Feature #4110
closed
expose candlepin option to ignore signature checking on manifest, to enable quick automated tests with tiny content
Description
can turn on this option by adding `?force=SIGNATURE_CONFLICT` to the candlepin import URL - allow bypassing of signature check to allow non-redhat manifests for testing.
Could either add this as an option in `katello.yml` and/or installer option. Or even a UI option on the manifest import page.
Until this is added we cannot test with @Ivan Necas fake content anymore, katello no longer accepts these manifests because they aren't signed with the Red Hat cert.
Created: weissjeffm on February 19, 2013 15:13 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/1619
Comment 1
Yeah recent Candlepin blows up our import cli smoke tests. +1
Created: lzap on March 13, 2013 14:13 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/14843225
Comment 2
@Lukas Zapletal ping?
Created: omaciel on March 20, 2013 14:00 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/15177093
Comment 3
reassigning to @Ivan Necas
Created: mccun934 on April 10, 2013 14:52 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/16179087
Comment 4
@Mike McCune @Ivan Necas I last heard this was supposed to be in the last sprint, but doesn't look like it made it. This sprint then?
Created: weissjeffm on June 11, 2013 19:30 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19286502
Comment 5
Oh sorry the issue got totally lost in my PR folder...
Created: lzap on June 12, 2013 08:43 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19313073
Comment 6
Does that mean it's fixed on your local repo?
Created: weissjeffm on June 13, 2013 12:21 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19388037
Comment 7
Well my manifests were copies of @Ivan Necas and @Tomáš Strachota - I only made the version 1 of the repo and guys extended it with more features. Tomáš, do you still have the generator you wrote?
Created: lzap on June 25, 2013 16:41 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19989780
Comment 8
Hmm this is what we have https://www.redhat.com/archives/katello-devel/2012-January/msg00037.html
I don't know where the repo generator is after git repos split. Lemme ask on the list for you - you can use it to generate what you need, there is no need to depend on us.
Created: lzap on June 25, 2013 16:54 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19990673
Comment 9
Ok it's here but I don't see anything to create manifests here. I am sorry, I am not able to help. Not sure how to create those.
https://github.com/Katello/katello-misc/tree/master/scripts/test/repo_generation
Created: lzap on June 25, 2013 17:07 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19991552
Comment 10
@Lukas Zapletal I'm not sure what you are referring to. This issue is to turn off manifest signature checking in katello. I already have a way to generate manifests. I just (programmatically) unzip them, change the id and zip them back up.
Are you saying you need manifests with signatures that don't verify to test your change with? I can provide that if necessary.
Created: weissjeffm on June 25, 2013 17:27 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/19992772
Comment 11
Oh I apologize then. Disregard all my comments.
Created: lzap on June 26, 2013 08:26 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20033209
Comment 12
I was able to add signature to the fake manifest and make candlepin to use the cert for the signature, so this will be no problem, I sign the fake manifests in cli-tests and distribute the ca cert in katello-system-tests rpm (it's not possible to turn off the signature verification)
We have thought yet another problem:
Subscription manifest import for provider 'Red Hat' failed
Reason: Runtime Error null at org.candlepin.sync.Importer.importConsumer:518
It seems like our fake manifests are too old, I will need to regenerate them with the latest candlepin.
Created: iNecas on July 02, 2013 10:11 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20337374
Comment 13
@Ivan Necas when you say 'make candlepin to use the cert for the signature', what exactly did you have to do? Did it require restarting katello? Or just candlepin? Or no restart at all, just placing the cert?
Created: weissjeffm on July 02, 2013 12:10 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20342006
Comment 14
@weissjeffm it required putting the cert into /etc/candlepin/certs/upstream and restarting tomcat6
Created: iNecas on July 02, 2013 13:33 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20345491
Comment 15
the script for signing fake manifests used is here
https://github.com/Katello/katello-misc/pull/12 (cert and fake private key included)
here are the signed manifests + package katello-cli-tests-fakecert, that deploys the fake cert to candlepin of tested machine:
https://github.com/Katello/katello-cli/pull/46
and here is adding the package into comps
<inecas> https://github.com/Katello/katello/pull/2574
Created: iNecas on July 02, 2013 16:23 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20357144
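Added example, not part of the thread and not the signing script from katello-misc: it shows why a manifest that was edited after signing stops verifying, and how re-signing with a test key whose cert the importer trusts restores verification without switching the check off. The detached SHA-256/RSA signature, the file names and the payload are assumptions constructed for illustration; it needs only the `openssl` CLI.

```shell
#!/bin/sh
# Illustration only: layout and names are assumed, not Candlepin's own code.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway signing key and self-signed cert (stands in for the test "fake cert").
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-test-ca" \
    -keyout "$work/test-ca.key" -out "$work/test-ca.crt" 2>/dev/null
}

# Detached signature over the payload. $1 = payload, $2 = signature file.
sign_payload() {
  openssl dgst -sha256 -sign "$work/test-ca.key" -out "$2" "$1"
}

# Verify with the public key of a trusted cert. $1 = payload, $2 = sig, $3 = cert.
verify_payload() {
  openssl x509 -in "$3" -pubkey -noout > "$work/pub.pem"
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$2" "$1" \
    >/dev/null 2>&1
}

# Prints three results: freshly signed, edited without re-signing, re-signed.
run_demo() {
  make_test_ca
  p="$work/payload"; s="$work/signature"; c="$work/test-ca.crt"
  printf '{"uuid":"constructed-id-1"}\n' > "$p"   # constructed sample payload
  sign_payload "$p" "$s"
  verify_payload "$p" "$s" "$c" && r1=ok || r1=fail
  # Changing the id after signing invalidates the old signature.
  printf '{"uuid":"constructed-id-2"}\n' > "$p"
  verify_payload "$p" "$s" "$c" && r2=ok || r2=fail
  # Re-signing with the test key makes the edited payload verify again.
  sign_payload "$p" "$s"
  verify_payload "$p" "$s" "$c" && r3=ok || r3=fail
  echo "$r1 $r2 $r3"
}

run_demo
```

The test key belongs only on test machines: any host that trusts its cert will accept every manifest signed with it.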
Comment 16
Big warning - do not use old manifests, only use those generated after
MDP1 release which is safe. I ran into strange issues when I was turning
on repos - it totally (silently) ruins Candlepin.
LZ
On Tue, Jul 02, 2013 at 03:11:15AM -0700, Ivan Necas wrote:
I was able to add signature to the fake manifest and make candlepin to use the cert for the signature, so this will be no problem, I sign the fake manifests in cli-tests and distribute the ca cert in katello-system-tests rpm (it's not possible to turn off the signature verification)
We have thought yet another problem:
Subscription manifest import for provider 'Red Hat' failed
Reason: Runtime Error null at org.candlepin.sync.Importer.importConsumer:518
It seems like our fake manifests are too old, I will need to regenerate them with the latest candlepin.
--
Later,
Lukas "lzap" Zapletal
irc: lzap #theforeman
Created: lzap on July 03, 2013 08:07 +00:00
Imported from https://api.github.com/repos/Katello/katello/issues/comments/20401139