Missing GPG key on CentOS 7 packages?


Andrew Alles

Apr 6, 2017, 6:21:20 PM
to Phusion Passenger Discussions
Hi folks,
I've just tried installing Passenger 5.1.2 via yum on a CentOS 7 system, and yum is griping that the packages are missing signatures. Has something gone awry with my Yum keyring or is something up with the repo? 

yumdownloader passenger 
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package passenger-5.1.2-1.el7.x86_64.rpm is not signed      0% [                                                  ]  0.0 B/s |    0 B  --:--:-- ETA
passenger-5.1.2-1.el7.x86_64.rpm

I don't think it's my system, because when I pull down an RPM manually with wget and try inspecting the metadata I can't find a signature on it. 

rpm -qp passenger-5.0.10-8.el7.x86_64.rpm --qf "%{SIGPGP} %{PUBKEYS} %{SIGGPG}\n"
(none) (none) (none)

Anything else I can try?

Daniel Knoppel

Apr 7, 2017, 3:55:58 AM
to Phusion Passenger Discussions
Are you using official Phusion packages?


- Daniel

Andrew Alles

Apr 7, 2017, 1:45:50 PM
to Phusion Passenger Discussions
I think so, here's the .repo I use:
[passenger]
name=passenger
repo_gpgcheck=1
gpgcheck=0
enabled=1
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

[passenger-source]
name=passenger-source
repo_gpgcheck=1
gpgcheck=0
enabled=1
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

Daniel Knoppel

Apr 10, 2017, 3:49:13 AM
to Phusion Passenger Discussions
Actually, why don't you use -K for signature verification? It succeeds here:

rpm -K passenger-5.1.2-1.el7.x86_64.rpm 
passenger-5.1.2-1.el7.x86_64.rpm: sha1 md5 OK

- Daniel

Tommy McNeely

Apr 13, 2017, 11:13:11 PM
to Phusion Passenger Discussions
You are missing the PGP signature. It was there previously, for example passenger-4.0.53-4.el7.x86_64 and mod_passenger-4.0.53-4.el7.x86_64.

# rpm -K passenger-4.0.53-4.el7.x86_64.rpm
passenger-4.0.53-4.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm -K mod_passenger-4.0.53-4.el7.x86_64.rpm
mod_passenger-4.0.53-4.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK


Perhaps something happened between the 4.x and the 5.x build scripts where the gpg commands were missed? Commented for whatever reason?

~tommy
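
How to tell apart the two kinds of `rpm -K` result quoted in this thread, as an added example that is not part of any poster's message or of Phusion's tooling: `sha1 md5 OK` means only the integrity digests matched, while `rsa`/`pgp` tags mean a signature was verified. The function names are hypothetical, and the `digests signatures OK` form handled for newer rpm releases goes beyond the output shown here.

```sh
#!/bin/sh
# Added example: interpret `rpm -K` result lines (function names are hypothetical).

# Print signed | digest-only | failed | unknown for one `rpm -K` output line.
classify_rpm_k() {
    result=${1#*: }                      # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*) echo failed; return 0 ;;   # bad digest/signature or missing key
        *OK) ;;
        *) echo unknown; return 0 ;;
    esac
    # Normalise case and drop the parentheses older rpm puts around some tags.
    for tag in $(printf '%s' "$result" | tr 'A-Z' 'a-z' | tr -d '()'); do
        case $tag in
            # rsa/dsa/pgp/gpg: signature tags in older rpm output;
            # "signatures": summary word printed by newer rpm releases.
            rsa|dsa|pgp|gpg|signatures) echo signed; return 0 ;;
        esac
    done
    echo digest-only                     # only integrity digests were verified
}

# Read `rpm -K` output on stdin, print "<verdict> <file>" per line,
# and return 1 if any package lacks a verified signature.
audit_rpm_k() {
    rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        verdict=$(classify_rpm_k "$entry")
        printf '%-12s %s\n' "$verdict" "${entry%%:*}"
        [ "$verdict" = signed ] || rc=1
    done
    return "$rc"
}

# Sample input: the three result lines quoted in this thread.
audit_rpm_k <<'EOF' || echo "at least one package has no verified signature"
passenger-5.1.2-1.el7.x86_64.rpm: sha1 md5 OK
passenger-4.0.53-4.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
mod_passenger-4.0.53-4.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
EOF
```
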

Daniel Knoppel

Apr 18, 2017, 12:47:49 PM
to Phusion Passenger Discussions
Hi Tommy, are those RPMs from Phusion? We introduced RPMs in 2015, and 4.0.53 is from 2014.

AFAIK our RPMs have never been signed with embedded signatures.

- Daniel

Tommy McNeely

Apr 18, 2017, 4:37:30 PM
to Phusion Passenger Discussions
Hi Daniel,

Sorry for my mistake. Apparently, the "puppetlabs-apache" module installed "passenger" from EPEL before we were able to get your repository added, and I only noticed the issue when we tried to do updates. The repository name may be slightly off because we mirror it internally using pulp, but EPEL was where we got 4.0.53 from. I still think the RPMs should be GPG signed, as per my previous reply, but it was my mistake thinking that 4.0.53 was produced by Phusion. :)

# yum info passenger
Loaded plugins: fastestmirror
Trying other mirror.
Loading mirror speeds from cached hostfile
Installed Packages
Name        : passenger
Arch        : x86_64
Version     : 4.0.53
Release     : 4.el7
Size        : 5.9 M
Repo        : installed
From repo   : centos-7-x86_64-epel
Summary     : Phusion Passenger application server
URL         : https://www.phusionpassenger.com
License     : Boost and BSD and BSD with advertising and MIT and zlib
Description : Phusion Passenger® is a web server and application server, designed to be fast,
            : robust and lightweight. It takes a lot of complexity out of deploying web apps,
            : adds powerful enterprise-grade features that are useful in production,
            : and makes administration much easier and less complex. It supports Ruby,
            : Python, Node.js and Meteor.

Available Packages
Name        : passenger
Arch        : x86_64
Version     : 5.1.2
Release     : 1.el7
Size        : 1.7 M
Repo        : passenger-centos7-x86_64
Summary     : Phusion Passenger application server
URL         : https://www.phusionpassenger.com
License     : Boost and BSD and BSD with advertising and MIT and zlib
Description : Phusion Passenger® is a web server and application server, designed to be fast,
            : robust and lightweight. It takes a lot of complexity out of deploying web apps,
            : adds powerful enterprise-grade features that are useful in production,
            : and makes administratio

~tommy

Andrew Alles

Apr 18, 2017, 4:44:43 PM
to Phusion Passenger Discussions
D'oh, that is indeed what happened to me too. (But I think packages should be signed too ;) ) 

Hongli Lai

Apr 19, 2017, 3:27:10 AM
to phusion-passenger
Duly noted w.r.t. that you guys think packages (not just the
repository) should be signed too. :)


--
Phusion B.V. | Web Application deployment, scaling, and monitoring solutions

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 63501007 (The Netherlands)