, but nowadays I no longer have this issue. Also, colleagues from the Linux OP team didn't complain about the installation and we have already installed ~400 hosts.

BR

Michael

Hello,

I verified that the RPM is signed with the checkmk key in the Enterprise edition. You may verify with your Raw edition:

# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p check-mk-enterprise-2.0.0p27-el7-38.x86_64.rpm
check-mk-enterprise-2.0.0p27-el7-38 RSA/SHA512, Wed 20 Jul 2022 09:07:59 AM CEST, Key ID 434dac48c4503261 (none)

You need the last 8 characters from the Key-ID:

[root@deaugwuxl0666 datex]# rpm -qa gpg-pubkey* | grep c4503261
gpg-pubkey-c4503261-5a76cb60

Then you can show the details about the signing GPG Key:

[root@deaugwuxl0666 datex]# rpm -qi gpg-pubkey-c4503261-5a76cb60
Name        : gpg-pubkey
Version     : c4503261
Release     : 5a76cb60
Architecture: (none)
Install Date: Mon 22 Aug 2022 05:02:10 PM CEST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Sun 04 Feb 2018 09:59:12 AM CET
Build Host  : localhost
Relocations : (not relocatable)
Packager    : Check_MK Software Daily Build Signing Key (2018) <feedback@check-mk.org>
Summary     : gpg(Check_MK Software Daily Build Signing Key (2018) <feedback@check-mk.org>)
Description :

Hi, this is what I got when running against the agent rpm package.

# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p check-mk-agent-2.1.0p10-1.noarch.rpm
check-mk-agent-2.1.0p10-1 (none) (none)

It does not seem to be signed, if I read the output correctly.

BR

Marcus
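
The two query outputs posted above can drive a gate for an automated install. This is an added example, not part of the thread or of Checkmk's own tooling; the function names are hypothetical, and EXPECTED_KEYID is the Key ID from the Enterprise output above, assumed here to be the key you want to require.

```shell
#!/bin/sh
# Added example: refuse an RPM unless its header is signed by an expected key.
# Assumption: EXPECTED_KEYID is the Key ID printed for the Enterprise package
# in this thread; confirm it against the key you actually imported.
EXPECTED_KEYID="434dac48c4503261"
QF='%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'

# sig_keyid LINE
# LINE is one line of output from: rpm -q --qf "$QF" -p FILE
# Prints the lowercase 16-hex-digit Key ID, or "unsigned" if both tags are (none).
sig_keyid() {
    keyid=$(printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'A-F' 'a-f')
    if [ -n "$keyid" ]; then
        printf '%s\n' "$keyid"
    else
        printf 'unsigned\n'
    fi
}

# check_sig_line LINE
# Returns 0 if signed by EXPECTED_KEYID, 1 if unsigned, 2 if signed by another key.
check_sig_line() {
    case "$(sig_keyid "$1")" in
        "$EXPECTED_KEYID") return 0 ;;
        unsigned)          return 1 ;;
        *)                 return 2 ;;
    esac
}

# verify_rpm FILE
# Returns 0 only if FILE names the expected key AND rpm verifies the signature.
# 3 = rpm could not read the package, 4 = signature check failed or key missing.
verify_rpm() {
    line=$(rpm -q --qf "$QF" -p "$1" 2>/dev/null) || return 3
    check_sig_line "$line" || return $?
    # The Key ID in the header is only a claim; rpm -K checks it cryptographically
    # against the keys imported into the rpm database.
    rpm -K "$1" >/dev/null 2>&1 || return 4
}
```

`rpm -K` on its own is not enough as a gate: for the unsigned agent package in this thread it reported `digests OK`, which is why the Key ID check comes first.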

OK, I see. Then you have only two options:

  1. Sign the package with your own GPG key (That's what we did in earlier times)
  2. Ignore the signing while installing with option yum --nogpgcheck, rpm -i --nosignature or in the repo config.

Maybe someone else has a better solution?

regards

Michael

Thanks for your response and aid.

I will think about installing it unsigned to get it in phase with the server version; I just want to keep up some sense of security in my home network if possible.

Just hoping some devs read this and get a fix out for this, it is an awesome monitoring software even for advanced home users like me. 🙂

Thanks

/Marcus

Installed 2.1.0p26 today, same issue with the RPM package. Is this by design that the Raw version does not have signed packages anymore?

/Marcus