Bug 741293
Summary: | gpgkey field of repo files incorrect (on rhsm client machines) | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Jeff Weiss <jweiss> |
Component: | subscription-manager | Assignee: | Bryan Kearney <bkearney> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 5.7 | CC: | bkearney, dajohnso, jsefler |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | 5.8 | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | subscription-manager-0.97.1-1.git.45.588a2a6.el6.x86_64 |
Last Closed: | 2012-12-10 21:42:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 715031, 771748 | | |

Description
Jeff Weiss
2011-09-26 14:11:29 UTC
this is an issue with subscription-manager. could you file it rhsm guys pls.?

Please do not mark bugs ON_QA or MODIFIED unless there is a commit that fixes the bug.

No, the issue is broader than that - yum fails because of missing gpg keys. I have no idea where the key is supposed to be, but it's certainly not in the location pointed to by the repo file produced by RHSM. I am not sure whether work needs to be done on katello or RHSM or both to get this link to work.

I'm not sure what the fix was, it appears that the gpgkey entry was simply removed from the repo file. I don't think that is not the correct solution - these packages are signed, the key needs to be there. I added the EPEL repo to katello and tried to install a package from it, I get

```
Public key for p7zip-9.20.1-2.el6.x86_64.rpm is not installed
```

I am not sure how we intend to handle these keys (will it be automatic or will we expect end users to import the keys via their own trusted mechanism?). We should figure this out before we close this bug. I would have expected the katello/pulp/cp stack to know where the key is and push that info to RHSM.

Looking back at the fix: If the gpg key is provided by katello, then it will show up in the yum repo file. if what is provided is a relative path, then it will be prepended with the baseurl from rhsm.conf. I would suggest retesting with custom products with no gpg keys, and with redhat content.

-- bk

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Verifying version...

Katello Version: 1.2.1-1.git.2.10b2e82.el6_3

```
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm
subscription-manager-1.0.23-1.el5
python-rhsm-1.0.10-1.el5
```

Working with jweiss, two subscriptions were setup on the katello server:

1. containing content without a gpgkey
2. containing content requiring a gpgkey

After subscribing...

```
[root@jsefler-rhel59 ~]# grep baseurl /etc/rhsm/rhsm.conf
baseurl=https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos
[root@jsefler-rhel59 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#

[ACME_Corporation_safari-1_0-1023-141300-229_safari-x86_64-1023-141300-229]
name = safari-x86_64-1023-141300-229
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/safari-1_0-1023-141300-229/safari-x86_64-1023-141300-229
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8348727650157286836-key.pem
sslclientcert = /etc/pki/entitlement/8348727650157286836.pem

[ACME_Corporation_Extra_Packages_epel-x86_64]
name = epel-x86_64
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/Extra_Packages/epel-x86_64
enabled = 1
gpgcheck = 1
gpgkey = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/katello/api/repositories/37/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8975838015483720818-key.pem
sslclientcert = /etc/pki/entitlement/8975838015483720818.pem
[root@jsefler-rhel59 ~]#
```

For case 1: notice above that repo ACME_Corporation_safari-1_0-1023-141300-229_safari-x86_64-1023-141300-229 has no gpgkey entry and gpgcheck=0
VERIFIED

For case 2: notice above that repo ACME_Corporation_Extra_Packages_epel-x86_64 has a gpgkey (not prepended with baseurl) and gpgcheck=1 as stated in comment 15. Moreover using wget on the gpgkey listed in the repo actually retrieves the gpgkey.

Moving to VERIFIED

Bug clean up, these are in the current release.
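
The two verification cases above, plus the relative-path rule from the fix comment, can be checked mechanically on a client. The following is an added example, not subscription-manager code and not part of the bug thread: it parses a redhat.repo-style file, resolves each gpgkey the way the fix comment describes, and flags repos whose signature settings leave packages unverified or unverifiable. The host name, repo ids, key path and the exact URL join rule are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample shaped like the redhat.repo above; host, ids and paths are placeholders.
RHSM_BASEURL = "https://cdn.example.test/pulp/repos"
SAMPLE_REPO = """\
[unsigned_custom]
gpgcheck = 0
[signed_absolute]
gpgcheck = 1
gpgkey = https://cdn.example.test/katello/api/repositories/1/gpg_key_content
[signed_relative]
gpgcheck = 1
gpgkey = /keys/RPM-GPG-KEY-example
[signed_no_key]
gpgcheck = 1
"""
TRUE = {"1", "yes", "true"}  # boolean spellings yum accepts

def resolve_gpgkey(value, rhsm_baseurl):
    # Assumed join rule: absolute URLs pass through, relative paths get rhsm.conf baseurl prepended.
    if urlparse(value).scheme:
        return value
    return rhsm_baseurl.rstrip("/") + "/" + value.lstrip("/")

def audit_repo_file(text, rhsm_baseurl):
    """Map each enabled repo id to (resolved gpgkey URLs, findings)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() not in TRUE:
            continue  # disabled repos are never installed from
        keys = [resolve_gpgkey(k, rhsm_baseurl) for k in sec.get("gpgkey", "").split()]
        findings = []
        gpgcheck = sec.get("gpgcheck")
        if gpgcheck is None:
            findings.append("gpgcheck unset: inherits [main] in yum.conf")
        elif gpgcheck.strip().lower() not in TRUE:
            findings.append("gpgcheck off: package signatures are not verified")
        elif not keys:
            findings.append("gpgcheck on, no gpgkey: key must already be imported")
        report[repo] = (keys, findings)
    return report

if __name__ == "__main__":
    for repo, (keys, findings) in audit_repo_file(SAMPLE_REPO, RHSM_BASEURL).items():
        print(repo, keys, findings or ["ok"])
```

On a real client the inputs would be the contents of /etc/yum.repos.d/redhat.repo and the baseurl value from /etc/rhsm/rhsm.conf.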