Feature #11966

Multiple GPG Keys

Added by Chad Pritchett over 4 years ago. Updated 9 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: -
Triaged: Yes
Bugzilla link: -
Pull request: -
Fixed in Releases: -
Found in Releases: -

Description

Multiple GPG Keys do not seem to be supported at the Product or the Repository level. This is supported by yum: http://linux.die.net/man/5/yum.conf

From the yum.conf man page:

baseurl Must be a URL to the directory where the yum repository's 'repodata' directory lives. Can be an http://, ftp:// or file:// URL. You can specify multiple URLs in one baseurl statement. The best way to do this is like this:

    [repositoryid]
    name=Some name for this repository
    baseurl=url://server1/path/to/repository/
            url://server2/path/to/repository/
            url://server3/path/to/repository/

...

gpgkey A URL pointing to the ASCII-armored GPG key file for the repository. This option is used if yum needs a public key to verify a package and the required key hasn't been imported into the RPM database. If this option is set, yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless the assumeyes option is set.

Multiple URLs may be specified here in the same manner as the baseurl option (above). If a GPG key is required to install a package from a repository, all keys specified for that repository will be installed.

History

#1 Updated by Chad Pritchett over 4 years ago

https://pulp.plan.io/issues/818 seems to indicate this is a feature regression in pulp.

#2 Updated by Eric Helms over 4 years ago

  • Triaged changed from No to Yes

As far as I know, Candlepin only supports a single GPG Key URL per content (and Candlepin content is what we map a repository to for controlling access via subscriptions). Thus, we'd need to open a bug, if one does not already exist, to Candlepin. See http://www.candlepinproject.org/docs/candlepin/api.html#slash-content

#3 Updated by Eric Helms over 4 years ago

  • Legacy Backlogs Release (now unused) set to 114

#4 Updated by Klaas D over 3 years ago

This is more relevant now; the puppet pc1 repository currently uses two gpg keys:

[puppetlabs-pc1]
name=Puppet Labs PC1 Repository el 7 - $basearch
baseurl=http://yum.puppetlabs.com/el/7/PC1/$basearch
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs-PC1
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-PC1
enabled=1
gpgcheck=1

pub  4096R/1054B7A24BD6EC30 2010-07-10 [expires: 2017-01-05]
      Key fingerprint = 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30
uid                            Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
pub  4096R/7F438280EF8D349F 2016-08-18 [expires: 2021-08-17]
      Key fingerprint = 6F6B 1550 9CF8 E59E 6E46  9F32 7F43 8280 EF8D 349F
uid                            Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

#5 Updated by Gauthier Delacroix about 2 years ago

Any news about this one?

Gitlab repos are also using multiple keys, but Puppet PC1 is the most blocking one.

#6 Updated by Gauthier Delacroix about 2 years ago

The funny point is that the Red Hat workaround on Satellite 6 is... to use Puppet...

https://access.redhat.com/solutions/2108081

Klaas D wrote:

This is more relevant now; the puppet pc1 repository currently uses two gpg keys

#7 Updated by Justin Sherrill 9 months ago

To anyone watching this bug, I would recommend the following:

1. Create a Gpg Key within the UI (under content credentials in newer releases)
2. Paste in multiple keys with just a new line in between, for example (shortened for brevity):

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFy/HE4BEADttv2TCPzVrre+aJ9f5QsR6oWZMm7N5Lwxjm5x5zA9BLiPPGFN
4aTUR/g+K1S0aqCU+ZS3Rnxb+6fnBxD+COH9kMqXHi3M5UNzbp5WhCdUpISXjjpU
XIFFWBPuBfyr/FKRknFH15P+9kLZLxCpVZZLsweLWCuw+JKCMmnA
=F6VG
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFw467UBEACmREzDeK/kuScCmfJfHJa0Wgh/2fbJLLt3KSvsgDhORIptf+PP
OTFDlKuLkJx99ZYG5xMnBG47C7ByoMec1j94YeXczuBbynOyyPlvduma/zf8oB9e
Wl5GnzcLGAnUSRamfqGUWcyMMinHHIKIc1X1P4I=
=WPpI
-----END PGP PUBLIC KEY BLOCK-----

3. Associate it with a repository containing mixed content (signed by the two different keys).
4. Subscribe the system to the repository and attempt to install the content.

Note: I tested with yum-3.4.3-161 on RHEL 7. It's possible that other clients may not support this.
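As an added example (not part of this issue, nor Katello's or Foreman's own code), a check a practitioner can run on a file assembled as in step 2 above before pasting it into a content credential: it splits the text into its armored blocks and verifies each block's OpenPGP armor checksum (CRC24), so a truncated or mangled paste is caught instead of silently importing a broken key. The armor() helper and the payload bytes are constructed sample input, not real keys.

```python
import base64
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)\n-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes) -> str:
    """Wrap bytes in a public-key armor block; used here only to build sample input."""
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            f"{base64.b64encode(payload).decode()}\n={check}\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")

def split_armored_keys(blob: str):
    """Decode each armored block in a pasted file, rejecting any whose CRC24 fails."""
    payloads = []
    for body in ARMOR_RE.findall(blob):
        lines = body.split("\n")
        if "" in lines:                       # armor headers end at the first blank line
            lines = lines[lines.index("") + 1:]
        lines = [ln.strip() for ln in lines if ln.strip()]
        if not lines or not lines[-1].startswith("="):
            raise ValueError("armor block has no checksum line")
        expected = int.from_bytes(base64.b64decode(lines.pop()[1:]), "big")
        payload = base64.b64decode("".join(lines), validate=True)
        if crc24(payload) != expected:
            raise ValueError("armor checksum mismatch: pasted key block is corrupt")
        payloads.append(payload)
    return payloads

def keys_are_intact(blob: str) -> bool:
    """True when every block in the pasted file decodes and its checksum matches."""
    try:
        split_armored_keys(blob)
    except ValueError:
        return False
    return True

# Constructed sample: two keys pasted one after another with a blank line between,
# mirroring step 2 above (payloads are placeholder bytes, not real OpenPGP packets).
SAMPLE_BLOB = armor(b"first constructed key") + "\n" + armor(b"second constructed key")
```

The number of payloads returned should equal the number of keys you pasted; gpg performs the same checksum check on import, but running it first tells you which block is damaged.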
