Collector-Sidecar for RHEL 9?

1. Describe your incident:
Trying to install the Collector-Sidecar 1.2.0-1 on RHEL9 and getting “Error: GPG check FAILED” after installing the repository RPM. I tried ignoring the GPG check (yum --nogpgcheck install graylog-sidecar) however that fails with “package graylog-sidecar-1.2.0-1.x86_64 does not verify: Header V4 RSA/SHA1 Signature, key ID b1606f22: BAD”

2. Describe your environment:
RHEL 9

4. How can the community help?
Anyone else had this issue and found a solution?

Try an older version just in case it’s a problem with the current?

Good idea, thanks! I don’t see any older versions available through the repository though, when I did:
yum --showduplicates list graylog-sidecar

it only shows 1.2.0-1

It should be possible to pull older versions here: Graylog Package Repository

1 Like

Thanks! I was trying to browse the URL from the docs, but it was throwing a 404:
https://packages.graylog2.org/repo/packages/

I installed the older version of the repository: graylog-sidecar-repository-1-1.noarch

Then I tried installing graylog-sidecar 1.0.2-1, however it threw the same error.

Thinking maybe something changed between RHEL 8 and 9 with how it handles GPG keys?

I didn’t find any useful logs.

Grrr… docs are wrong - try: Graylog Package Repository (without “repo” in the path) (@dscryber can fix that with the doc dudes)

Or the version at GitHub here: Releases · Graylog2/collector-sidecar · GitHub

Thanks! I grabbed the file itself (graylog-sidecar-1.2.0-1.x86_64.rpm) instead of using the repository, and it installs fine. There must be something different with RHEL9 and GPG key verifications with repositories. (I’m testing out RHEL 9, so this is good to know!)

– I found this link, which seems to indicate that RHEL 9 wants stronger GPG keys, which might be why it’s happening:

— according to poster pmatilai:
This is due to RHEL 9 openssl outlawing SHA1 use in signatures. Nothing rpm can do about it.

I found a (temporary) fix before companies update their key to not use SHA-1 signatures:

  • update-crypto-policies --set LEGACY
  • (reboot)

(this can be reverted down the road by running the same command with DEFAULT as the name of the policy.)

PS - I previously needed to do this also on my Graylog server(s) running RHEL 8 to get Active Directory authentication working, since the certificates the Domain Controllers are using don’t meet the “default” crypto requirements

2 Likes

Setting the default crypto policy to Legacy is a working but unfavorable solution in my opinion. This lowers the acceptable cryptographic requirements for the entire system.

Is Graylog working on updating its repo to support the latest RHEL requirements - SHA256 for example?

@dscryber - Can we get a Sidecar Dev to chime in here?

Allowing just SHA1 might fix it too, like the RH link mentions:

update-crypto-policies --set DEFAULT:SHA1

… I did it system wide, since in my case the servers are in an isolated network and I wasn’t too worried:
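
The error text quoted at the top of the thread ("Header V4 RSA/SHA1 Signature, key ID …: BAD") names the hash inside the package's OpenPGP signature, and that hash is exactly what the RHEL 9 crypto policy rules on. The script below is an added example, not code from this thread, from Graylog or from rpm: it parses that signature straight out of an .rpm file so you can see whether a package actually needs the SHA1 sub-policy or LEGACY before changing the system-wide policy, and it serves both the LEGACY workaround and the DEFAULT:SHA1 variant posted above. The lead and header offsets follow the rpm file format and the packet layout follows RFC 4880; the build_* helpers and the sample key ID are constructed test data, and the policy mapping encodes only what this thread established (DEFAULT refuses SHA-1, DEFAULT:SHA1 and LEGACY accept it).

```python
# Added example (not Graylog's or rpm's own code): read the OpenPGP signature an RPM carries
# in its signature header and report which hash it uses. build_* helpers make constructed data.
import struct
import sys

LEAD_SIZE = 96                                  # fixed-size rpm lead before the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"              # rpm header magic + structure version
SIGTAG_DSAHEADER, SIGTAG_RSAHEADER = 267, 268   # signature-header tags holding the header sig
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 22: "EdDSA"}                       # RFC 4880 s9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def _packet_body(packet):
    """Strip an old-format OpenPGP packet header (RFC 4880 s4.2.1, gpg's usual form for sigs)."""
    first = packet[0]
    if (first & 0xC0) != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 0:
        return tag, packet[2:2 + packet[1]]
    if ltype == 1:
        return tag, packet[3:3 + struct.unpack(">H", packet[1:3])[0]]
    if ltype == 2:
        return tag, packet[5:5 + struct.unpack(">I", packet[1:5])[0]]
    raise ValueError("indeterminate packet length")

def _issuer_key_id(area):
    """Walk a signature subpacket area (RFC 4880 s5.2.3.1) for the Issuer (type 16) subpacket."""
    pos = 0
    while pos < len(area):
        l0 = area[pos]
        if l0 < 192:
            length, pos = l0, pos + 1
        elif l0 < 255:
            length, pos = ((l0 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        if (area[pos] & 0x7F) == 16:                # mask the critical bit; payload is the 8-byte key ID
            return area[pos + 1:pos + length].hex()
        pos += length
    return None

def parse_signature(packet):
    """Decode the algorithm fields and issuer of a v4 OpenPGP signature packet (RFC 4880 s5.2.3)."""
    tag, body = _packet_body(packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    pk_algo, hash_algo = body[2], body[3]
    hashed = body[6:6 + struct.unpack(">H", body[4:6])[0]]
    pos = 6 + len(hashed)
    unhashed = body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]
    return {"pubkey": PUBKEY_ALGOS.get(pk_algo, f"algo {pk_algo}"),
            "hash": HASH_ALGOS.get(hash_algo, f"algo {hash_algo}"),
            "key_id": _issuer_key_id(unhashed) or _issuer_key_id(hashed)}

def policies_accepting(hash_name):
    """RHEL 9 crypto policies that verify this hash, per the thread: DEFAULT refuses SHA-1."""
    if hash_name in ("SHA224", "SHA256", "SHA384", "SHA512"):
        return ["DEFAULT", "DEFAULT:SHA1", "LEGACY"]
    if hash_name == "SHA1":
        return ["DEFAULT:SHA1", "LEGACY"]
    return []   # MD5 or unknown: not covered by the thread, treated as refused everywhere

def extract_header_signature(rpm):
    """Return the RSAHEADER/DSAHEADER blob from the signature header that follows the lead."""
    if rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("no rpm signature header after the lead")
    nindex, hsize = struct.unpack(">II", rpm[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_start = LEAD_SIZE + 16
    store_start = index_start + 16 * nindex
    for i in range(nindex):
        off = index_start + 16 * i
        tag, _type, offset, count = struct.unpack(">IIII", rpm[off:off + 16])
        if tag in (SIGTAG_RSAHEADER, SIGTAG_DSAHEADER):   # type BIN, so count is a byte length
            return rpm[store_start + offset:store_start + offset + count]
    raise ValueError("rpm carries no header signature (unsigned package)")

def build_sample_signature(hash_algo, key_id):
    """Constructed v4 RSA signature packet; the MPI is a dummy, only algorithm bytes and issuer matter."""
    hashed = bytes([5, 2]) + b"\x00\x00\x00\x00"            # creation-time subpacket (type 2)
    unhashed = bytes([9, 16]) + key_id                       # issuer subpacket (type 16)
    body = (bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + b"\x00\x08\xab")
    return bytes([0x89]) + struct.pack(">H", len(body)) + body   # old-format tag 2, 2-byte length

def build_sample_rpm(sig):
    """Constructed lead + signature header wrapping sig under RSAHEADER (not an installable package)."""
    lead = b"\xed\xab\xee\xdb" + b"\x00" * (LEAD_SIZE - 4)
    index = struct.pack(">IIII", SIGTAG_RSAHEADER, 7, 0, len(sig))   # type 7 = BIN
    return lead + HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, len(sig)) + index + sig

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:       # e.g. graylog-sidecar-1.2.0-1.x86_64.rpm
        info = parse_signature(extract_header_signature(f.read()))
    print(f"Header V4 {info['pubkey']}/{info['hash']} signature, key ID {info['key_id']}")
    print("accepted under:", ", ".join(policies_accepting(info["hash"])) or "none")
```

On a real package, `rpm -Kv package.rpm` reports the same algorithms in its "Header V4 RSA/SHA1 Signature" line and `update-crypto-policies --show` tells you which policy is active, so the script is mainly useful for checking a downloaded .rpm on a host where rpm itself already refuses it. If the hash comes back as SHA256 or stronger, the GPG failure has a different cause and no policy change will fix it.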

I’m on it, @tmacgbay . Thanks for asking.

1 Like

To @SalC

From our DEV team: We are currently not working on updating the repository format to support the latest RHEL requirements. It would be great if @SalC could open a GitHub issue with the details. GitHub - Graylog2/fpm-recipes: Graylog package build recipes
Thank you!

1 Like