Bug #15087

gpgcheck is set to 1 even if repo has no gpgkey configured

Added by Dylan Baars about 4 years ago. Updated 10 months ago.



Hi all,

I've recently added the katello agent 3.0 repo to my katello 3.0rc4 instance, synced it, and am attempting to update packages on some test hosts. The repo is configured with a GPG key per the one downloaded via:

However, if I try and update a system (having added the new repo to a content view and published a new version etc) I get

Downloading packages:
warning: /var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY
Retrieving key from https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

The GPG keys listed for the "Katello Agent 3.0 x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: python-pulp-agent-lib-2.8.0-1.el7.noarch
GPG Keys are configured as: https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

If I remove the GPG key in the Katello GUI from the product and the repo, a 'yum update' fails with this message:

Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not installed

Even though the repo in Katello is configured with no GPG key, gpgcheck is still set to 1 on the client (/etc/yum.repos.d/redhat.repo) -

metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6166028268832642654.pem
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
sslverify = 1
name = Katello Agent 3.0 x86_64
sslclientkey = /etc/pki/entitlement/6166028268832642654-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

I guess there are two things here:
1. Why is Katello still setting gpgcheck = 1 if there is no gpgkey configured? I was able to find a bug report for RH Satellite 6 ( from 2012, but it is closed as fixed.......
2. The katello client packages don't seem to be signed? Certainly, the katello-client-repos-latest.rpm package's "katello-client.repo" has gpgcheck=0 - I wonder why?

Related issues

Is duplicate of Katello - Bug #26443: changing gpg key on a repository has no effect (Closed)


#1 Updated by Eric Helms about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 144

#2 Updated by Eric Helms almost 4 years ago

  • Legacy Backlogs Release (now unused) changed from 144 to 168

#3 Updated by Eric Helms almost 4 years ago

  • Legacy Backlogs Release (now unused) changed from 168 to 171

#4 Updated by Eric Helms almost 4 years ago

  • Legacy Backlogs Release (now unused) deleted (171)

#5 Updated by Justin Sherrill almost 4 years ago

If I remember correctly, this is due partially to an issue with subscription-manager.

It sees the local value of gpgcheck=1 and thinks it's a local modification, so it does not override it. Deleting the redhat.repo file and re-running yum update or install seems to correct it.

#6 Updated by Justin Sherrill almost 4 years ago

  • Category set to Subscriptions
  • Assignee set to Justin Sherrill

#7 Updated by Eric Helms over 3 years ago

  • Status changed from New to Assigned

#8 Updated by Eric Helms over 3 years ago

  • Status changed from Assigned to New
  • Legacy Backlogs Release (now unused) set to 114

#9 Updated by Joel Golden over 2 years ago

I am still experiencing this. I have republished a new content version without the repo, refreshed the redhat.repo to confirm it removed the repo, deleted the repo, then added it again to the product, published a new version, and gpgcheck = 1 instead of 0.


#10 Updated by Anthony Chevalet over 2 years ago

I have noticed the same, even if I delete the redhat.repo it is recreated with gpgcheck=1 (no key is attached to the product or the repo)

10:47:19 ~ # rpm -q foreman katello
katello-3.4.5-1.el7.noarch

10:48:31 ~ # hammer repository info --product Foreman --name Foreman-1_15-plugins
ID:                 105
Name:               Foreman-1_15-plugins
Label:              Foreman-1_15-plugins
Red Hat Repository: no
Content Type:       yum
Checksum Type:      sha256
Mirror on Sync:     yes
Publish Via HTTP:   yes
Published At:
Relative Path:      KS/Library/custom/Foreman/Foreman-1_15-plugins
Download Policy:    immediate
    ID:   69
    Name: Foreman
GPG Key:            

Created:            2017/07/27 14:57:05
Updated:            2017/09/16 13:36:42
Content Counts:     
    Packages:       355
    Package Groups: 0
    Errata:         0

10:48:38 ~ # rm /etc/yum.repos.d/redhat.repo
rm: remove regular file '/etc/yum.repos.d/redhat.repo'? y

10:48:46 ~ # subscription-manager refresh
11 local certificates have been deleted.
All local data refreshed

10:48:54 ~ # grep -A10 Foreman_Foreman-1_15-plugins /etc/yum.repos.d/redhat.repo
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/411958510145065593696.pem
baseurl =
sslverify = 1
name = Foreman-1_15-plugins
sslclientkey = /etc/pki/entitlement/411958510106155593696-key.pem
gpgkey =
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

#11 Updated by Bryan Kearney over 1 year ago

  • Bugzilla link set to 1537555

#12 Updated by jost rakovec about 1 year ago

There is still the same issue in katello 3.11 version (foreman 1.21.1). It configures gpgcheck = 1 even if I disable the gpg check. And why don't you sign rpm packages for client from :$basearch ?

for example:

  1. yum install katello-host-tools
    Package katello-host-tools-3.4.2-1.el7.noarch.rpm is not signed
  2. cat /etc/yum.repos.d/redhat.repo

metadata_expire = 1
sslclientcert = /etc/pki/entitlement/7543051306001336526.pem
baseurl = https://foreman.test.local/pulp/repos/snt/test/rhel7-servers/custom/foreman_client_rhel_7/foreman_client_rhel_7
sslverify = 1
name = foreman_client_rhel 7
sslclientkey = /etc/pki/entitlement/7543051306001336526-key.pem
gpgkey = https://foreman.test.local/katello/api/v2/repositories/13/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1 -----> I disable gpg check!!

#13 Updated by Justin Sherrill 10 months ago

  • Is duplicate of Bug #26443: changing gpg key on a repository has no effect added

#14 Updated by Justin Sherrill 10 months ago

  • Status changed from New to Resolved
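
An added example, not part of the original thread and not Katello or subscription-manager code: a small audit of a redhat.repo-style file that flags the state reported in this bug (gpgcheck enabled with no gpgkey) as well as repos where signature checking is off. The section names, hostnames and stanzas in the sample are constructed for the example.

```python
import configparser

# Constructed sample modelled on the stanzas posted in this thread;
# section names and hostnames are made up for the example.
SAMPLE_REPO = """\
[Example_Agent]
baseurl = https://katello.example.test/pulp/repos/Example/agent
enabled = 1
gpgcheck = 1

[Example_Plugins]
baseurl = https://katello.example.test/pulp/repos/Example/plugins
enabled = 1
gpgkey =
gpgcheck = 1

[Example_Client]
baseurl = https://katello.example.test/pulp/repos/Example/client
gpgkey = https://katello.example.test/katello/api/v2/repositories/13/gpg_key_content
gpgcheck = 1

[Example_Unsigned]
baseurl = https://katello.example.test/pulp/repos/Example/unsigned
gpgcheck = 0
"""

TRUE_VALUES = {"1", "true", "yes"}

def audit_repo_text(text):
    """Return {section: finding} for enabled repos whose GPG settings need review."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        repo = parser[section]
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repos are never installed from
        gpgcheck = repo.get("gpgcheck", "").strip().lower()
        gpgkey = repo.get("gpgkey", "").strip()
        if gpgcheck in TRUE_VALUES and not gpgkey:
            findings[section] = "gpgcheck on, no gpgkey"
        elif gpgcheck not in TRUE_VALUES:
            # An absent gpgcheck inherits the [main] setting in yum.conf.
            findings[section] = "gpgcheck off or unset"
    return findings

if __name__ == "__main__":
    for name, finding in audit_repo_text(SAMPLE_REPO).items():
        print(f"{name}: {finding}")
```

Running it against a copy of /etc/yum.repos.d/redhat.repo before and after a `subscription-manager refresh` shows whether the client-side values actually changed.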
