-
Sub-task
-
Resolution: Done
-
Major
-
None
-
None
-
False
-
False
-
-
0
-
2024-R2
-
Testable
The parent issue RHELC-601 has the label that triggered autocreation of this subtask to track the relative story point estimation for the integration test part of the issue.
The parent issue description at the time of creation of this issue was:
The packages we download from the ubi repos for subscription-manager are not being gpg checked. This is because the tools we use at various points in the process do not (or cannot) perform checking.
- We download the packages with yumdownloader. yumdownloader could perform checking but does not. I believe this is because yumdownloader does not open the rpm file at all, it only looks at the yum repomd to determine which rpm file on the server corresponds with the package name we specify and then it retrieves that file.
- We install the downloaded rpm packages with yum or dnf. Yum and dnf will complain if a package is signed with a key it knows about but the signature is invalid (example: someone has taken a properly signed package and tampered with the payload) but they won't complain if the local package file is not signed at all or is signed with an unknown key.
- We import the redhat releases gpg key. This is also the gpg key used for signing ubi packages. Merely importing the gpg key does nothing to check packages. Importing this key at this stage is for use with the RHEL packages we retrieve from the subscription-manager configured repositories.
To remedy this, we should switch to using dnf install directly from the dnf ubi repository instead of downloading the packages first and then doing a local install with dnf.
Note: We decided not to do it in the following way:
To remedy this, we should insert a new step prior to installing the packages. We should run rpm --checksig on the rpm package files to make sure their gpg signatures are valid. If any signature is invalid, we need to fail the conversion because the package may be malicious.
This is not easily exploitable since we are using https URLs for the UBI repos. So an attacker would have to gain access to our CDN and upload malicious packages there in order to exploit us. However, doing gpg checking in addition to using https is part of a defense in depth strategy so we should add it to make us more resistant to attacks.
The related bugzilla issue: https://bugzilla.redhat.com/show_bug.cgi?id=2086827
Acceptance criteria:
- we use dnf to install subscription-manager directly from the dnf ubi repository instead of downloading the packages first and then doing a local install with dnf
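The description above names two approaches: the rejected one (run rpm --checksig on the downloaded files before the local install) and the chosen one (install from the gpgcheck-enabled repository so dnf verifies the signature itself). The following is an added example, not convert2rhel code, showing the pitfall in the rejected approach that a practitioner would hit: rpm -K exits 0 for a package that carries no signature at all, so checking only the exit status reproduces exactly the gap the parent issue describes. The output formats in the comments, the sample lines and the repo stanza are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the convert2rhel project): deciding whether
# `rpm --checksig` (rpm -K) actually proved a valid signature.
#
# rpm -K exits 0 for an UNSIGNED package (it only reports "digests OK"), so
# `rpm -K "$f" || fail` lets an unsigned package through, which is the same
# gap the issue describes for a local dnf install. A package is accepted only
# when rpm says both digests and signatures verified.
#
# Output lines assumed for this example (rpm >= 4.14, without -v):
#   signed by an imported key:   pkg.rpm: digests signatures OK
#   unsigned:                    pkg.rpm: digests OK
#   signed by an unknown key:    pkg.rpm: digests SIGNATURES NOT OK
#   digest or signature failure: pkg.rpm: DIGESTS SIGNATURES NOT OK
# Older rpm (assumed format):    pkg.rpm: rsa sha1 (md5) pgp md5 OK
#   unsigned on older rpm:       pkg.rpm: sha1 md5 OK

# checksig_line_ok LINE -> 0 only if LINE proves a valid signature from a known key
checksig_line_ok() {
    case "$1" in
        *"digests signatures OK")
            return 0 ;;                       # modern rpm, signature verified
        *" pgp "*" OK"|*" gpg "*" OK")        # older rpm: a pgp/gpg signature was checked
            case "$1" in *"NOT OK"*) return 1 ;; esac
            return 0 ;;
        *)
            return 1 ;;                       # unsigned, unknown key, or tampered
    esac
}

# verify_rpm FILE -> 0 only if rpm -K reports a valid, known-key signature.
verify_rpm() {
    out=$(rpm --checksig "$1" 2>&1) || return 1
    checksig_line_ok "$out"
}

# verify_all FILE... -> fail the whole step on the first package that does not verify,
# which is what the conversion would have to do before a local `dnf install ./*.rpm`.
verify_all() {
    for f in "$@"; do
        if ! verify_rpm "$f"; then
            echo "refusing to install $f: gpg signature check failed" >&2
            return 1
        fi
    done
    return 0
}

# ubi_repo_stanza NAME BASEURL KEYFILE -> the chosen approach: let dnf verify the
# signature itself by installing from a gpgcheck-enabled repo definition.
# BASEURL and KEYFILE are parameters here; the real UBI URL and key path are not
# assumed by this example.
ubi_repo_stanza() {
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=file://%s\n' \
        "$1" "$1" "$2" "$3"
}

# Usage (assumed layout): write the stanza to /etc/yum.repos.d and then
#   dnf --repo "$name" install subscription-manager
# instead of yumdownloader followed by `dnf install ./subscription-manager*.rpm`.
```

The `ubi_repo_stanza` output is the piece that matters for the acceptance criterion: with `gpgcheck=1` and a `gpgkey`, dnf refuses an unsigned package or one signed by a key it has not imported, which a local file install does not do.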