- Bug
- Resolution: Done
- Blocker
- None
- False
- False
- 5
- 2024-R2
The packages we download from the UBI repos for subscription-manager are not being GPG-checked. This is because the tools we use at various points in the process do not (or cannot) perform checking.
- We download the packages with yumdownloader. yumdownloader could perform checking but does not. I believe this is because yumdownloader does not open the rpm file at all; it only looks at the yum repomd to determine which rpm file on the server corresponds with the package name we specify and then it retrieves that file.
- We install the downloaded rpm packages with yum or dnf. Yum and dnf will complain if a package is signed with a key they know about but the signature is invalid (example: someone has taken a properly signed package and tampered with the payload), but they won't complain if the local package file is not signed at all or is signed with an unknown key.
- We import the redhat-release GPG key. This is also the GPG key used for signing UBI packages. Merely importing the GPG key does nothing to check packages. Importing this key at this stage is for use with the RHEL packages we retrieve from the subscription-manager configured repositories.
To remedy this, we should switch to using dnf install directly from the dnf ubi repository instead of downloading the packages first and then doing a local install with dnf.
Note: We decided not to do it in the following way:
To remedy this, we should insert a new step prior to installing the packages. We should run rpm --checksig on the rpm package files to make sure their gpg signatures are valid. If any signature is invalid, we need to fail the conversion because the package may be malicious.
This is not easily exploitable since we are using https URLs for the UBI repos. So an attacker would have to gain access to our CDN and upload malicious packages there in order to exploit us. However, doing gpg checking in addition to using https is part of a defense in depth strategy so we should add it to make us more resistant to attacks.
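As an added example (not convert2rhel's own code), this is the check the rejected `rpm --checksig` step would have needed: a classifier for `rpm -Kv` (checksig, verbose) output that fails the conversion not only on a bad signature but also on the two cases the description says yum/dnf accept silently for a local file, an unsigned package and a package signed by a key that is not in the rpm keyring. The per-check line format is assumed from rpm 4.14-style verbose output, the sample outputs are constructed rather than captured, and the key IDs are placeholders.

```python
"""Classify `rpm -Kv` output so that unsigned and unknown-key packages are
rejected, not only packages whose signature fails to verify."""
import re
import subprocess
from enum import Enum


class Verdict(Enum):
    SIGNED_OK = "signed with a key in the rpm keyring, signature valid"
    UNSIGNED = "no signature at all, digests only"
    UNKNOWN_KEY = "signed, but the key is not imported (NOKEY/NOTTRUSTED)"
    BAD = "a signature or digest check failed"


# rpm -Kv prints one indented result line per check (format assumed from
# rpm 4.14-style output), e.g.
#   "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK"
#   "    Payload SHA256 digest: OK"
_SIG_LINE = re.compile(r"^\s+.*\bSignature\b.*:\s*(\S+)\s*$")
_DIGEST_LINE = re.compile(r"^\s+.*\bdigest\b.*:\s*(\S+)\s*$", re.IGNORECASE)


def classify(checksig_output: str) -> Verdict:
    """Map the verbose output for ONE package to a verdict.

    Priority: any failed digest or signature check -> BAD; a signature by a
    key rpm does not have -> UNKNOWN_KEY; no signature lines -> UNSIGNED;
    otherwise SIGNED_OK. Only SIGNED_OK may proceed.
    """
    sig_statuses, digest_statuses = [], []
    for line in checksig_output.splitlines():
        m = _SIG_LINE.match(line)
        if m:
            sig_statuses.append(m.group(1))
            continue
        m = _DIGEST_LINE.match(line)
        if m:
            digest_statuses.append(m.group(1))

    if any(s != "OK" for s in digest_statuses):
        return Verdict.BAD
    if any(s not in ("OK", "NOKEY", "NOTTRUSTED") for s in sig_statuses):
        return Verdict.BAD
    if any(s in ("NOKEY", "NOTTRUSTED") for s in sig_statuses):
        return Verdict.UNKNOWN_KEY
    if not sig_statuses:
        return Verdict.UNSIGNED
    return Verdict.SIGNED_OK


def rejected(outputs: dict) -> list:
    """Packages that must fail the conversion: everything that is not a valid
    signature from a known key, sorted for stable reporting."""
    return sorted(name for name, out in outputs.items()
                  if classify(out) is not Verdict.SIGNED_OK)


def run_checksig(rpm_path: str) -> str:
    """Run the real check (not exercised offline). `rpm -Kv` is
    --checksig --verbose. Its exit status alone is not enough: it is 0 for
    an unsigned package, which is exactly the gap described above."""
    return subprocess.run(["rpm", "-Kv", rpm_path], capture_output=True,
                          text=True, check=False).stdout


# Constructed sample outputs (not captured from real packages); the key IDs
# 0123abcd and deadbeef are placeholders.
SAMPLES = {
    "signed.rpm": (
        "signed.rpm:\n"
        "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK\n"
        "    Header SHA256 digest: OK\n"
        "    Payload SHA256 digest: OK\n"
        "    V4 RSA/SHA256 Signature, key ID 0123abcd: OK\n"
        "    MD5 digest: OK\n"
    ),
    "unsigned.rpm": (
        "unsigned.rpm:\n"
        "    Header SHA256 digest: OK\n"
        "    Payload SHA256 digest: OK\n"
        "    MD5 digest: OK\n"
    ),
    "unknown-key.rpm": (
        "unknown-key.rpm:\n"
        "    Header V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY\n"
        "    Payload SHA256 digest: OK\n"
        "    V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY\n"
        "    MD5 digest: OK\n"
    ),
    "tampered.rpm": (
        "tampered.rpm:\n"
        "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK\n"
        "    Payload SHA256 digest: BAD\n"
        "    V4 RSA/SHA256 Signature, key ID 0123abcd: BAD\n"
        "    MD5 digest: BAD\n"
    ),
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: {classify(out).name}")
    print("reject:", rejected(SAMPLES))
```

The point of the classifier is the UNSIGNED and UNKNOWN_KEY branches: a check that only fails on BAD reproduces the gap in the local-install path. The remedy actually chosen moves this decision into dnf by installing from the repository with gpgcheck=1, where dnf itself refuses a package that is unsigned or signed by a key it has not imported.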
The related bugzilla issue: https://bugzilla.redhat.com/show_bug.cgi?id=2086827
Acceptance criteria:
- We use dnf to install subscription-manager directly from the https://ftp.redhat.com/redhat/client-tools/ repositories (RHELDST-18254) instead of downloading the packages first and then doing a local install with dnf
- The use of the new public client-tools repository brings an important improvement - we now have access to sub-man package versions corresponding to specific RHEL minor versions. That was not the case with UBI - there we had access only to the latest version for the particular RHEL major version. With this we shall remove some of the workarounds for errors that stemmed from us installing versions of sub-man intended for a different RHEL minor version:
- is depended on by
  - RHELC-1313 convert2rhel to not register a system to Satellite (Closed)
- is related to
  - RHELC-600 Set gpgcheck=1 for ubi and centos6 repos (Closed)
  - RHELC-267 Don't require pre-downloading katello rpm (Closed)
- links to
  - RHEA-2024:132672 convert2rhel bug fix and enhancement update
  - RHEA-2024:132673 convert2rhel bug fix and enhancement update