Bug #15087

gpgcheck is set to 1 even if repo has no gpgkey configured

Added by Dylan Baars about 3 years ago. Updated 12 days ago.

Status: Resolved
Priority: Normal
Category: Subscriptions
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Hi all,

I've recently added the katello agent 3.0 repo to my katello 3.0rc4 instance, synced it and am attempting to update packages on some test hosts. The repo is configured with a GPG key per the one downloaded via:
https://fedorapeople.org/groups/katello/releases/yum/3.0/client/el7/x86_64/katello-client-repos-latest.rpm

However, if I try and update a system (having added the new repo to a content view and published a new version etc) I get:

Downloading packages:
warning: /var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY
Retrieving key from https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

The GPG keys listed for the "Katello Agent 3.0 x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: python-pulp-agent-lib-2.8.0-1.el7.noarch
GPG Keys are configured as: https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

If I remove the GPG key in the Katello GUI from the product and the repo, a 'yum update' fails with this message:

Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not installed

Even though the repo in Katello is configured with no GPG key, gpgcheck is still set to 1 on the client (/etc/yum.repos.d/redhat.repo):

[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6166028268832642654.pem
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
sslverify = 1
name = Katello Agent 3.0 x86_64
sslclientkey = /etc/pki/entitlement/6166028268832642654-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

I guess there are two things here:
1. Why is Katello still setting gpgcheck = 1 if there is no gpgkey configured? I was able to find a bug report for RH Satellite 6 (https://bugzilla.redhat.com/show_bug.cgi?id=803428) from 2012, but it is closed as fixed...
2. The katello client packages don't seem to be signed? Certainly, the katello-client-repos-latest.rpm package's "katello-client.repo" has gpgcheck=0 - I wonder why?
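
A local check for the mismatch described in this report, as an added example that is not part of the original report and not code from Katello or subscription-manager: it parses a .repo file and flags enabled sections that have gpgcheck on with no gpgkey, or gpgcheck off. The function name, the sample section names and the host name are assumptions made for illustration.

```python
import configparser
import sys

# Constructed sample modelled on the redhat.repo excerpt in the report;
# the host name and section names are placeholders, not values from the page.
SAMPLE_REPO = """\
[Example_Org_Katello_Agent_3_0_x86_64]
baseurl = https://katello.example.test/pulp/repos/Example_Org/custom/Katello_Agent
enabled = 1
gpgcheck = 1

[Example_Org_Signed_Repo]
baseurl = https://katello.example.test/pulp/repos/Example_Org/custom/Signed
enabled = 1
gpgkey = https://katello.example.test/katello/api/repositories/1/gpg_key_content
gpgcheck = 1

[Example_Org_Unchecked_Repo]
baseurl = https://katello.example.test/pulp/repos/Example_Org/custom/Unchecked
enabled = 1
gpgcheck = 0
"""

TRUE_VALUES = ("1", "true", "yes")

def audit_repo_text(text):
    """Return {section: finding} for enabled repos whose GPG settings need review."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        repo = parser[section]
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repos are not used for installs
        if "gpgcheck" not in repo:
            continue  # value is inherited from [main] in yum.conf; not judged here
        checked = repo["gpgcheck"].strip().lower() in TRUE_VALUES
        has_key = bool(repo.get("gpgkey", "").strip())
        if checked and not has_key:
            findings[section] = "gpgcheck on, no gpgkey: fails unless key already imported"
        elif not checked:
            findings[section] = "gpgcheck off: package signatures are not verified"
    return findings

if __name__ == "__main__":
    # Pass a path such as /etc/yum.repos.d/redhat.repo, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPO
    for name, finding in audit_repo_text(text).items():
        print(f"{name}: {finding}")
```

A section that carries a gpgkey URL the server-side repository no longer has, as in the later comments, passes this local check; that case needs comparing the file against the repository's configuration on the server.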


Related issues

Is duplicate of Katello - Bug #26443: changing gpg key on a repository has no effect (Closed)

History

#1 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 144

#2 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 144 to 168

#3 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 168 to 171

#4 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) deleted (171)

#5 Updated by Justin Sherrill about 3 years ago

If I remember correctly, this is due partially to an issue with subscription-manager.

It sees the local value of gpgcheck=1 and thinks it's a local modification, and so it does not override it. Deleting the redhat.repo file and re-running yum update or install seems to correct it.

#6 Updated by Justin Sherrill about 3 years ago

  • Category set to Subscriptions
  • Assignee set to Justin Sherrill

#7 Updated by Eric Helms almost 3 years ago

  • Status changed from New to Assigned

#8 Updated by Eric Helms over 2 years ago

  • Status changed from Assigned to New
  • Legacy Backlogs Release (now unused) set to 114

#9 Updated by Joel Golden almost 2 years ago

I am still experiencing this. I have republished a new content version without the repo, refreshed the redhat.repo to confirm it removed the repo, deleted the repo, then added it again to the product, published a new version, and gpgcheck = 1 instead of 0.

katello-agent-3.0.0.3.el7
katello-3.4.4.-2.el7
katello-repos-3.4.0-3.el7
foreman-1.15.3-1.el7

#10 Updated by Anthony Chevalet almost 2 years ago

I have noticed the same: even if I delete the redhat.repo, it is recreated with gpgcheck=1 (no key is attached to the product or the repo).

p-infra-katello.ks.net 10:47:19 ~ # rpm -q foreman katello
foreman-1.15.4-1.el7.noarch
katello-3.4.5-1.el7.noarch
p-infra-katello.ks.net 10:48:31 ~ # hammer repository info --product Foreman --name Foreman-1_15-plugins
ID:                 105
Name:               Foreman-1_15-plugins
Label:              Foreman-1_15-plugins
Red Hat Repository: no
Content Type:       yum
Checksum Type:      sha256
Mirror on Sync:     yes
URL:                http://yum.theforeman.org/plugins/1.15/el7/x86_64/
Publish Via HTTP:   yes
Published At:       http://p-infra-katello.ks.net/pulp/repos/KS/Library/custom/Foreman/Foreman-1_15-plugins/
Relative Path:      KS/Library/custom/Foreman/Foreman-1_15-plugins
Download Policy:    immediate
Product:            
    ID:   69
    Name: Foreman
GPG Key:            

Sync:               
    Status:
Created:            2017/07/27 14:57:05
Updated:            2017/09/16 13:36:42
Content Counts:     
    Packages:       355
    Package Groups: 0
    Errata:         0

p-infra-katello.ks.net 10:48:38 ~ # rm /etc/yum.repos.d/redhat.repo 
rm: remove regular file '/etc/yum.repos.d/redhat.repo'? y
p-infra-katello.ks.net 10:48:46 ~ # subscription-manager refresh
11 local certificates have been deleted.
All local data refreshed
p-infra-katello.ks.net 10:48:54 ~ # grep -A10 Foreman_Foreman-1_15-plugins /etc/yum.repos.d/redhat.repo 
[KS_Foreman_Foreman-1_15-plugins]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/411958510145065593696.pem
baseurl = https://p-infra-katello.ks.net/pulp/repos/KS/Library/custom/Foreman/Foreman-1_15-plugins
sslverify = 1
name = Foreman-1_15-plugins
sslclientkey = /etc/pki/entitlement/411958510106155593696-key.pem
gpgkey = https://p-infra-katello.ks.net/katello/api/repositories/105/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

#11 Updated by Bryan Kearney 11 months ago

  • Bugzilla link set to 1537555

#12 Updated by jost rakovec 4 months ago

There is still the same issue in katello 3.11 version (foreman 1.21.1). It configures gpgcheck = 1 even if I disable gpg check, and why don't you sign rpm packages for client from https://yum.theforeman.org/client/1.21/el7/$basearch ?

For example:

# yum install katello-host-tools
....
...
Package katello-host-tools-3.4.2-1.el7.noarch.rpm is not signed
# cat /etc/yum.repos.d/redhat.repo

[snt_foreman_client_rhel_7_foreman_client_rhel_7]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/7543051306001336526.pem
baseurl = https://foreman.test.local/pulp/repos/snt/test/rhel7-servers/custom/foreman_client_rhel_7/foreman_client_rhel_7
sslverify = 1
name = foreman_client_rhel 7
sslclientkey = /etc/pki/entitlement/7543051306001336526-key.pem
gpgkey = https://foreman.test.local/katello/api/v2/repositories/13/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1 -----> I disable gpg check!!

#13 Updated by Justin Sherrill 12 days ago

  • Is duplicate of Bug #26443: changing gpg key on a repository has no effect added

#14 Updated by Justin Sherrill 12 days ago

  • Status changed from New to Resolved
