Feature #11966
Multiple GPG Keys
Description
Multiple GPG Keys do not seem to be supported at the Product or the Repository level. This is supported by yum: http://linux.die.net/man/5/yum.conf
From the yum.conf man page:
baseurl Must be a URL to the directory where the yum repository's 'repodata' directory lives. Can be an http://, ftp:// or file:// URL. You can specify multiple URLs in one baseurl statement. The best way to do this is like this:
[repositoryid]
name=Some name for this repository
baseurl=url://server1/path/to/repository/
        url://server2/path/to/repository/
        url://server3/path/to/repository/...
gpgkey A URL pointing to the ASCII-armored GPG key file for the repository. This option is used if yum needs a public key to verify a package and the required key hasn't been imported into the RPM database. If this option is set, yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless the assumeyes option is set.
Multiple URLs may be specified here in the same manner as the baseurl option (above). If a GPG key is required to install a package from a repository, all keys specified for that repository will be installed.
Updated by Chad Pritchett about 9 years ago
https://pulp.plan.io/issues/818 seems to indicate this is a feature regression in pulp.
Updated by Eric Helms about 9 years ago
- Triaged changed from No to Yes
As far as I know, Candlepin only supports a single GPG Key URL per content (and Candlepin content is what we map a repository to for controlling access via subscriptions). Thus, we'd need to open a bug, if one does not already exist, to Candlepin. See http://www.candlepinproject.org/docs/candlepin/api.html#slash-content
Updated by Eric Helms almost 9 years ago
- Translation missing: en.field_release set to 114
Updated by Klaas D almost 8 years ago
This is more relevant now, the puppet pc1 repository currently uses two gpg keys
[puppetlabs-pc1]
name=Puppet Labs PC1 Repository el 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/PC1/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs-PC1
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-PC1
enabled=1
gpgcheck=1
pub   4096R/1054B7A24BD6EC30 2010-07-10 [expires: 2017-01-05]
      Key fingerprint = 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30
uid   Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

pub   4096R/7F438280EF8D349F 2016-08-18 [expires: 2021-08-17]
      Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid   Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Updated by Gauthier Delacroix over 6 years ago
Any news about this one?
GitLab repos are also using multiple keys, but Puppet PC1 is the most blocking one.
Updated by Gauthier Delacroix over 6 years ago
The funny point is that the Red Hat workaround on Satellite 6 is... to use Puppet...
https://access.redhat.com/solutions/2108081
Klaas D wrote:
This is more relevant now, the puppet pc1 repository currently uses two gpg keys
Updated by Justin Sherrill about 5 years ago
To anyone watching this bug, I would recommend the following:
1. Create a Gpg Key within the UI (under content credentials in newer releases)
2. Paste in multiple keys with just a new line in between, for example (shortened for brevity):
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFy/HE4BEADttv2TCPzVrre+aJ9f5QsR6oWZMm7N5Lwxjm5x5zA9BLiPPGFN
4aTUR/g+K1S0aqCU+ZS3Rnxb+6fnBxD+COH9kMqXHi3M5UNzbp5WhCdUpISXjjpU
XIFFWBPuBfyr/FKRknFH15P+9kLZLxCpVZZLsweLWCuw+JKCMmnA
=F6VG
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFw467UBEACmREzDeK/kuScCmfJfHJa0Wgh/2fbJLLt3KSvsgDhORIptf+PP
OTFDlKuLkJx99ZYG5xMnBG47C7ByoMec1j94YeXczuBbynOyyPlvduma/zf8oB9e
Wl5GnzcLGAnUSRamfqGUWcyMMinHHIKIc1X1P4I=
=WPpI
-----END PGP PUBLIC KEY BLOCK-----
3. Associate it with a repository with mixed content (signed by the two different keys).
4. Subscribe the system to the repository and attempt to install the content
Note: I tested with yum-3.4.3-161 on RHEL 7. It's possible that other clients may not support this.
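An added example, not part of the thread or of the project's code: a check to run on a multi-key credential before pasting it as in the workaround above. It splits the text into its armored blocks, verifies each block's CRC-24, and returns each primary key's fingerprint for comparison with the fingerprints the vendor publishes. The function names are this example's own, the sample packets are constructed rather than real keys, and it assumes v4 keys exported by GnuPG (old-format packet headers).

```python
import base64, hashlib, re

BLOCK = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data):
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw):
    """Armor raw packet bytes; used here only to construct sample input."""
    check = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.encodebytes(raw).decode()
            + "=" + check + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def decode_blocks(text):
    """Yield the decoded bytes of each armored block, verifying its CRC-24 if present."""
    for n, match in enumerate(BLOCK.finditer(text), 1):
        lines = [l.strip() for l in match.group(1).splitlines()]
        data = [l for l in lines if l and ":" not in l and not l.startswith("=")]
        check = [l[1:] for l in lines if l.startswith("=")]
        raw = base64.b64decode("".join(data), validate=True)
        if check and int.from_bytes(base64.b64decode(check[0]), "big") != crc24(raw):
            raise ValueError(f"block {n}: CRC-24 mismatch, paste truncated or altered")
        yield raw

def fingerprint(raw):
    """V4 fingerprint (RFC 4880 12.2); assumes GnuPG's old-format packet header."""
    width = {0: 1, 1: 2, 2: 4}.get(raw[0] & 3, 0) if raw else 0
    body = raw[1 + width:1 + width + int.from_bytes(raw[1:1 + width], "big")]
    if not width or raw[0] & 0xFC != 0x98 or body[:1] != b"\x04":
        raise ValueError("block does not start with a v4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def credential_fingerprints(text):
    """Fingerprint of the primary key in every block of a multi-key credential."""
    return [fingerprint(raw) for raw in decode_blocks(text)]

if __name__ == "__main__":
    # Constructed sample: two fake 12-byte v4 key packets, not real keys.
    keys = [b"\x99\x00\x0c\x04" + bytes([i]) * 11 for i in (1, 2)]
    print(credential_fingerprints("".join(armor(k) for k in keys)))
```

A block count or fingerprint that differs from what the vendor lists means the credential should not be associated with the repository as pasted.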