Project

General

Profile

Bug #24417

cannot install packages without disabling gpg check

Added by Hart Mel about 2 months ago. Updated 22 days ago.

Status:
Resolved
Priority:
Normal
Category:
RPMs
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

On katello 3.8RC1, the command "yum install katello" fails because at least one package (tfm-rubygem-angular-rails-templates-1.0.2-2.el7.noarch.rpm) is not signed.

History

#1 Updated by Hart Mel about 2 months ago

This package comes from foreman-plugins repo. After disabling gpgcheck in yum configuration, it installed.

#2 Updated by Jonathon Turel about 2 months ago

  • Triaged changed from No to Yes
  • Assignee set to Jonathon Turel

I don't think that RC builds are supposed to be doing gpg verification. I'll see if we need to make sure that is corrected by RC2!

#3 Updated by Jonathon Turel about 2 months ago

Hart,

I think this issue might be fixed by the following pull request: https://github.com/theforeman/foreman-packaging/pull/2819. Will you try running the installer again?

#4 Updated by Hart Mel about 2 months ago

This time it fails on

Package tfm-rubygem-foreman_ansible_core-2.1.0-1.fm1_19.el7.noarch.rpm is not signed

#5 Updated by Hart Mel about 2 months ago

I think this is a list of unsigned packages, it comes from changes applied by yum update, so maybe some other are not signed too

[root@foreman01 ~]# while read line; do rpm --checksig $line; done < <(find /var/cache/ -name "*rpm")  | grep -v pgp
/var/cache/yum/x86_64/7/foreman-plugins/packages/rubygem-smart_proxy_ansible-2.0.3-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-bastion-6.1.11-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman-tasks-0.13.3-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman_ansible_core-2.1.0-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman_discovery-12.0.2-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman_remote_execution-1.5.4-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman_remote_execution_core-1.1.3-1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-foreman_templates-6.0.3-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/foreman-plugins/packages/tfm-rubygem-hammer_cli_foreman_remote_execution-0.1.0-1.fm1_19.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/foreman-installer-katello-3.8.0-0.1.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/katello-3.8.0-4.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/katello-common-3.8.0-4.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/katello-debug-3.8.0-4.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/katello-installer-base-3.8.0-0.1.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/katello-service-3.8.0-4.rc1.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/tfm-rubygem-hammer_cli_katello-0.14.0-1.201807171333git54e9f0b.el7.noarch.rpm: sha1 md5 OK
/var/cache/yum/x86_64/7/katello/packages/tfm-rubygem-katello-3.8.0-0.1.rc1.el7.noarch.rpm: sha1 md5 OK

#6 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

Plugins are unsigned by design and we're not going to sign those. I do think the Katello packages are supposed to be signed. At least in Foreman we already sign the RCs so we can test that process.

#7 Updated by Hart Mel about 2 months ago

Should the plugin repository configuration file have gpg check disabled by default ?

[foreman-plugins]
name=Foreman plugins 1.19
baseurl=https://yum.theforeman.org/plugins/1.19/el7/$basearch
enabled=1
gpgcheck=1

#8 Updated by Hart Mel about 2 months ago

kattelo and katello-candlepin have gpgcheck disabled, yum update didn't complain about these packages.

#9 Updated by Jonathon Turel about 2 months ago

Hart Mel wrote:

Should the plugin repository configuration file have gpg check disabled by default ?
[...]

Yes, it won't properly be fixed until RC2 out - but there is the workaround as you've discovered. Ewoud created the fix1 but it's not released yet (that'll be RC2).

[1] https://github.com/theforeman/foreman-packaging/pull/2819

#10 Updated by Jonathon Turel about 2 months ago

  • Subject changed from cannot install katello packages without disabling gpg check to cannot install packages without disabling gpg check
  • Project changed from Katello to Packaging

Going to close this as a fix has been identified. Thanks for letting us know about it!

#11 Updated by Jonathon Turel about 2 months ago

  • Found in Releases added
  • Found in Releases deleted (Katello 3.8.0)

#12 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Target version set to 868
  • Assignee changed from Jonathon Turel to Ewoud Kohl van Wijngaarden
  • Category set to RPMs
  • Fixed in Releases added

#13 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Status changed from New to Resolved

#14 Updated by Ewoud Kohl van Wijngaarden 22 days ago

  • Target version changed from 868 to 1.19.0
  • Found in Releases 1.19.0 added
  • Found in Releases deleted ()
  • Fixed in Releases 1.19.0 added
  • Fixed in Releases deleted ()

Also available in: Atom PDF