GPG Verification Failure for CloudWatch Agent on RHEL 8

[onedownsixup]

Describe the bug

The problem arises when attempting to install the CloudWatch agent on RHEL 8 using Ansible. The GPG verification for the agent fails, preventing successful installation, even after importing the GPG key.

Steps to reproduce

1. Attempt to install the CloudWatch agent on RHEL 8 using Ansible.
2. Import the GPG key using the module ansible.builtin.rpm_key.
3. Try to install the agent using the module ansible.builtin.dnf.

What did you expect to see?

The CloudWatch agent should be installed successfully, verified by the GPG key already imported to the RPM using the module ansible.builtin.rpm_key.

What did you see instead?

The installation fails with the following error message when trying to install using the ansible.builtin.dnf module:

Failed to validate GPG signature for amazon-cloudwatch-agent-1.300041.0b681-1.x86_64: Package _amazon-cloudwatch-agent.rpm is not signed

What version did you use?

Version: 1.300041.0b681

Environment

OS: Red Hat Enterprise Linux 8

Additional context

Following the AWS documentation, it appears that the installer does not match the GPG key imported. Since the GPG verification fails, the installation cannot proceed. This issue persists even after downloading the latest version of the agent and importing the GPG key as mentioned in the documentation.

From the details provided below, it looks like the amazon-ssm-agent package is signed correctly, but the amazon-cloudwatch-agent package is not signed at all:

# rpm -qpi amazon-ssm-agent.rpm

Name        : amazon-ssm-agent
Version     : 3.3.551.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Amazon/Tools
Size        : 119275951
License     : Apache License, Version 2.0
Signature   : RSA/SHA1, Fri 14 Jun 2024 07:06:18 PM UTC, Key ID bc1f495c97dd04ed
Source RPM  : amazon-ssm-agent-3.3.551.0-1.src.rpm
Build Date  : Fri 14 Jun 2024 06:03:04 PM UTC
Build Host  : build.amazon.com
Relocations : (not relocatable)
Packager    : Amazon.com, Inc. <http://aws.amazon.com>
Vendor      : Amazon.com
URL         : http://docs.aws.amazon.com/ssm/latest/APIReference/Welcome.html
Summary     : Manage EC2 Instances using SSM APIs
Description :
This package provides Amazon SSM Agent for managing EC2 Instances using SSM APIs

# rpm -qpi amazon-cloudwatch-agent.rpm

Name        : amazon-cloudwatch-agent
Version     : 1.300041.0b681
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/CloudWatch-Agent
Size        : 422303104
License     : MIT License. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Signature   : (none)
Source RPM  : amazon-cloudwatch-agent-1.300041.0b681-1.src.rpm
Build Date  : Mon 10 Jun 2024 05:35:01 PM UTC
Build Host  : ip-172-31-23-244.us-west-2.compute.internal
Relocations : (not relocatable)
Summary     : Amazon CloudWatch Agent
Description :
This package provides daemon of Amazon CloudWatch Agent

[okankoAMZ]

Hello!
Thank you for reaching out. I am currently trying to re-create this issue.

[okankoAMZ]

Hello!
I was unable to re-create this issue. Could you show me what commands you used to download the signature? Could you also try the latest version of CloudWatch Agent to see if this issue proceed?

[github-actions]

This issue was marked stale due to lack of activity.