Bug 741293

Summary: gpgkey field of repo files incorrect (on rhsm client machines)
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Weiss <jweiss>
Component: subscription-manager
Assignee: Bryan Kearney <bkearney>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: medium
Priority: unspecified
Version: 5.7
CC: bkearney, dajohnso, jsefler
Target Milestone: rc
Keywords: Reopened
Target Release: 5.8
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-12-10 21:42:48 UTC
Bug Blocks: 715031, 771748

Description Jeff Weiss 2011-09-26 14:11:29 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a product/repo and sync it
2. Create an env in ACME_Corporation
3. Register with RHSM 
3.5 (workaround) echo $YOURENVNAME > /etc/yum/vars/env
4. subscribe to the product

Actual results:
in /etc/yum.repos.d/redhat.repo, gpgkey = whatever you set "baseurl" to in /etc/rhsm/rhsm.conf

Expected results:
gpgkey = [something appended to the baseurl to point to an actual key]

Additional info:

Comment 1 Dmitri Dolguikh 2011-09-29 10:58:54 UTC
This is an issue with subscription-manager. Could you file it with the rhsm guys, please?

Comment 2 Jeff Weiss 2011-09-29 12:20:47 UTC
Please do not mark bugs ON_QA or MODIFIED unless there is a commit that fixes the bug.

Comment 5 Jeff Weiss 2011-09-29 15:50:28 UTC
No, the issue is broader than that - yum fails because of missing gpg keys.  I have no idea where the key is supposed to be, but it's certainly not in the location pointed to by the repo file produced by RHSM.  I am not sure whether work needs to be done on katello or RHSM or both to get this link to work.

Comment 10 Jeff Weiss 2011-10-17 14:59:56 UTC
I'm not sure what the fix was; it appears that the gpgkey entry was simply removed from the repo file.  I don't think that is the correct solution - these packages are signed, the key needs to be there.  I added the EPEL repo to katello and tried to install a package from it, and I get

Public key for p7zip-9.20.1-2.el6.x86_64.rpm is not installed

I am not sure how we intend to handle these keys (will it be automatic or will we expect end users to import the keys via their own trusted mechanism?).  We should figure this out before we close this bug.  I would have expected the katello/pulp/cp stack to know where the key is and push that info to RHSM.

Comment 15 Bryan Kearney 2011-12-14 21:28:20 UTC
Looking back at the fix:

If the gpg key is provided by katello, then it will show up in the yum repo file. If what is provided is a relative path, then it will be prepended with the baseurl from rhsm.conf.

I would suggest retesting with custom products with no gpg keys, and with redhat content.

-- bk

Comment 17 RHEL Product and Program Management 2012-09-17 14:58:51 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 19 John Sefler 2012-10-23 20:47:20 UTC
Verifying version...
Katello Version: 1.2.1-1.git.2.10b2e82.el6_3
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm

Working with jweiss, two subscriptions were set up on the katello server:
 1 containing content without a gpgkey
 2 containing content requiring a gpgkey

After subscribing...

[root@jsefler-rhel59 ~]# grep baseurl /etc/rhsm/rhsm.conf

[root@jsefler-rhel59 ~]# cat /etc/yum.repos.d/redhat.repo 
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos

name = safari-x86_64-1023-141300-229
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/safari-1_0-1023-141300-229/safari-x86_64-1023-141300-229
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8348727650157286836-key.pem
sslclientcert = /etc/pki/entitlement/8348727650157286836.pem

name = epel-x86_64
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/Extra_Packages/epel-x86_64
enabled = 1
gpgcheck = 1
gpgkey = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/katello/api/repositories/37/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8975838015483720818-key.pem
sslclientcert = /etc/pki/entitlement/8975838015483720818.pem
[root@jsefler-rhel59 ~]# 

For case 1: notice above that repo ACME_Corporation_safari-1_0-1023-141300-229_safari-x86_64-1023-141300-229 has no gpgkey entry and gpgcheck=0

For case 2: notice above that repo ACME_Corporation_Extra_Packages_epel-x86_64 has a gpgkey (not prepended with baseurl) and gpgcheck=1  as stated in comment 15.  Moreover using wget on the gpgkey listed in the repo actually retrieves the gpgkey.

Moving to VERIFIED
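
Added example (not part of the bug thread and not subscription-manager's own code): a sketch of the resolution rule described in comment 15, together with a check over a redhat.repo-style file for the conditions discussed in this bug. The function names, repo ids, hostnames and key path are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlparse

def resolve_gpgkey(rhsm_baseurl, gpg_url):
    """Comment 15's rule: relative key paths get the rhsm.conf baseurl prefix."""
    if not gpg_url:
        return None  # no key supplied: no gpgkey line is written
    if urlparse(gpg_url).scheme:
        return gpg_url  # absolute URL is used unchanged
    return rhsm_baseurl.rstrip("/") + "/" + gpg_url.lstrip("/")

def audit_repo_file(text, rhsm_baseurl):
    """Return {repo_id: [findings]} for a redhat.repo-style file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        key = sec.get("gpgkey", "").strip()
        check = sec.getboolean("gpgcheck", fallback=False)
        issues = []
        if not check:
            issues.append("gpgcheck off: signatures are not verified")
        elif not key:
            issues.append("gpgcheck on but no gpgkey to verify against")
        if key and key.rstrip("/") == rhsm_baseurl.rstrip("/"):
            issues.append("gpgkey is the bare rhsm.conf baseurl")
        report[repo] = issues
    return report

# Constructed sample: hostnames, repo ids and key path are placeholders.
RHSM_BASEURL = "https://cdn.example.com"
SAMPLE_REPO = """\
[custom-nokey]
baseurl = https://cdn.example.com/pulp/repos/custom-nokey
gpgcheck = 0

[custom-signed]
baseurl = https://cdn.example.com/pulp/repos/custom-signed
gpgcheck = 1
gpgkey = https://cdn.example.com/keys/RPM-GPG-KEY-demo

[broken-key]
baseurl = https://cdn.example.com/pulp/repos/broken-key
gpgcheck = 1
gpgkey = https://cdn.example.com
"""

if __name__ == "__main__":
    print(audit_repo_file(SAMPLE_REPO, RHSM_BASEURL))
```

The `broken-key` entry reproduces the "Actual results" from the description, where gpgkey equals the bare baseurl; the `custom-nokey` entry matches case 1 in comment 19, where packages install without signature verification.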

Comment 21 Bryan Kearney 2012-12-10 21:42:48 UTC
Bug clean up, these are in the current release.