[SERVER-26620] mongodb-org-*-3.2.10 rpms are unsigned Created: 13/Oct/16  Updated: 05/Apr/17  Resolved: 17/Oct/16

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: 3.2.10
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Dan Locks Assignee: Sam Kleinman (Inactive)
Resolution: Done Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

from a centos 7 machine:
1. yum install mongodb-org-server-3.2.10
2. see the message "Package mongodb-org-tools-3.2.10-1.el7.x86_64.rpm is not signed"

Sprint: Evergreen 2016-10-31
Participants:

 Description   

The rpms for mongodb-org-server-3.2.10 and mongodb-org-tools-3.2.10 available from https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/ for centos7 (el7, I think is the $releasever) are not signed. Perhaps the other packages as well, I did not check.

The easy workaround is to add --nocheckgpg to the yum command, but that's insecure. Paranoia! Run!



 Comments   
Comment by Elias Elmqvist Wulcan [ 18/Oct/16 ]

Thank you!

Comment by Sam Kleinman (Inactive) [ 17/Oct/16 ]

Sorry for the confusion.

I just repro'd this issue on RHEL7, it looks like the unsigned package was only in the 7 repo and not in the 7Server repository that I had been testing previously, and had been consistent with previous reports.

Although I haven't tested this extensively on CentOS, I think the difference stems from the expansion of $releasever, being different on some CentOS and our RHEL test images, but I haven't explored this extensively. Regardless, I was able to rebuild the /7/ repository and have verified that the packages are now signed.

Regards,
sam

Comment by Ramon Fernandez Marina [ 17/Oct/16 ]

e, we've been able to reproduce this issue on a different repo, so I've reopened the ticket. Apologies for the inconvenience.

Comment by Elias Elmqvist Wulcan [ 17/Oct/16 ]

The issue persists at 2016-10-17T09 CEST

Comment by Sam Kleinman (Inactive) [ 14/Oct/16 ]

Hi Dan,

I've attempted to reproduce this issue without any success. For a little background there was a bug (MAKE-106) that caused us to miss some errors around package signing. I've pushed a fix to this (SERVER-25961) to all branches and have rebuilt the Red Hat 7.0 community build repository for 3.2, which appears to be the only repository where this bug manifested. The error you reported reflects a state of the repository from some time during this error or the resulting rebuild, which has/had been (as near as I can tell) cached by the CDN that supports the package repositories. Given this, I expect that the issue has already resolved, or will shortly resolve.

I'm going to go ahead and close this issue, but if this issue persists, please let us know.

Cheers,
sam
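
Added example, not part of the ticket and not MongoDB's build tooling: a pre-publish gate of the kind that catches missed signing errors like the ones described above, by classifying `rpm -K` (`rpm --checksig`) output and failing when any package is unsigned or unverifiable. The output formats are the ones assumed for rpm 4.11 (el7) and newer rpm; the sample lines, the `example-*` file names and the key id are constructed.

```shell
#!/bin/sh
# Added example. Classify one line of `rpm -K` (rpm --checksig) output as
# signed, unsigned or failed. Assumed formats: rpm 4.11 (el7) lists each
# check ("rsa sha1 (md5) pgp md5 OK"); newer rpm prints "digests signatures OK".
classify_checksig() {
    status=${1#*: }                            # text after "<file>: "
    case "$status" in
        *"NOT OK"*) echo failed; return 0 ;;   # bad digest or missing key
        *OK) ;;
        *) echo failed; return 0 ;;            # unrecognised line: fail closed
    esac
    lc=$(printf '%s' "$status" | tr '[:upper:]' '[:lower:]')
    case " $lc " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) echo signed ;;
        *) echo unsigned ;;                    # digests only, no signature
    esac
}

# Read `rpm -K` output on stdin and print "<verdict> <file>" for every package
# that is not verifiably signed. Returns 1 if any was seen, to gate a publish step.
report_unverified() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        if [ "$verdict" != signed ]; then
            printf '%s %s\n' "$verdict" "${line%%: *}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample output; the example-* names and key id are placeholders.
sample_checksig_output() {
    cat <<'EOF'
example-signed-1.0-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
mongodb-org-tools-3.2.10-1.el7.x86_64.rpm: sha1 md5 OK
example-signed-1.0-1.el8.x86_64.rpm: digests signatures OK
example-unsigned-1.0-1.el8.x86_64.rpm: digests OK
example-nokey-1.0-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
EOF
}

# Real use (assumed path): rpm -K /path/to/repo/*.rpm | report_unverified
sample_checksig_output | report_unverified || echo "unsigned or unverifiable packages found"
```

A package whose signing key has not been imported is reported as `failed` rather than `signed`, so the gate only passes when the signature was actually verified.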

Comment by Ramon Fernandez Marina [ 14/Oct/16 ]

Thanks for your report dwlocks, we're looking into this issue – we'll post updates to this ticket when we have them.

Cheers,
Ramón.
