Bug #12230 (Closed)
rubygem-rdoc-3.12-12.el6.x86_64.rpm signed with revoked key
Description
In the 1.10 EL6 repo, the rubygem-rdoc package is signed with our revoked (2014) key e775ff07:
$ rpm -qip "http://yum.theforeman.org/releases/1.10/el6/x86_64/rubygem-rdoc-3.12-12.el6.x86_64.rpm" | grep Key
warning: http://yum.theforeman.org/releases/1.10/el6/x86_64/rubygem-rdoc-3.12-12.el6.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID e775ff07: NOKEY
Signature   : RSA/SHA1, Thu 12 Sep 2013 12:31:54 BST, Key ID 66cf053fe775ff07
1.9 seems unaffected, so something's wrong in the 1.10 signing process.
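The check behind this report, as an added example (not code from the bug report or from the Foreman project): walk a repo's `rpm -qip` output and flag every package whose Signature line names a revoked or unknown key, or no key at all. Note that the NOKEY warning above only means the key is not imported locally; the key ID itself is what has to be compared against the current and revoked lists. The short 8-hex ID (e775ff07) is the low 32 bits of the 16-hex ID rpm prints (66cf053fe775ff07), so the matcher accepts either form. Only e775ff07 is taken from the page; the "current" key and the non-rdoc package names and outputs below are constructed placeholders.

```python
"""Audit `rpm -qip` output for RPMs signed with a revoked, unknown or missing key.

Added example, not part of the Foreman bug report or its release tooling.
Key IDs other than e775ff07 are placeholders, not Foreman's real keys.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Key inventory for the example: e775ff07 is the key the bug names as revoked;
# the "current" key ID is made up for illustration.
REVOKED_KEYS = {"e775ff07"}
CURRENT_KEYS = {"deadbeefcafef00d"}

SIG_LINE = re.compile(r"^Signature\s*:\s*(?P<sig>.*)$")
KEY_ID = re.compile(r"Key ID\s+([0-9A-Fa-f]{8,16})")


@dataclass
class Verdict:
    package: str
    status: str                 # "ok", "revoked", "unknown-key" or "unsigned"
    key_id: Optional[str] = None


def key_matches(key_id: str, keys: Iterable[str]) -> bool:
    """True if key_id names one of `keys`, accepting 8- or 16-hex IDs on either
    side: the short ID is the last 8 hex digits of the long one."""
    key_id = key_id.lower()
    for k in keys:
        shorter, longer = sorted((key_id, k.lower()), key=len)
        if longer.endswith(shorter):
            return True
    return False


def classify(package: str, rpm_qip_output: str) -> Verdict:
    """Classify one package from its `rpm -qip` output (stdout only)."""
    for line in rpm_qip_output.splitlines():
        m = SIG_LINE.match(line.strip())
        if not m:
            continue
        sig = m.group("sig").strip()
        k = KEY_ID.search(sig)
        if sig == "(none)" or k is None:     # rpm prints "(none)" for unsigned RPMs
            return Verdict(package, "unsigned")
        key_id = k.group(1).lower()
        if key_matches(key_id, REVOKED_KEYS):
            return Verdict(package, "revoked", key_id)
        if key_matches(key_id, CURRENT_KEYS):
            return Verdict(package, "ok", key_id)
        return Verdict(package, "unknown-key", key_id)
    # No Signature line at all: never treat that as ok.
    return Verdict(package, "unsigned")


def audit(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group packages by verdict; anything outside "ok" should block a release."""
    report: Dict[str, List[str]] = {"ok": [], "revoked": [], "unknown-key": [], "unsigned": []}
    for pkg, out in outputs.items():
        report[classify(pkg, out).status].append(pkg)
    return report


# Constructed sample output. The rdoc entry reproduces the Signature line from
# the bug report; the other three packages are invented to cover the other cases.
SAMPLE = {
    "rubygem-rdoc-3.12-12.el6.x86_64.rpm":
        "Name        : rubygem-rdoc\n"
        "Signature   : RSA/SHA1, Thu 12 Sep 2013 12:31:54 BST, Key ID 66cf053fe775ff07\n",
    "example-rhscl-1.0-1.el6.noarch.rpm":
        "Name        : example-rhscl\n"
        "Signature   : (none)\n",
    "example-good-2.0-1.el6.x86_64.rpm":
        "Name        : example-good\n"
        "Signature   : RSA/SHA256, Mon 05 Oct 2015 10:00:00 BST, Key ID deadbeefcafef00d\n",
    "example-stray-1.1-1.el6.x86_64.rpm":
        "Name        : example-stray\n"
        "Signature   : RSA/SHA256, Mon 05 Oct 2015 10:00:00 BST, Key ID 0123456789abcdef\n",
}

if __name__ == "__main__":
    for status, pkgs in audit(SAMPLE).items():
        print(f"{status:12s} {pkgs}")
```

In practice the input dict is built by running `rpm -qip` over every RPM in the repo (or over `repodata` via `rpm -qp` on downloaded files); the point of the separate "unknown-key" bucket is that a package signed by a key nobody recognises is as much a release blocker as one signed by a revoked key.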
Updated by Dominic Cleal about 9 years ago
Both rhscl packages in both el6/7 are missing signatures too.
How we call foreman-bats for releases (not nightly) needs checking to ensure it follows the code path to install foreman-release instead of a custom repo file with gpgcheck=0.
Updated by Dominic Cleal about 9 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Dominic Cleal wrote:
Both rhscl packages in both el6/7 are missing signatures too.
Fixed; the paths on Koji had changed due to my renaming of mashes to add a "-dist" extension (due to tag inheritance changes). Docs updated.
Updated by Dominic Cleal about 9 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
The mash config was incorrect: it had strict_keys set to false, as I'd copied the file from nightly instead of 1.9 (due to -dist changes), so it wasn't verifying that the repo was written with the right signed RPM. The GPG key was also incorrect. Docs also updated.
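A lint for the mistake described in that comment, as an added example (not code from the bug report or from Foreman's release tooling): a nightly-style mash config with strict_keys off lets any RPM, signed or not, into the repo, and a release config must instead have strict_keys = True and keys naming the release key. The example assumes mash's INI-style config with `strict_keys` and `keys` options per repo section; the section names, the release key ID and both sample configs are constructed placeholders.

```python
"""Lint mash repo configs so a release never mashes unsigned or wrongly-signed RPMs.

Added example, not part of the Foreman bug report or its tooling. Assumes the
INI-style mash config with per-repo `strict_keys` and `keys` options; section
names and key IDs below are placeholders.
"""
import configparser
from typing import List

# Placeholder: the key a release repo must be signed with (not Foreman's real key).
RELEASE_KEY = "deadbeefcafef00d"


def lint_release_mash(config_text: str) -> List[str]:
    """Return one finding per problem that would let the wrong RPMs into a
    release repo; an empty list means the config is safe to use for a release."""
    # mash configs use %(arch)s-style placeholders, so disable interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    findings: List[str] = []
    for section in cp.sections():
        if section == "mash":            # global settings, not a repo definition
            continue
        if not cp.getboolean(section, "strict_keys", fallback=False):
            findings.append(f"{section}: strict_keys is not True, so unsigned RPMs would be mashed")
        keys = cp.get(section, "keys", fallback="").split()
        # Accept either the 8-hex short ID or the 16-hex long ID of the release key.
        if not any(k.lower().endswith(RELEASE_KEY[-8:]) for k in keys):
            findings.append(f"{section}: keys={keys!r} does not include the release key {RELEASE_KEY}")
    return findings


# Constructed samples: a nightly-style config copied by mistake, and the
# corrected release config.
NIGHTLY_STYLE = """
[mash]
rpm_path = %(arch)s/os/Packages

[foreman-1.10-el6]
tag = foreman-1.10-rhel6-dist
strict_keys = False
keys =
arches = x86_64
"""

RELEASE_STYLE = """
[mash]
rpm_path = %(arch)s/os/Packages

[foreman-1.10-el6]
tag = foreman-1.10-rhel6-dist
strict_keys = True
keys = deadbeefcafef00d
arches = x86_64
"""

if __name__ == "__main__":
    for name, text in (("nightly-style", NIGHTLY_STYLE), ("release", RELEASE_STYLE)):
        print(name, lint_release_mash(text) or "clean")
```

Run this against every release mash config before the mash runs; together with gpgcheck=1 on the test side, it closes both halves of the gap in the report (the repo being built without key enforcement, and the test harness not noticing).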
Updated by Dominic Cleal about 9 years ago
Dominic Cleal wrote:
How we call foreman-bats for releases (not nightly) needs checking to ensure it follows the code path to install foreman-release instead of a custom repo file with gpgcheck=0.
https://github.com/theforeman/foreman-bats/pull/88 should ensure we inherit the GPG settings from foreman-release when testing a custom repo.