On the security topic, just figured I would share here, as it does go into the whole, "make sure your code is signed, and end users don't bypass the security checks".

https://www.darkreading.com/attacks-breaches/cisa-zoho-manageengine-rce-bug-under-active-exploit


Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)

From: Troy Dawson <tdawson@redhat.com>
Sent: Monday, September 26, 2022 12:41 PM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error
 
That is a very good point.
I think the following are better steps:
  rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
  dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Troy
On Mon, Sep 26, 2022 at 10:28 AM Nick Jahn <nick.jahn@hotmail.com> wrote:
Wouldn't it be a better option to show in the documentation how to download and install the GPG key first, so you don't have to use the nogpgcheck option? Security people like secure options better. 😉

Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)

From: Troy Dawson <tdawson@redhat.com>
Sent: Monday, September 26, 2022 11:46 AM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error
 
I was able to reproduce the error.
If you do a RHEL install, and select a security profile, it will automatically turn on gpg checking for everything.[1]
You then get the error you were showing.

To get around this, you need to add the --nogpgcheck option:

  dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Thank you for letting us know.  We'll be sure to update the documentation.

Troy



On Mon, Sep 26, 2022 at 7:25 AM Nick Jahn <nick.jahn@hotmail.com> wrote:
I will wipe out this VM, and re-install RHEL 9 and see if it happens again. I already know it isn't security based issues, as none of my systems caught anything (I'm a Security Architect), and I was able to download the GPG key using WGET, and install it using RPM --import.

I'm fairly certain the issue was that the GPG key was not getting deployed. 

Nicholas Jahn
IT professional
A.S. Network Specialist (www.madisoncollege.edu)

From: Stephen Smoogen <ssmoogen@redhat.com>
Sent: Monday, September 26, 2022 8:59 AM
To: EPEL Development List <epel-devel@lists.fedoraproject.org>
Subject: [EPEL-devel] Re: EPEL RHEL 9 mirror error
 


On Mon, 26 Sept 2022 at 09:31, Nick Jahn <nick.jahn@hotmail.com> wrote:
Tried that, still getting GPG check FAILED. It seems that the security key is not getting deployed correctly.

I manually went to the EPEL repo path https://dl.fedoraproject.org/pub/epel/ and found the EPEL 9 Key, downloaded it and installed the key, and now the connection is working. The reason I reached out in the first place was to let you know that the deployment was not working as designed, as I know the EPEL Key is supposed to download and install when you perform the installation of the REPO (which was not happening). This needs to be fixed or you need to update the documentation to let others know that they need to download and install the RPM GPG KEY for EPEL 9 before using the rest of the guide......


OK I am doing a retest of the instructions with a fresh Alma 9 install. 
I have installed it with minimal functionality and done a `dnf update` to get it up to the latest packages. 
Then I have rebooted it and done the following commands:
```
[root@localhost ~]# sudo dnf config-manager --set-enabled crb
[root@localhost ~]# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
AlmaLinux 9 - CRB                                                                                                                                             3.3 MB/s | 2.5 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Mon 26 Sep 2022 09:52:47 AM EDT.
epel-release-latest-9.noarch.rpm                                                                                                                              124 kB/s |  18 kB     00:00    
Dependencies resolved.
==============================================================================================================================================================================================
 Package                                         Architecture                              Version                                      Repository                                       Size
==============================================================================================================================================================================================
Installing:
 epel-release                                    noarch                                    9-4.el9                                      @commandline                                     18 k

Transaction Summary
==============================================================================================================================================================================================
Install  1 Package

Total size: 18 k
Installed size: 25 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                      1/1
  Installing       : epel-release-9-4.el9.noarch                                                                                                                                          1/1
  Running scriptlet: epel-release-9-4.el9.noarch                                                                                                                                          1/1
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.

  Verifying        : epel-release-9-4.el9.noarch                                                                                                                                          1/1

Installed:
  epel-release-9-4.el9.noarch                                                                                                                                                                

Complete!
[root@localhost ~]# dnf install screen
Last metadata expiration check: 0:00:21 ago on Mon 26 Sep 2022 09:53:52 AM EDT.
Dependencies resolved.
=========================================================================================================
 Package                                      Architecture                                 Version                                           Repository                                  Size
=========================================================================================================
Installing:
 screen                                       x86_64                                       4.8.0-6.el9                                       epel                                       649 k

Transaction Summary
======================================================================================================
Install  1 Package

Total download size: 649 k
Installed size: 957 k
Is this ok [y/N]: y
Downloading Packages:
screen-4.8.0-6.el9.x86_64.rpm                                                                                                                                 1.8 MB/s | 649 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         1.2 MB/s | 649 kB     00:00    
Extra Packages for Enterprise Linux 9 - x86_64                                                                                                                1.6 MB/s | 1.6 kB     00:00    
Importing GPG key 0x3228467C:
 Userid     : "Fedora (epel9) <epel@fedoraproject.org>"
 Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                      1/1
  Running scriptlet: screen-4.8.0-6.el9.x86_64                                                                                                                                            1/1
  Installing       : screen-4.8.0-6.el9.x86_64                                                                                                                                            1/1
  Running scriptlet: screen-4.8.0-6.el9.x86_64                                                                                                                                            1/1
  Verifying        : screen-4.8.0-6.el9.x86_64                                                                                                                                            1/1

Installed:
  screen-4.8.0-6.el9.x86_64                                                                                                                                                                  

Complete!
```
So the instructions as printed work, if everything else works fine. However, it is clear that something did not work for your system, but I am not sure how to pinpoint what it is for better documentation. If you can repeat the problem and see what difference in install from what I tried is, we can better do this.

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
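
The key-first install suggested in this thread, extended with a fingerprint check before `rpm --import`; this is an added example, not code from the thread or from the EPEL project. The expected fingerprint is the one dnf printed in the transcript above; the function names and the sample colon listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pin the EPEL 9 key to a known fingerprint before importing it.
# EXPECTED_FPR is the fingerprint dnf displayed in the thread's transcript.
EXPECTED_FPR="FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C"

# Constructed sample of `gpg --show-keys --with-colons` output (not captured).
SAMPLE_LISTING='pub:-:4096:1:8A3872BF3228467C:0:::-:::scSC:
fpr:::::::::FF8AD1344597106ECE813B918A3872BF3228467C:
uid:-::::0::::Fedora (epel9) <epel@fedoraproject.org>:'

# Remove whitespace and uppercase, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Colon listing on stdin -> fingerprint of each primary key (subkeys skipped).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and it matches $1.
# A file that bundles an extra key is rejected: rpm --import can take them all.
key_is_expected() {
    local fprs count
    fprs="$(primary_fprs)"
    count="$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')"
    [ "$count" -eq 1 ] && [ "$(normalize_fpr "$fprs")" = "$(normalize_fpr "$1")" ]
}

# Hypothetical wrapper around the two commands from the thread (run as root).
install_epel_verified() {
    local base="https://dl.fedoraproject.org/pub/epel" key rc=1
    key="$(mktemp)" || return 1
    if curl -fsSL -o "$key" "$base/RPM-GPG-KEY-EPEL-9" &&
       gpg --show-keys --with-colons "$key" | key_is_expected "$EXPECTED_FPR"
    then
        rpm --import "$key" &&
            dnf install "$base/epel-release-latest-9.noarch.rpm"
        rc=$?
    else
        echo "EPEL key missing or fingerprint mismatch; nothing imported" >&2
    fi
    rm -f "$key"
    return "$rc"
}
```

With the key pinned and imported this way, the `epel-release` package is signature-checked on install and `--nogpgcheck` is not needed.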