Feature #11966

Multiple GPG Keys

Added by Chad Pritchett almost 4 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Multiple GPG Keys do not seem to be supported at the Product or the Repository level. This is supported by yum: http://linux.die.net/man/5/yum.conf

From the yum.conf man page:

baseurl Must be a URL to the directory where the yum repository's 'repodata' directory lives. Can be an http://, ftp:// or file:// URL. You can specify multiple URLs in one baseurl statement. The best way to do this is like this:

[repositoryid]
name=Some name for this repository
baseurl=url://server1/path/to/repository/
        url://server2/path/to/repository/
        url://server3/path/to/repository/

...

gpgkey A URL pointing to the ASCII-armored GPG key file for the repository. This option is used if yum needs a public key to verify a package and the required key hasn't been imported into the RPM database. If this option is set, yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless the assumeyes option is set.

Multiple URLs may be specified here in the same manner as the baseurl option (above). If a GPG key is required to install a package from a repository, all keys specified for that repository will be installed.

History

#1 Updated by Chad Pritchett almost 4 years ago

https://pulp.plan.io/issues/818 seems to indicate this is a feature regression in pulp.

#2 Updated by Eric Helms almost 4 years ago

  • Triaged changed from No to Yes

As far as I know, Candlepin only supports a single GPG Key URL per content (and Candlepin content is what we map a repository to for controlling access via subscriptions). Thus, we'd need to open a bug, if one does not already exist, to Candlepin. See http://www.candlepinproject.org/docs/candlepin/api.html#slash-content

#3 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) set to 114

#4 Updated by Klaas D over 2 years ago

This is more relevant now, the puppet pc1 repository currently uses two gpg keys

[puppetlabs-pc1]
name=Puppet Labs PC1 Repository el 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/PC1/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs-PC1
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-PC1
enabled=1
gpgcheck=1

pub  4096R/1054B7A24BD6EC30 2010-07-10 [expires: 2017-01-05]
      Key fingerprint = 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30
uid                            Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
pub  4096R/7F438280EF8D349F 2016-08-18 [expires: 2021-08-17]
      Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid                            Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
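
An added example, not part of the original comments or of the Foreman/Katello code: a small audit that parses `.repo` stanzas and lists which repositories declare more than one `gpgkey` URL, that is, the ones a single-key-per-repository model cannot represent. The `example-single` stanza and the function names are hypothetical; the splitting rule (whitespace or commas) is an assumption about how yum reads list options.

```python
import configparser
import re

# Constructed sample: the puppetlabs-pc1 stanza quoted in comment #4, plus a
# hypothetical single-key repository for contrast.
SAMPLE_REPO = """\
[puppetlabs-pc1]
name=Puppet Labs PC1 Repository el 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/PC1/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs-PC1
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-PC1
enabled=1
gpgcheck=1

[example-single]
name=Hypothetical single-key repository
baseurl=http://repo.example.invalid/el/7/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
gpgcheck=0
"""

def split_list(value):
    """Split a list option: entries are separated by whitespace
    (including indented continuation lines) or commas."""
    return [item for item in re.split(r"[\s,]+", value or "") if item]

def audit_repos(text):
    """Return {repo_id: {"gpgkeys": [...], "gpgcheck": bool, "multi_key": bool}}."""
    # interpolation=None keeps yum variables such as $basearch untouched.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        keys = split_list(section.get("gpgkey", ""))
        # Simplification: a missing gpgcheck is treated as off here; a real
        # audit would also read the default from the [main] section.
        checked = section.get("gpgcheck", "0").strip() in ("1", "true", "yes")
        report[repo_id] = {
            "gpgkeys": keys,
            "gpgcheck": checked,
            "multi_key": len(keys) > 1,
        }
    return report

if __name__ == "__main__":
    for repo_id, info in audit_repos(SAMPLE_REPO).items():
        state = "gpgcheck on" if info["gpgcheck"] else "gpgcheck OFF"
        print(repo_id, state, "multi-key" if info["multi_key"] else "single-key", info["gpgkeys"])
```

Repositories reported as multi-key with `gpgcheck` on are the ones where dropping all but one key URL would leave some signed packages unverifiable on the client.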

#5 Updated by Gauthier Delacroix over 1 year ago

Any news about this one?

Gitlab repos are also using multiple keys, but Puppet PC1 is the most blocking one.

#6 Updated by Gauthier Delacroix over 1 year ago

The funny point is that RedHat workaround on Satellite 6 is...to use Puppet...

https://access.redhat.com/solutions/2108081

Klaas D wrote:

This is more relevant now, the puppet pc1 repository currently uses two gpg keys
