RPMs in Plugin repository signed with unknown key

Problem:
Historically the plugin rpms have not been signed.

The welcome page on the yum repo: https://yum.theforeman.org/ states:

“Plugin repos are not GPG signed.”

However the rpms now appear to be signed, but with an unknown key:

For example, from the 3.10 plugins repo:

[root@1b4c81775e21 foreman-plugins]$ rpm -qip rubygem-vault-doc-0.12.0-2.el9.noarch.rpm
warning: rubygem-vault-doc-0.12.0-2.el9.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 73883a2e: NOKEY
Name        : rubygem-vault-doc
Version     : 0.12.0
Release     : 2.el9
Architecture: noarch
Install Date: (not installed)
Group       : Documentation
Size        : 1461516
License     : MPL-2.0
Signature   : RSA/SHA256, Thu Feb 22 18:47:54 2024, Key ID e7ca9d1a73883a2e
Source RPM  : rubygem-vault-0.12.0-2.el9.src.rpm
Build Date  : Tue Jan 16 21:49:20 2024
Build Host  : copr-hv-x86-64-02-prod-01295871-20240116-212825
Vendor      : Fedora Copr - group @theforeman
URL         : https://github.com/hashicorp/vault-ruby
Summary     : Documentation for rubygem-vault
Description :
Documentation for rubygem-vault.
[root@1b4c81775e21 foreman-plugins]$ cat /etc/yum.repos.d/foreman-plugins.repo
[foreman-plugins]
name=Foreman plugins 3.10
baseurl=https://yum.theforeman.org/plugins/3.10/el9/$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman

[foreman-plugins-source]
name=Foreman plugins 3.10 - source
baseurl=https://yum.theforeman.org/plugins/3.10/el9/source
enabled=0
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
[root@1b4c81775e21 foreman-plugins]$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-foreman
[root@1b4c81775e21 foreman-plugins]$ rpm --checksig --verbose  rubygem-vault-doc-0.12.0-2.el9.noarch.rpm
rubygem-vault-doc-0.12.0-2.el9.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 73883a2e: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 73883a2e: NOKEY
    MD5 digest: OK
[root@1b4c81775e21 foreman-plugins]$ rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
AlmaLinux OS 9 <packager@almalinux.org> public key
Foreman Automatic Signing Key (3.10) <packages@theforeman.org> public key

Expected outcome:

gpgkey in foreman-plugins.repo should match signing key and gpgcheck should be enabled

Foreman and Proxy versions:

3.10 (same in 3.12)

Foreman and Proxy plugin versions:

3.10 (same in 3.12)

Distribution and version:

Alma 9 (also RHEL 9)

bump - does anyone have any information on this?

That’s a key that is autogenerated by our build infra and we have no control over.
Please treat those packages as “unsigned” as before.

Thanks for the explanation @evgeni - at least I understand why they are like that now.
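
An added example, not part of the thread and not Foreman's own tooling: a Python check that automates what the first post does by hand. It lists packages whose signature `rpm --checksig --verbose` could not verify, and enabled repos with `gpgcheck=0`. The sample inputs are constructed from the output quoted above; the second package and its key ID `0a1b2c3d` are invented for contrast.

```python
import configparser
import re

# Constructed samples modelled on the thread's output; the second package is invented.
CHECKSIG = """\
rubygem-vault-doc-0.12.0-2.el9.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 73883a2e: NOKEY
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 73883a2e: NOKEY
example-signed-1.0-1.el9.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
"""
REPO = """\
[foreman-plugins]
baseurl=https://yum.theforeman.org/plugins/3.10/el9/$basearch
enabled=1
gpgcheck=0

[foreman-plugins-source]
enabled=0
gpgcheck=0
"""

SIG = re.compile(r"Signature, key ID ([0-9a-f]+): (\w+)")

def unverified_signatures(checksig_text):
    """Map package file -> {(key_id, status)} for signatures rpm did not report as OK."""
    result, pkg = {}, None
    for line in checksig_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg = line[:-1]          # unindented "name.rpm:" starts a new package
            continue
        m = SIG.search(line)
        if m and pkg and m.group(2) != "OK":
            result.setdefault(pkg, set()).add((m.group(1), m.group(2)))
    return result

def repos_without_gpgcheck(repo_text):
    """Return enabled repo ids that explicitly set gpgcheck=0."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(repo_text)
    return [s for s in cp.sections()
            if cp.get(s, "enabled", fallback="1") == "1"
            and cp.get(s, "gpgcheck", fallback="") == "0"]

if __name__ == "__main__":
    for pkg, sigs in unverified_signatures(CHECKSIG).items():
        print(pkg, sorted(sigs))
    print("gpgcheck disabled:", repos_without_gpgcheck(REPO))
```

A repo that omits `gpgcheck` inherits the value from the `[main]` section of the dnf/yum configuration, so this only flags repos that disable it explicitly.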