[uyuni-users] spacewalk-repo-sync - repomd.xml
Hello all.
I've recently come over from spacewalk to suse manager, and found an issue regarding spacewalk-repo-sync, because some of my inhouse software providers do not sign their repomd.xml file:
# spacewalk-repo-sync --channel inhousechannel
06:42:48 ======================================
06:42:48 | Channel: inhousechannel
06:42:48 ======================================
06:42:48 Sync of channel started.
Preparing custom SSL CAPATH at /var/cache/rhn/reposync/.ssl-certs/1
Retrieving repository 'inhousechannel' metadata ----------------------------------------------------------------[]
Warning: File 'repomd.xml' from repository 'inhousechannel' is unsigned.
Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy anymore! You should not continue unless you know it's safe.
File 'repomd.xml' from repository 'inhousechannel' is unsigned, continue? [yes/no] (no):
If I press y, the sync will occur, but I was wondering if there is a flag I can pass to have the missing xml signature ignored?
I know that it is a BAD security error to do so, but at present I really do not have any choice.
Can you help me please?
Thanks,
Nuno
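The warning quoted above calls repomd.xml the master index that ensures the integrity of the whole repo. The following Python is added here as an illustration (it is not code from this thread or from Uyuni) of what that means: every other metadata file is pinned by a checksum inside repomd.xml, so when repomd.xml itself carries no signature, nothing anchors those checksums. It builds a constructed one-file repo in a temporary directory, reports whether a detached repomd.xml.asc is present, and checks each listed file against its declared checksum; the names build_sample_repo and audit_repodata are the example's own.

```python
import gzip
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# repomd.xml uses the createrepo namespace
NS = {"r": "http://linux.duke.edu/metadata/repo"}
# repomd checksum type names that differ from hashlib's
ALGO_ALIASES = {"sha": "sha1"}


def audit_repodata(repodata_dir):
    """Return {'signed': bool, 'checksums': {data type: bool}} for a repodata/ dir.

    'signed' is True only if a detached signature (repomd.xml.asc) sits next to
    repomd.xml; each 'checksums' entry compares the declared digest with the file."""
    repomd = os.path.join(repodata_dir, "repomd.xml")
    signed = os.path.exists(repomd + ".asc")
    root = ET.parse(repomd).getroot()
    checksums = {}
    for data in root.findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        cs = data.find("r:checksum", NS)
        algo = ALGO_ALIASES.get(cs.get("type"), cs.get("type"))
        # href is relative to the repository root, the parent of repodata/
        path = os.path.join(os.path.dirname(repodata_dir), href)
        with open(path, "rb") as f:
            actual = hashlib.new(algo, f.read()).hexdigest()
        checksums[data.get("type")] = (actual == cs.text.strip())
    return {"signed": signed, "checksums": checksums}


def build_sample_repo(tamper=False):
    """Constructed fixture: an unsigned repo with a single primary.xml.gz."""
    base = tempfile.mkdtemp()
    repodata = os.path.join(base, "repodata")
    os.makedirs(repodata)
    primary = os.path.join(repodata, "primary.xml.gz")
    with open(primary, "wb") as f:
        f.write(gzip.compress(b'<metadata packages="1"/>'))  # not a real primary.xml
    # The index pins the compressed file exactly as it is served
    with open(primary, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if tamper:
        # Simulate the file being altered after the index was generated
        with open(primary, "wb") as f:
            f.write(gzip.compress(b'<metadata packages="2"/>'))
    with open(os.path.join(repodata, "repomd.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
                '  <data type="primary">\n'
                f'    <checksum type="sha256">{digest}</checksum>\n'
                '    <location href="repodata/primary.xml.gz"/>\n'
                '  </data>\n</repomd>\n')
    return repodata
```

A tampered metadata file is caught by the checksum, but a tampered repomd.xml is only caught if the signature check is kept; that is the gap the "Has Signed Metadata?" setting toggles.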
On Thu, May 28, 2020 at 1:57 PM Nuno Higgs
This is technically a behavioral breakage and shouldn't have happened. GPG checking the metadata will fail for virtually all non-SUSE repositories, because it's *really* uncommon to sign the repository metadata. This should be fixed. :(
--
真実はいつも一つ!/ Always, there's only one truth!
--
To unsubscribe, e-mail: uyuni-users+unsubscribe@opensuse.org
To contact the owner, e-mail: uyuni-users+owner@opensuse.org
On Thursday, 28 May 2020 20:00:18 (CEST) Neal Gompa wrote:
Oh, sorry. I just replied and didn't see this message. I wonder why this is happening. I synced Oracle repositories last week and CentOS repositories not a long time ago, and I don't remember this failure. But according to what you just said, it should happen if syncing Oracle and CentOS, right?
--
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
jgonzalez@suse.com
Hello,
No. They are internal repos of the company. The dev team builds the apps, and then publishes them via RPM to a yum repo.
In the regular spacewalk we did not have this warning.
Thanks,
Nuno
-----Original Message-----
From: Julio González Gil [mailto:jgonzalez@suse.com]
Sent: 28 May 2020 19:32
To: uyuni-users@opensuse.org
Cc: Neal Gompa; Nuno Higgs
Subject: Re: [uyuni-users] spacewalk-repo-sync - repomd.xml
On Thursday, 28 May 2020 20:00:18 (CEST) Neal Gompa wrote:
Short term (ugly! and dangerous!) you could consider using the command 'yes'
https://www.howtogeek.com/415535/how-to-use-the-yes-command-on-linux/
Or if you want to answer yes only to that question, you could consider an expect script
https://likegeeks.com/expect-command/
AFAIK we don't have an endpoint on the API to do this, and neither is supported by spacecmd. In the end the solutions above are hacks so...
Maybe you can create an issue? I guess that if there's enough community interest, an implementation could be considered. Not sure how hard it will be. So far I know https://github.com/uyuni-project/uyuni/blob/master/backend/satellite_tools will require changes (spacewalk-repo-sync, reposync.py, yum_src.py and not sure if part of the Java code).
If you are somehow familiar with Python, you could also consider having a look and try a PR :-) However implementing it is maybe not that hard
On Thursday, 28 May 2020 19:56:58 (CEST) Nuno Higgs wrote:
--
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
jgonzalez@suse.com
Hi
What product (Uyuni or SUSE Manager?) and version are we talking about?
This may have been introduced in Uyuni 2020.03 or Uyuni 2020.04 (can't really remember) when we added support for signed Debian metadata but I think we have fixed that already.
Thank you
Pau Garcia Quiles
SUSE Manager Product Owner & Technical Project Manager
Phone: +1 385-666-5608
SUSE Software Solutions Spain
________________________________
From: Nuno Higgs
Hi,
When a new repository is created, the option "Has Signed Metadata?:" is enabled by default.
Have you unselected it for your inhousechannel repository ?
Regards,
Philippe.
Philippe Bidault | Unix Engineer
Getronics
________________________________
M. 34617301667 | E. Philippe.Bidault@Getronics.com | W. www.getronics.com
Getronics CMC Service Desk Iberia S.L - VAT No:S.L.: B66686262.
Registered Office - Getronics CMC Service Desk Iberia S.L, C/Rosselloi, Porcel, 21 planta 11, 08016 Barcelona, Spain.
The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you.
Legal disclaimer: http://www.getronics.com/legal/
From: Pau Garcia Quiles
Hello Philippe,
Perfect. It was this. I didn't notice the option when I configured the repo.
Thanks a lot for your help!
Thank all for all your help!
--
Kindly,
Nuno
From: Bidault, Philippe [mailto:Philippe.Bidault@Getronics.com]
Sent: 28 May 2020 20:54
To: Pau Garcia Quiles; Nuno Higgs; uyuni-users@opensuse.org
Subject: RE: [uyuni-users] spacewalk-repo-sync - repomd.xml
Glad it solved your issue.
Perhaps it would be good to have this option disabled by default?
Regards,
Philippe.
From: Nuno Higgs
On Friday, 29 May 2020 10:40:01 (CEST) Bidault, Philippe wrote:
Or at the very least, we should consider improving the message spacewalk-repo-sync gives you:
Retrieving repository 'inhousechannel' metadata ----------------------------------------------------------------[]
Warning: File 'repomd.xml' from repository 'inhousechannel' is unsigned.
Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy anymore! You should not continue unless you know it's safe.
File 'repomd.xml' from repository 'inhousechannel' is unsigned, continue? [yes/no] (no):
And mention that if this is correct, you should consider disabling the "signed metadata" option on the repository.
Problem is... I am pretty sure this comes not from Uyuni but from the package manager.
@Pablo: any idea?
--
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
jgonzalez@suse.com
On Fri, May 29, 2020 at 5:43 AM Julio González Gil
This is definitely coming from Zypper. It's a Zypper-style message and I know from personal experience how annoying it is to get it to not do that. :(
--
真実はいつも一つ!/ Always, there's only one truth!
Hello,
The version is 4.1.8-1.2.uyuni.noarch (the existing one today on the suse repos).
Thanks for your help.
Nuno
From: Pau Garcia Quiles [mailto:pau.garcia@suse.com]
Sent: 28 May 2020 20:13
To: Nuno Higgs; uyuni-users@opensuse.org
Subject: RE: [uyuni-users] spacewalk-repo-sync - repomd.xml