Bug #15087

closed

gpgcheck is set to 1 even if repo has no gpgkey configured

Added by Dylan Baars over 8 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Category: Subscriptions
Target version:
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Hi all,

I've recently added the katello agent 3.0 repo to my katello 3.0rc4 instance, synced it, and am attempting to update packages on some test hosts. The repo is configured with a GPG key per the one downloaded via:
https://fedorapeople.org/groups/katello/releases/yum/3.0/client/el7/x86_64/katello-client-repos-latest.rpm

However, if I try to update a system (having added the new repo to a content view and published a new version etc.) I get:

Downloading packages:
warning: /var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY
Retrieving key from https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

The GPG keys listed for the "Katello Agent 3.0 x86_64" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: python-pulp-agent-lib-2.8.0-1.el7.noarch
GPG Keys are configured as: https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

If I remove the GPG key in the Katello GUI from the product and the repo, a 'yum update' fails with this message:

Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not installed

Even though the repo in Katello is configured with no GPG key, gpgcheck is still set to 1 on the client (/etc/yum.repos.d/redhat.repo) -

[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6166028268832642654.pem
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
sslverify = 1
name = Katello Agent 3.0 x86_64
sslclientkey = /etc/pki/entitlement/6166028268832642654-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

I guess there are two things here:
1. Why is Katello still setting gpgcheck = 1 if there is no gpgkey configured? I was able to find a bug report for RH Satellite 6 (https://bugzilla.redhat.com/show_bug.cgi?id=803428) from 2012, but it is closed as fixed.......
2. The katello client packages don't seem to be signed? Certainly, the katello-client-repos-latest.rpm package's "katello-client.repo" has gpgcheck=0 - I wonder why?
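
The mismatch described in this report can be checked for on a client by parsing the generated repo file. The following is an added example, not part of the original report or of Katello/subscription-manager code; the function name `audit_repo_text`, the sample stanzas and the `katello.example.test` hostname are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the redhat.repo stanzas quoted in this report;
# repo IDs, hostname and paths are placeholders, not values from a real system.
SAMPLE_REDHAT_REPO = """\
[Example_Katello_Agent_3_0_x86_64]
name = Katello Agent 3.0 x86_64
baseurl = https://katello.example.test/pulp/repos/Example/custom/Katello_Agent
enabled = 1
gpgcheck = 1

[Example_Foreman_plugins]
baseurl = https://katello.example.test/pulp/repos/Example/custom/Foreman
gpgkey = https://katello.example.test/katello/api/repositories/105/gpg_key_content
enabled = 1
gpgcheck = 1

[Example_Client_Tools]
baseurl = https://katello.example.test/pulp/repos/Example/custom/Client
enabled = 1
gpgcheck = 0
"""

TRUE_VALUES = {"1", "true", "yes"}  # boolean spellings yum accepts as "on"

def audit_repo_text(text):
    """Return {repo_id: finding} for every enabled stanza of a yum .repo file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # disabled repos are never used for installs; skip them
        raw = repo.get("gpgcheck")
        has_key = bool(repo.get("gpgkey", "").strip())
        if raw is None:
            findings[repo_id] = "gpgcheck unset: inherited from [main] in yum.conf"
        elif raw.strip().lower() not in TRUE_VALUES:
            findings[repo_id] = "gpgcheck off: package signatures are not verified"
        elif not has_key:
            findings[repo_id] = "gpgcheck on, no gpgkey: yum has no key URL for this repo"
        else:
            findings[repo_id] = "ok"
    return findings

if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE_REDHAT_REPO).items():
        print(f"{repo_id}: {finding}")
```

On a real client, pass the contents of /etc/yum.repos.d/redhat.repo to `audit_repo_text` instead of the sample string.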


Related issues: 1 (0 open, 1 closed)

Is duplicate of Katello - Bug #26443: changing gpg key on a repository has no effect (Closed, Justin Sherrill)
Actions #1

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 86 to 144
Actions #2

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 144 to 168
Actions #3

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 168 to 171
Actions #4

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release deleted (171)
Actions #5

Updated by Justin Sherrill over 8 years ago

If I remember correctly, this is due partially to an issue with subscription-manager.

It sees the local value of gpgcheck=1 and thinks it's a local modification, so it does not override it. Deleting the redhat.repo file and re-running yum update or install seems to correct it.

Actions #6

Updated by Justin Sherrill over 8 years ago

  • Category set to Subscriptions
  • Assignee set to Justin Sherrill
Actions #7

Updated by Eric Helms over 8 years ago

  • Status changed from New to Assigned
Actions #8

Updated by Eric Helms almost 8 years ago

  • Status changed from Assigned to New
  • Translation missing: en.field_release set to 114
Actions #9

Updated by Joel Golden over 7 years ago

I am still experiencing this. I have republished a new content version without the repo, refreshed the redhat.repo to confirm it removed the repo, deleted the repo, then added it again to the product, published a new version, and gpgcheck = 1 instead of 0.

katello-agent-3.0.0.3.el7
katello-3.4.4.-2.el7
katello-repos-3.4.0-3.el7
foreman-1.15.3-1.el7

Actions #10

Updated by Anthony Chevalet over 7 years ago

I have noticed the same, even if I delete the redhat.repo it is recreated with gpgcheck=1 (no key is attached to the product or the repo)

p-infra-katello.ks.net 10:47:19 ~ # rpm -q foreman katello
foreman-1.15.4-1.el7.noarch
katello-3.4.5-1.el7.noarch
p-infra-katello.ks.net 10:48:31 ~ # hammer repository info --product Foreman --name Foreman-1_15-plugins
ID:                 105
Name:               Foreman-1_15-plugins
Label:              Foreman-1_15-plugins
Red Hat Repository: no
Content Type:       yum
Checksum Type:      sha256
Mirror on Sync:     yes
URL:                http://yum.theforeman.org/plugins/1.15/el7/x86_64/
Publish Via HTTP:   yes
Published At:       http://p-infra-katello.ks.net/pulp/repos/KS/Library/custom/Foreman/Foreman-1_15-plugins/
Relative Path:      KS/Library/custom/Foreman/Foreman-1_15-plugins
Download Policy:    immediate
Product:            
    ID:   69
    Name: Foreman
GPG Key:            

Sync:               
    Status:
Created:            2017/07/27 14:57:05
Updated:            2017/09/16 13:36:42
Content Counts:     
    Packages:       355
    Package Groups: 0
    Errata:         0

p-infra-katello.ks.net 10:48:38 ~ # rm /etc/yum.repos.d/redhat.repo 
rm: remove regular file '/etc/yum.repos.d/redhat.repo'? y
p-infra-katello.ks.net 10:48:46 ~ # subscription-manager refresh
11 local certificates have been deleted.
All local data refreshed
p-infra-katello.ks.net 10:48:54 ~ # grep -A10 Foreman_Foreman-1_15-plugins /etc/yum.repos.d/redhat.repo 
[KS_Foreman_Foreman-1_15-plugins]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/411958510145065593696.pem
baseurl = https://p-infra-katello.ks.net/pulp/repos/KS/Library/custom/Foreman/Foreman-1_15-plugins
sslverify = 1
name = Foreman-1_15-plugins
sslclientkey = /etc/pki/entitlement/411958510106155593696-key.pem
gpgkey = https://p-infra-katello.ks.net/katello/api/repositories/105/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

Actions #11

Updated by Bryan Kearney over 6 years ago

  • Bugzilla link set to 1537555
Actions #12

Updated by jost rakovec almost 6 years ago

There is still the same issue in katello 3.11 version (foreman 1.21.1). It configures gpgcheck = 1 even if I disable gpg check. And why don't you sign the rpm packages for the client from https://yum.theforeman.org/client/1.21/el7/$basearch ?

for example:

# yum install katello-host-tools
....
...
Package katello-host-tools-3.4.2-1.el7.noarch.rpm is not signed
# cat /etc/yum.repos.d/redhat.repo

[snt_foreman_client_rhel_7_foreman_client_rhel_7]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/7543051306001336526.pem
baseurl = https://foreman.test.local/pulp/repos/snt/test/rhel7-servers/custom/foreman_client_rhel_7/foreman_client_rhel_7
sslverify = 1
name = foreman_client_rhel 7
sslclientkey = /etc/pki/entitlement/7543051306001336526-key.pem
gpgkey = https://foreman.test.local/katello/api/v2/repositories/13/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1 -----> I disable gpg check!!

Actions #13

Updated by Justin Sherrill over 5 years ago

  • Is duplicate of Bug #26443: changing gpg key on a repository has no effect added
Actions #14

Updated by Justin Sherrill over 5 years ago

  • Status changed from New to Resolved