Bug 1410638 - [RFE] Give Satellite the ability to select if repo metadata should be signed with the key provided for rpm verification
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.2.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Devendra Singh
URL:
Whiteboard:
Duplicates: 1531780
Depends On: 1589288
Blocks: 1784513
 
Reported: 2017-01-06 00:20 UTC by Rick Dixon
Modified: 2021-04-06 17:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1589288 1784513
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)
Backported for Satellite 6.12 servers (15.97 KB, patch), 2017-12-23 19:14 UTC, Paul Donohue
Backported for Satellite 6.12 clients (3.40 KB, patch), 2017-12-23 19:14 UTC, Paul Donohue
Backported for Satellite 6.12 clients (1.71 KB, patch), 2018-01-05 00:16 UTC, Paul Donohue


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 26789 | 0 | Normal | New | Support repo metadata signing | 2021-02-19 11:22:51 UTC
Pulp Redmine | 3055 | 0 | Normal | CLOSED - CURRENTRELEASE | As a user, I can publish a Yum repository that works with repo_gpgcheck=1 | 2018-10-31 22:32:45 UTC

Comment 2 Shawn Wells 2017-03-24 17:39:27 UTC
Hello. The DoD has released the RHEL7 STIG, so this has now become an official requirement for US Government systems. This means every Satellite deployment to US DoD, or agencies that follow DoD guidance (e.g. System Integrators, like Booz and Lockheed) will now need special waivers to use Satellite.

Have there been any conversations on if/when this functionality will be developed and released for Satellite?

Comment 3 Scoots Hamilton 2017-04-11 22:52:30 UTC
Hello All, 

Scoots here. Is there any chance that we have been able to ascertain any information regarding this bug?

Thank you in advance! 

Scoots

Comment 4 It's me, really 2017-05-22 20:22:51 UTC
For your info, here is the direct STIG requirement:
##### SECTION 3 STIG requirement, CAT 1 (category 1) finding
#############################
### begin quoted text from current STIG
Group ID (Vulid):  V-71981
Group Title:  SRG-OS-000366-GPOS-00153
Rule ID:  SV-86605r1_rule
Severity: CAT I
Rule Version (STIG-ID):  RHEL-07-020070
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.


Vulnerability Discussion:  Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.


Check Content:  
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the package metadata prior to install with the following command:

# grep repo_gpgcheck /etc/yum.conf
repo_gpgcheck=1

If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified. 

If there is no process to validate the metadata of packages that is approved by the organization, this is a finding.

Fix Text: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:

repo_gpgcheck=1   

CCI: CCI-001749
### end quoted text from current STIG
#############################

We have a case ID for this (01853464)

Comment 5 It's me, really 2017-05-22 20:23:44 UTC
sorry, ignore the line that says "section 3" in my previous post

Comment 6 It's me, really 2017-05-22 20:36:06 UTC
I've seen an article someone wrote for a non-satellite yum repo where they used:

gpg --detach-sign --armor repodata/repomd.xml

Apparently this command will create a file named repodata/repomd.xml.asc
which contains an ASCII version of the GPG signature of the
repository metadata file repomd.xml.

I'm highly reluctant to run this command for the affected complaints of the yum repos on our Satellite 6.2.9 servers because the impact could exceed the support we have from Red Hat.

However, while that can be executed for a non-satellite repository, this doesn't mean it "should" be done for a satellite repository given the impact of the satellite being a supported product from Red Hat.  However, maybe this is something that could be considered along with the other facets associated with resolving this.

Comment 7 It's me, really 2017-05-23 14:32:52 UTC
Side note, for making this available for RHEL 7 in general (besides making it available for Satellite 6.2.current): today we created/presented an EPEL 7 repo locally and attempted to use [gpg --detach-sign --armor /the_path/repodata/repomd.xml], and it fails when FIPS is enabled.

We found a solution ID at https://access.redhat.com/solutions/2130631; however, it basically says to wait until RHEL 7.4. I bring this up here even though this Bugzilla is for Satellite; it seems related if FIPS is considered in the solution ID https://access.redhat.com/solutions/2130631

Comment 8 It's me, really 2017-05-23 14:34:55 UTC
Sorry, what really failed (last post) was the creation of the GPG key on RHEL 7.3; see the solution ID in my last post. Apologies for the multiple posts here.

Comment 10 Shawn Wells 2017-10-09 20:25:28 UTC
Bump. Any movement on this? Setting needinfo from Dave Caplan (Satellite Product Mgmt).

Dave - Not sure who to direct the roadmap/status question to. Can you help point in the right direction?

Comment 11 Calvin Smith 2017-10-17 22:34:21 UTC
FYI someone has submitted code upstream to address this issue. 

https://github.com/pulp/pulp_rpm/pull/1065


I know the guy who submitted it and he works for a government customer that is affected by this issue, so any updates or status on this would be helpful.

Comment 12 agilmore2 2017-10-27 16:02:36 UTC
Opened Support case for application to my environment
https://access.redhat.com/support/cases/#/case/01961866

I thought this was a Satellite problem, as the repo_gpgcheck change was done by other tooling.

I encourage this missing feature to be included in Satellite 6.3 if at all possible!

Comment 14 Ashlee Burch 2017-10-30 17:09:08 UTC
Update from Customer:

This has been merged into upstream Pulp.  Relevant commits are:
https://github.com/pulp/pulp_rpm/commit/f73805f626d96596f9ae962ab6d787d2e001f02c
https://github.com/pulp/pulp_rpm/commit/5393773e361ed548b72696652f338b76908429d0
https://github.com/pulp/pulp_rpm/commit/b3e2dd8bd8c43abb4144cc9d7a121fec5e5f5899

With the exception of the documentation changes (which can be excluded), these commits apply cleanly to the Pulp v2.8.7.18 that is used by Satellite v6.2.12.

Any chance of getting these commits backported?

Comment 17 Paul Donohue 2017-12-23 19:12:38 UTC
The attached patches backport these changes to Satellite 6.12.  To use them:

On the Satellite server, run:
  sudo -s
  # Revert repo_gpgcheck.patch if it was previously applied
  yum reinstall pulp-rpm-plugins katello-installer-base
  rm -f /usr/share/katello-installer-base/modules/certs/manifests/repomd_gpg.pp
  # Apply repo_gpgcheck.patch
  cd /
  patch -p1 < ~/repo_gpgcheck.patch
  rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/configuration.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/configuration.pyo
  rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/metadata/repomd.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/metadata/repomd.pyo
  rm -f /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/publish.pyc /usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/publish.pyo
  # Generate GPG key and build a new katello-ca-consumer RPM containing it
  satellite-installer --certs-enable-repomd-gpg=true --certs-repomd-gpg-name='satellite.example.com Repository Metadata Signing Key'
  # Sign existing repository metadata
  sudo -u apache -H -s
  cd /var/lib/pulp/published/yum/master/yum_distributor/
  for d in `ls` ; do pushd $d ; for e in `ls` ; do pushd $e/repomd >/dev/null ; echo $d/$e ; gpg --yes --detach-sign --armor repomd.xml ; popd >/dev/null ; done ; popd >/dev/null ; done
  exit

On each Satellite client, run:
  sudo -s
  # Revert repo_gpgcheck_client.patch if it was previously applied
  yum reinstall subscription-manager
  # Update /etc/rhsm/rhsm.conf
  perl -i -pe 's/baseurl= (.*)/baseurl = \1\n\n# Repository metadata GPG key URL:\nrepomd_gpg_url =/' /etc/rhsm/rhsm.conf
  # Apply repo_gpgcheck_client.patch
  cd /
  patch -p1 < ~/repo_gpgcheck_client.patch
  rm -f /usr/lib/python2.7/site-packages/subscription_manager/managercli.pyc /usr/lib/python2.7/site-packages/subscription_manager/managercli.pyo
  rm -f /usr/lib/python2.7/site-packages/subscription_manager/repolib.pyc /usr/lib/python2.7/site-packages/subscription_manager/repolib.pyo
  # Install the new katello-ca-consumer RPM
  rpm -Uvh http://example.satellite.com/pub/katello-ca-consumer-latest.noarch.rpm
  # Enable repo_gpgcheck
  echo repo_gpgcheck=1 >> /etc/yum.conf

Comment 18 Paul Donohue 2017-12-23 19:14:05 UTC
Created attachment 1371684 [details]
Backported for Satellite 6.12 servers

Comment 19 Paul Donohue 2017-12-23 19:14:30 UTC
Created attachment 1371685 [details]
Backported for Satellite 6.12 clients

Comment 20 Paul Donohue 2017-12-23 19:40:28 UTC
Er, I meant 6.2.12, not 6.12

Comment 21 Paul Donohue 2018-01-05 00:16:22 UTC
Created attachment 1377238 [details]
Backported for Satellite 6.12 clients

Comment 22 Kevin Howell 2018-01-05 20:55:12 UTC
This feature (once fully implemented) definitely needs documentation.

Leaving notes for documentation and/or tests...

`subscription-manager config --rhsm.repomd_gpg_url=${GPG_URL}` as well as setting repo_gpgcheck to 1/true in yum.conf is necessary to get this to have an effect (from the yum/subscription-manager part of things).
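As an added example (not from this thread, subscription-manager or any Red Hat tooling), a small Python audit of the two client-side settings named above, `repo_gpgcheck` in /etc/yum.conf and `repomd_gpg_url` in the `[rhsm]` section of /etc/rhsm/rhsm.conf; it also flags per-repository `repo_gpgcheck` overrides in .repo files, which the STIG's grep of /etc/yum.conf alone would not notice. All file contents are constructed samples.

```python
import configparser

# Values yum treats as "on" for boolean options.
TRUE_VALUES = {"1", "true", "yes", "on"}

def _parse(text):
    """Parse yum/rhsm INI text; strict=False tolerates duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES

def audit(yum_conf, rhsm_conf, repo_files):
    """Return a list of findings; an empty list means the client verifies metadata.

    repo_files maps an /etc/yum.repos.d file name to its contents.
    """
    findings = []
    yum = _parse(yum_conf)
    if not _is_true(yum.get("main", "repo_gpgcheck", fallback=None)):
        findings.append("yum.conf: repo_gpgcheck is not set to 1 in [main]")
    # Per-repository settings override [main], so one .repo file can
    # silently switch metadata verification back off for that repository.
    for fname, text in repo_files.items():
        repos = _parse(text)
        for repo in repos.sections():
            if not _is_true(repos.get(repo, "enabled", fallback="1")):
                continue  # a disabled repository installs nothing
            override = repos.get(repo, "repo_gpgcheck", fallback=None)
            if override is not None and not _is_true(override):
                findings.append(f"{fname}: [{repo}] overrides repo_gpgcheck to {override.strip()}")
    # Without a key URL in rhsm.conf there is no public key for yum to check
    # repomd.xml.asc against (the setting noted in comment 22).
    rhsm = _parse(rhsm_conf)
    if not rhsm.get("rhsm", "repomd_gpg_url", fallback="").strip():
        findings.append("rhsm.conf: repomd_gpg_url is empty or missing in [rhsm]")
    return findings

# Constructed sample files, not captured from a real system.
YUM_CONF_OK = "[main]\ngpgcheck=1\nrepo_gpgcheck=1\ninstallonly_limit=3\n"
YUM_CONF_BAD = "[main]\ngpgcheck=1\n#repo_gpgcheck=1\n"
RHSM_OK = ("[rhsm]\nbaseurl = https://satellite.example.com/pulp/repos\n\n"
           "# Repository metadata GPG key URL:\nrepomd_gpg_url = file:///etc/rhsm/ca/repomd.gpg\n")
RHSM_BAD = "[rhsm]\nbaseurl = https://satellite.example.com/pulp/repos\nrepomd_gpg_url =\n"
REPO_OVERRIDE = {"local.repo": "[local-epel]\nname=Local EPEL\nenabled=1\nrepo_gpgcheck=0\n"}

if __name__ == "__main__":
    for finding in audit(YUM_CONF_BAD, RHSM_BAD, REPO_OVERRIDE):
        print("FINDING:", finding)
```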

Comment 29 Paul Donohue 2018-06-09 04:06:14 UTC
For anyone following along...

These are the relevant client-side (subscription-manager) changes:
https://github.com/candlepin/subscription-manager/commit/8236fefe942e4a32cb2c2565c63b15d3a9464855
https://github.com/candlepin/subscription-manager/commit/3cea0aa0963d87dd8f9c594330fc7167ad468330

These are the relevant server-side (pulp) changes:
https://github.com/pulp/pulp_rpm/commit/f73805f626d96596f9ae962ab6d787d2e001f02c
https://github.com/pulp/pulp_rpm/commit/5393773e361ed548b72696652f338b76908429d0
https://github.com/pulp/pulp_rpm/commit/b3e2dd8bd8c43abb4144cc9d7a121fec5e5f5899

Once the above changes make their way into a released version of Satellite, it will be possible to manually configure this functionality.

I'm still working on automating the configuration and gpg key generation in satellite-installer:
https://github.com/theforeman/puppet-pulp/commit/0829b2f50772fc095717e060dfb2e9c1a6952ec7
https://github.com/theforeman/puppet-certs/pull/188

Comment 31 Mike McCune 2018-06-22 16:10:43 UTC
Paul, appreciate the patches and will work to get these reviewed.

Comment 33 Robin Chan 2018-09-21 14:39:35 UTC
This may be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1531780 
Documentation and katello integration w/ UI changes are required in addition to the pulp changes implemented in https://pulp.plan.io/issues/3055

Comment 34 Paul Donohue 2018-09-26 20:35:08 UTC
1531780 is a duplicate of this bug.  Documentation and integration are implemented in the commits and PRs listed in comments 29 and 30 above.

Comment 35 pulp-infra@redhat.com 2018-10-31 22:32:47 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 36 pulp-infra@redhat.com 2018-10-31 22:33:02 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 37 pulp-infra@redhat.com 2018-10-31 23:02:39 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 38 Brad Buckingham 2018-11-06 20:48:59 UTC
*** Bug 1531780 has been marked as a duplicate of this bug. ***

Comment 39 Brad Buckingham 2018-11-06 20:53:19 UTC
Closed bug 1531780 as a duplicate of this one.

That bug does denote additional changes that are needed; however, they may have been addressed above.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1531780#c12

Comment 40 Brad Buckingham 2018-11-06 20:54:53 UTC
Moving back to 'NEW', changes beyond pulp are required.

Comment 41 pulp-infra@redhat.com 2018-11-06 21:02:49 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 42 Daniel Alley 2019-05-13 15:14:23 UTC
It looks like pulp-infra bot marked this BZ as POST improperly in comment #41 despite non-Pulp changes being required (comment #40).

Changing back to NEW.

Comment 48 jspringe 2019-08-28 15:11:15 UTC
Hello all. Just checking in on any updates regarding this request.

Thanks!
Josh

Comment 51 tankri01 2019-10-09 07:36:58 UTC
Also curious on the status of this issue.

Comment 53 Paul Donohue 2019-10-24 23:56:07 UTC
Status update:
The server-side changes in pulp are in Satellite 6.5 and later, and the client-side changes in subscription-manager are in 1.21.1 and later.
However, the server-side changes in satellite-installer still haven't been accepted upstream, and I haven't heard anything from the satellite-installer maintainers in over a year, so they seem to have forgotten about this.
See https://github.com/theforeman/puppet-pulp/pull/322 and https://github.com/theforeman/puppet-certs/pull/188 for the most recent discussions about the satellite-installer changes.

I haven't upgraded to Satellite 6.5 yet myself, but when I do that, I will try to remember to post updated instructions and an updated server-side patch for satellite-installer (similar to comment #17 above).

Comment 54 Paul Donohue 2019-11-20 01:05:23 UTC
Manual setup instructions on Satellite 6.5:

On the Satellite server, run:
  sudo -u apache -H -s
  # Generate GPG key
  gpg --gen-key
  # Use the default "RSA and RSA", "2048" bits, and "key does not expire"
  # values, and simply press "Enter" when prompted for a password.
  # "Repository Metadata Signing Key" is an appropriate real name.
  # Email address and comment can be left blank.
  gpg --armor --export --output /usr/share/httpd/.gnupg/repomd.gpg
  # Sign existing repository metadata
  cd /var/lib/pulp/published/yum/master/yum_distributor/
  for d1 in * ; do ( cd $d1 ; for d2 in * ; do ( cd $d2/repomd ; echo $d1/$d2 ; gpg --yes --detach-sign --armor repomd.xml ) ; done ) ; done
  exit
  sudo -s
  # Configure Pulp
  grep gpg_sign_metadata /etc/pulp/server/plugins.conf.d/yum_importer.json \
   || perl -i -0777 -pe 's/(max_speed.*?),?$/\1,\n\n    "gpg_sign_metadata": false/m' /etc/pulp/server/plugins.conf.d/yum_importer.json
  exit

Grab /usr/share/httpd/.gnupg/repomd.gpg from the Satellite server and deploy it to /etc/rhsm/ca/repomd.gpg on each Satellite client.

On each Satellite client, run:
  sudo -s
  # Update /etc/rhsm/rhsm.conf
  grep '^\s*repomd_gpg_url' /etc/rhsm/rhsm.conf \
   && perl -i -pe 's!repomd_gpg_url.*$!repomd_gpg_url = file:///etc/rhsm/ca/repomd.gpg!' /etc/rhsm/rhsm.conf
  grep '^\s*repomd_gpg_url' /etc/rhsm/rhsm.conf \
   || perl -i -pe 's!baseurl= (.*)!baseurl = \1\n\n# Repository metadata GPG key URL:\nrepomd_gpg_url = file:///etc/rhsm/ca/repomd.gpg!' /etc/rhsm/rhsm.conf
  # Update /etc/yum.conf
  grep '^\s*repo_gpgcheck' /etc/yum.conf \
   && perl -i -pe 's/repo_gpgcheck.*$/repo_gpgcheck=1/' /etc/yum.conf
  grep '^\s*repo_gpgcheck' /etc/yum.conf \
   || echo repo_gpgcheck=1 >> /etc/yum.conf
  exit

Eventually (if my remaining pull requests are merged), `satellite-installer` will handle all of the Satellite server setup automatically, and the katello-ca-consumer RPM will handle repomd.gpg file deployment and rhsm.conf configuration automatically on Satellite clients, so the only manual configuration will be the repo_gpgcheck=1 setting in /etc/yum.conf.

Comment 55 Paul Donohue 2019-11-20 01:07:01 UTC
Oops ... '"gpg_sign_metadata": false' should be '"gpg_sign_metadata": true'

