Linux installation with perl script fails on Red Hat family distributions with localpkg_gpgcheck enabled in /etc/dnf/dnf.conf

[PlqnK]

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

The glpi-agent RPM packages are not signed, but the perl installation script doesn't pass the --nogpgcheck flag to dnf when trying to install it, making dnf fail on installs where localpkg_gpgcheck = 1 has been configured in /etc/dnf/dnf.conf or /etc/yum.conf.

I'm not sure if localpkg_gpgcheck being true is the default on RHEL/CentOS Stream 9, but at least with the ANSSI-BP-028 minimal SCAP profile applied it is set (see https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-anssi_bp28_minimal.html#xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages).

To reproduce

1. Get a RHEL/CentOS Stream 9 machine running
2. Add localpkg_gpgcheck = 1 in /etc/dnf/dnf.conf
3. Download the latest published linux perl installation script
4. Execute it with perl glpi-agent-X.X-linux-installer.pl
5. Watch dnf refuse to install the downloaded RPM because the signature is missing

Expected behavior

dnf should not fail to install the downloaded glpi-agent RPM.

The RPM should ideally be signed and the perl script should import the RPM public signing key, but it may not be feasible in the foreseeable future so instead you could add the --nogpgcheck flag to the dnf install command here

glpi-agent/contrib/unix/installer/RpmDistro.pm

Line 139 in 77f7cdd

$self->{_dnf} ? "dnf -y install @rpms" : "";

like it’s done with the openSUSE installation --allow-unsigned-rpm just above.

Operating system

Linux

GLPI Agent version

v1.11

GLPI version

Not applicable

GLPIInventory plugin or other plugin version

Not applicable

Additional context

No response

[g-bougard]

Hi @PlqnK

the question has still been discussed in this discussion: #723

To me, it's a bad idea to add --nogpgcheck as this will prevent also this check on dependencies even where it's not a problem.

But maybe adding --setopt=localpkg_gpgcheck=0 can work.

[g-bougard]

I confirm this works. You can modify the installer this way:

sed -ie 's/dnf -y install/dnf -y install --setopt=localpkg_gpgcheck=0/' glpi-agent-1.11-linux-installer.pl

[PlqnK]

Hi!

Sorry for taking so much time to respond.

the question has still been discussed in this discussion: #723

It didn't cross my mind to search in the discussions tab, I'll remember to do it next time!

I confirm this works. You can modify the installer this way:

sed -ie 's/dnf -y install/dnf -y install --setopt=localpkg_gpgcheck=0/' glpi-agent-1.11-linux-installer.pl

I ended up implementing it and it works as expected! Maybe it would be a good idea to set it as default in your installer like you already do for zypper?

glpi-agent/contrib/unix/installer/RpmDistro.pm

Line 138 in 77f7cdd

$self->{_zypper} ? "zypper -n install -y --allow-unsigned-rpm @rpms" :