# general
k
I'm trying to install osquery via Ansible. When I use the command that is recommended in the Wazuh manual, the apt-key command comes back as deprecated. I use this command instead:
curl -L <https://pkg.osquery.io/deb/GPG> | gpg --no-default-keyring --gnupg-ring:/usr/share/keyrings/osuery.gpg --import & chmod 644 /usr/share/keyrings/osquery.gpg
I receive the error:
gpg: no valid OpenPGP data found  gpg:Total number processed: 0
and the osquery.gpg file does not exist. What is wrong with my curl command, or how else can I install the osquery gpg key?
s
The URL to the gpg key is <https://pkg.osquery.io/deb/pubkey.gpg>, also in the --gnupg-ring argument osuery.gpg -> osquery.gpg. I'm also not sure about that --gnupg-ring option, I don't have it, should be --keyring <path>?
k
ok So now I have
curl -L <https://pkg.osquery.io/deb/pubkey.gpg> | gpg --no-default-keyring --keyring /usr/share/keyrings/osquery.gpg && chmod 644 /usr/share/keyrings
and I get a 32 byte osquery.gpg file. However, when I add the osquery repo, /etc/apt/sources.list.d/osquery.list with the line deb [arch=64] <https://pkg.osquery.io/deb> deb main, and perform an apt update, I still get the error:
"The following signatures couldn't be verified because the public key is not available."
s
Well, if it's in a custom keyring path, you probably need to specify where it is, so you should change it with [arch=64 signed-by=/usr/share/keyrings/osquery.gpg]. You might want to check at the bottom of this page: https://osquery.io/downloads/official/5.10.2 "Debian Linux"
Although it says Debian, technically it is Ubuntu.
There are different paths depending on the APT version basically (which there is connected to the Ubuntu version). APT recently has changed how it verifies keys.
k
I checked that out, made the changes you suggested and I still get the error
"The following signatures couldn't be verified because the public key is not available."
The osquery.gpg file is 32 bytes but does not have anything in it.
s
Should be 3069 bytes. Sorry I missed the "32 bytes" part, if you do curl -L <https://pkg.osquery.io/deb/pubkey.gpg> only, what do you see?
(or more precisely, the gpg key is 3069 bytes, the keyring might be slightly smaller)
OK, I've also missed the second thing, I see you removed the --import option, you should've kept that, in the full command.
So, just double check that you're actually getting the key just with the curl command above, if so, add --import to your full command, after --keyring <path>
k
Yes, correct, sorry. OK. That works -
curl -L <https://pkg.osquery.io/deb/pubkey.gpg> | gpg --no-default-keyring --keyring /usr/share/keyrings/osquery.gpg --import
Thank you.