scap-security-guide GPG verification issues

dalu
Posts: 12
Joined: 2017/03/25 23:31:08
Location: Germany/Croatia

scap-security-guide GPG verification issues

Post by dalu » 2018/05/20 09:55:13

When trying to do a `yum update` I'm getting

Code:

# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.softaculous.com
 * epel: mirror.wiuwiu.de
 * extras: mirror.wiuwiu.de
 * updates: centosc6.centos.org
Resolving Dependencies
--> Running transaction check
---> Package scap-security-guide.noarch 0:0.1.33-6.el7.centos will be updated
---> Package scap-security-guide.noarch 0:0.1.36-9.el7.centos will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package                  Arch       Version                 Repository       Size
=====================================================================================
Updating:
 scap-security-guide      noarch     0.1.36-9.el7.centos     updates         4.4 M

Transaction Summary
=====================================================================================
Upgrade  1 Package

Total size: 4.4 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
The GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
 Failing package is: scap-security-guide-0.1.36-9.el7.centos.noarch
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Checking `yum info` and also the size of releases on GitHub
https://github.com/OpenSCAP/scap-securi ... e/releases
which is between 1.9MB and 7.7MB, I tend to agree that this is a fishy package.

One of those sites has a fishy package stored.
 * base: mirror.softaculous.com
 * epel: mirror.wiuwiu.de
 * extras: mirror.wiuwiu.de
 * updates: centosc6.centos.org

Code:

yum info scap-security-guide
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.softaculous.com
 * epel: mirror.wiuwiu.de
 * extras: mirror.wiuwiu.de
 * updates: centosc6.centos.org
Installed Packages
Name        : scap-security-guide
Arch        : noarch
Version     : 0.1.33
Release     : 6.el7.centos
Size        : 132 M
Repo        : installed
From repo   : updates
Summary     : Security guidance and baselines in SCAP formats
URL         : https://github.com/OpenSCAP/scap-security-guide
License     : Public Domain
Description : The scap-security-guide project provides a guide for configuration of the
            : system from the final system's security point of view. The guidance is
            : specified in the Security Content Automation Protocol (SCAP) format and
            : constitutes a catalog of practical hardening advice, linked to government
            : requirements where applicable. The project bridges the gap between generalized
            : policy requirements and specific implementation guidelines. The Red Hat
            : Enterprise Linux 7 system administrator can use the oscap command-line tool
            : from the openscap-utils package to verify that the system conforms to provided
            : guideline. Refer to scap-security-guide(8) manual page for further information.

Available Packages
Name        : scap-security-guide
Arch        : noarch
Version     : 0.1.36
Release     : 9.el7.centos
Size        : 4.4 M
Repo        : updates/7/x86_64
Summary     : Security guidance and baselines in SCAP formats
URL         : https://github.com/OpenSCAP/scap-security-guide
License     : Public Domain
Description : The scap-security-guide project provides a guide for configuration of the
            : system from the final system's security point of view. The guidance is
            : specified in the Security Content Automation Protocol (SCAP) format and
            : constitutes a catalog of practical hardening advice, linked to government
            : requirements where applicable. The project bridges the gap between generalized
            : policy requirements and specific implementation guidelines. The Red Hat
            : Enterprise Linux 7 system administrator can use the oscap command-line tool
            : from the openscap-utils package to verify that the system conforms to provided
            : guideline. Refer to scap-security-guide(8) manual page for further information.

Questions:
- How do I find out which site it's downloading this package from?
- How do I block this site for good?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: scap-security-guide GPG verification issues

Post by TrevorH » 2018/05/20 12:25:42

The package appears to be signed with the wrong key. I've passed the info on to those that know and can check and will report back if I hear more info.

OK, someone just checked through and found that that key is still a CentOS key but it is the wrong one. It's been a busy week :-(

pub 2048R/F533F4FA 2015-11-27 CentOS AltArch SIG - PowerPC (https://wiki.centos.org/SpecialInterestGroup/AltArch) <security@centos.org>

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
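The check TrevorH's reply implies, as an added example that is not part of the thread: pull the short key ID out of the yum NOKEY warning and compare it against the keys actually imported into the rpm database, so a package signed by a key the repo is not configured for is flagged before it is installed. The warning line is copied in shape from the first post; the installed-key listing is a constructed sample in the format `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'` prints (key ID is the VERSION field), and the CentOS-7 and EPEL key IDs in it are assumed values for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example: decide whether a yum "key ID xxxxxxxx: NOKEY" warning refers to a
# key that is installed in the rpm database or to an unknown/unexpected key.

# Constructed sample: the warning line from the thread, as yum printed it.
YUM_WARNING='warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY'

# Constructed sample of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'`
# (key IDs are assumed values for illustration; on a live box this comes from rpm).
INSTALLED_KEYS='gpg-pubkey-f4a80eb5-53a7ff4b  gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey-352c64e5-52ae6884  gpg(Fedora EPEL (7) <epel@fedoraproject.org>)'

# Extract the 8-hex-digit short key ID from a yum/rpm "key ID xxxxxxxx" message,
# lower-cased to match rpm's gpg-pubkey-<keyid>-<timestamp> naming.
signing_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9a-fA-F]\{8\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Return 0 if key ID $1 appears in the installed-keys listing $2, 1 otherwise.
key_installed() {
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-$1-"
}

# Classify a NOKEY warning against the installed keys:
#   0 = signing key is imported (rpm can verify the signature)
#   1 = signing key is not imported: do not install, find out which key signed it
#   2 = no key ID could be parsed from the message
classify_signature() {
    kid=$(signing_key_id "$1")
    [ -n "$kid" ] || { echo "no key ID found in message"; return 2; }
    if key_installed "$kid" "$2"; then
        echo "key $kid is installed: signature can be verified"
        return 0
    fi
    echo "key $kid is NOT among the installed keys: do not install this package"
    return 1
}

# Run the check on the sample data.
classify_signature "$YUM_WARNING" "$INSTALLED_KEYS"
```

On a real CentOS/RHEL host the listing is produced by the `rpm -q gpg-pubkey` query shown in the comment, and the key ID can also be read straight from the downloaded file with `rpm -qp --qf '%{SIGPGP:pgpsig}\n' <package>.rpm`, which avoids having to parse yum's warning at all. In the thread's case the key ID f533f4fa belongs to a genuine CentOS SIG key rather than an attacker's key, but the check still does the right thing: the key is not the one configured for the "updates" repository, so the package should not be installed until the repository ships one signed with the expected key.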
