Bug 1531780

Summary: [RFE] Add ability for pulp to gpg sign repository metadata]
Product: Red Hat Satellite Reporter: Jason Dickerson <jdickers>
Component: RepositoriesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.12CC: bmbouter, daviddavis, dgross, dkliban, ggainey, ipanova, kenyon, lhellebr, mhrivnak, mmccune, patalber, pcreech, rchan, redhatbugs, ttereshc
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-06 20:48:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Dickerson 2018-01-05 22:01:38 UTC 
1. Proposed title of this feature request

 RFE:  Add ability for pulp to gpg sign repository metadata
 
2. What is the nature and description of the request?

 If you include a gpg key with a repository in Satellite, some package manager plugins not only check gpg signatures on the rpms, but also on the repository metadata.  Satellite does not currently 
support gpg signing of the repository metadata, and such package managers encounter errors and fail.  

3. Why does the customer need this? (List the business requirements here)

 Customer has environments that use an alternate package manager which behaves in this fashion.  Currently the only work around is to disable all gpg checking of packages and repository metadata.  
 

4. How would the customer like to achieve this? (List the functional requirements here)

 This feature is already in upstream pulp.   

5. For each functional requirement listed in question 5, specify how Red Hat

and the customer can test to confirm the requirement is successfully implemented.

 Once Satellite includes this feature, the customer will put the key back into the repository configuration, and ensure pulp is generating the appripriate repository metadata signing information.  
 

6. Is there already an existing RFE upstream or in Red Hat bugzilla?

 The gpg_sign_metadata option found on https://github.com/pulp/pulp_rpm/blob/cbb26f622cc870a70c11add9adbb92ebe0165ba8/docs/tech-reference/yum-plugins.rst

 This also seems to correlate with https://pulp.plan.io/issues/3055

7. Does the customer have any specific timeline dependencies?

 This is impacting part of their environment and while they understand this is new functionality, they would appreciate it as soon as possible.  

8. Is the sales team involved in this request and do they have any additional input?

 The TAM and SA are aware of the issue.

9. List any affected packages or components.

 pulp plugin for yum repositories

10. Would the customer be able to assist in testing this functionality if implemented?

 Absolutely!
Comment 2 pulp-infra@redhat.com 2018-01-08 14:32:05 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 3 pulp-infra@redhat.com 2018-01-08 14:32:07 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com 2018-01-08 15:01:49 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 6 pulp-infra@redhat.com 2018-01-17 21:32:07 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 8 Lukáš Hellebrandt 2018-09-19 14:01:27 UTC 
I can't get this to work. It is possible that I am doing something wrong, but I am using the instructions from https://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/yum-plugins.html . When I set gpg_sign_metadata to true, the metadata is still not signed.

1) Create "/etc/pulp/server/plugins.conf.d/yum_distributor.json", enter "{ "gpg_sign_metadata": true }"
2) # katello-service restart
3) publish the repo to a content view, with "Force Yum Metadata Regeneration" checked, promote it
4) # find / -name repomd.xml.asc   -> doesn't find anything
5) # yum install -y <package_in_repo>
[...]

https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article 

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.

Default_Organization_test_test                                           | 2.1 kB  00:00:00     

[...]

failure: repodata/repomd.xml.asc from Default_Organization_test_test: [Errno 256] No more mirrors to try.
https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Uploading Enabled Repositories Report
Loaded plugins: product-id, subscription-manager
Comment 9 pulp-infra@redhat.com 2018-09-19 14:04:38 UTC 
Requesting needsinfo from upstream developer dkliban, ttereshc because the 'FailedQA' flag is set.
Comment 10 pulp-infra@redhat.com 2018-09-19 15:05:55 UTC 
Requesting needsinfo from upstream developer daviddavis because the 'FailedQA' flag is set.
Comment 11 Dennis Kliban 2018-09-20 15:45:10 UTC 
You need to also set the 'gpgkey' on the distributor. Full docs: https://docs.pulpproject.org/en/2.16/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-of-repository-metadata
Comment 12 Lukáš Hellebrandt 2018-09-21 14:28:15 UTC 
After Discussion with Dennis, failing this again because:

1) The feature is not documented in downstream at all.

2) The feature is not integrated well with the Satellite - it requires some manual configuration in config files.

3) I wasn't able to use the feature at all. Dennis thinks it's because wrong SELinux rules for GPG keys in /home/apache/.gnupg and is going to report it.
Comment 14 pulp-infra@redhat.com 2018-09-21 14:32:45 UTC 
Requesting needsinfo from upstream developer dkliban, ttereshc, daviddavis because the 'FailedQA' flag is set.
Comment 17 pulp-infra@redhat.com 2018-09-21 17:33:18 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 18 Paul Donohue 2018-09-26 20:38:08 UTC 
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1410638

Comments 29 and 30 in that bug list additional unreleased changes which are required to effectively use this feature and to integrate this feature with Satellite.
Comment 19 Mike McCune 2018-10-31 15:57:07 UTC 
We are going to handle this in https://bugzilla.redhat.com/show_bug.cgi?id=1410638

The pulp backend changes will land in 6.5 but the full support for this RFE will be handled and tracked in 1410638.
Comment 20 Brad Buckingham 2018-10-31 17:07:15 UTC 
Based upon comment 19, I'll move this to ON_DEV since the pulp changes are in.  It should be noted that katello integration work will be done as part of bug 1410638 and planned for a future release.
Comment 21 Brad Buckingham 2018-11-06 20:48:59 UTC 
Closing this one as a duplicate of older bug 1410638.  That bugzilla references this one and also indicates that it is a duplicate.

*** This bug has been marked as a duplicate of bug 1410638 ***