Bug 803428

Summary: gpgcheck is always enabled for repos, even if repo does not have gpg keys associated with it.
Product: Red Hat Satellite Reporter: Corey Welton <cwelton>
Component: katello-agentAssignee: Brad Buckingham <bbuckingham>
Status: CLOSED ERRATA QA Contact: Kedar Bidarkar <kbidarka>
Severity: high Docs Contact:
Priority: high    
Version: 6.0.1CC: alikins, bbuckingham, bkearney, cpelland, dgoodwin, hbrock, kbidarka, mmccune
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-15 19:08:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 805690    
Bug Blocks:    

Description Corey Welton 2012-03-14 17:14:25 UTC 
Issue:
------

If user creates a third party repo without associating any GPG keys, syncs content and associates it with a system, that system will be unable to (by default) pull down the content.  It may be the case that this only occurs when there are packages in said repo that are signed but no key is provided/associated - not sure of the exact circumstances

That is to say, even though I have never explicitly associated a GPG key with my repo, the creation of the repo attributes in redhat.repo are nonetheless getting set to GPG checking.


Fix:
----

The solution to this would require fixes across katello and subscription-manager. This bz is for the katello side of things; an associated subscription-manager bz should be written up separately

The fix would invove - 
* Subscription manager:  Remove the default of "gpgcheck = 1", which cannot currently be overridden, from subscription manager - or at least allow upstream clients to enable/disable gpgchecking

* Katello: Add logic akin to
 if katello.repo(!gpgkey) then rhsm.gpgcheck == 0 else rhsm.gpgcheck = 1


Business case:
--------------

The end result is fairly undesirable: user cannot, by default, pull down content from these repos, at least not without (presumably) using --nogpg. But it seems to me that customers might have (security) policies in place disallowing use of --nogpg.



Other notes:

jweiss:
"seems to me gpgcheck=1 is correct.  if the packages are signed they should be checked by default.  if they are not signed, there's no problem"

This makes sense to some degree, but I still think there's a case to be made that users might create repos that have an assortment of signed and unsigned packages that, for whatever reason, they have explicitly not associated a gpg key with the repo, and don't want checking to take place.


alikins (who corrected some of my initial misstatements re: candlepin):

"More specifically, susbcription-manager has a default of gpgcheck=1.  (and no way to override that)

And, in the code that populates the repo info, gpgcheck is not one of the fields that are populate with info from candlepin.

And, candlepin neither stores, nor sends that info to subscription-manager.  (there is an OID allocated for it though, and python-rhsm support for getting it)."
Comment 3 Devan Goodwin 2012-03-21 18:23:59 UTC 
Are you getting gpgkey set to empty string in the repo files? My initial thought is to have subscription manager set gpgcheck = 0 if the gpgkey is empty, but that would require a client change. Is that out of the question due to "we must support shipped versions of subscription-manager" issues?

I actually can't see any way out of this without a client update.

We can also make gpgcheck a mutable repo property so it will be preserved, but again this is a client change in repolib.py.

The larger solution would be adding a new OID for gpgcheck to the OID schema, get the server populating it, get python-rhsm reading it, and subscription-manager writing it. To me though I don't think this is necessary.

I would propose that by default we set gpgcheck to 0 if gpgkey is empty, and flip the mutable switch on it so it will be preserved in any situation where the user wishes to override it regardless.
Comment 4 Adrian Likins 2012-03-21 18:27:38 UTC 
Pretty sure this is going to need a client change as well. At the moment the client is hardcoded for gpgcheck=1. The OID schema already has a attr for
gpgcheck. But...

1) the client doesn't do anything with it

2) candlepin never actually set's it

So we always fall back to the default of enabled.
Comment 14 Devan Goodwin 2012-04-11 12:21:38 UTC 
Hi Kedar, could you find your entitlement certificate in /etc/pki/entitlement and run a command like this on it, and paste the output back into this bz:

openssl x509 -text -in 7470122332792627778.pem
Comment 17 Devan Goodwin 2012-04-12 18:35:23 UTC 
It looks like somewhere along the way you set a GPG key url:

            1.3.6.1.4.1.2312.9.2.1334099306636.1.7: 
               
.Qhttps://scalpel.lab.eng.pnq.redhat.com/katello/api/repositories/1/gpg_key_content


Because this is present subscription-manager is assuming it should enable gpg key checking by default. 

Need to get this URL *off* the content, if the oid is empty it should pick up and disable gpgcheck.

Was this set in some Katello screen when the custom content was created? Can you try editing it to be blank?

If this does not work, could you report back, but also try with a new custom repo. (we are unsure if an edit will trickle down to candlepin)
Comment 18 Kedar Bidarkar 2012-04-13 10:34:59 UTC 
I have not added any GPGkeys, nor I am able to access the dir on the box.

Me not sure how to get it to be blank, as I have not added any gpgkeys.

Also on the SE node,

[root@xxxxx fed16]# pwd
/var/lib/pulp/published/gpg/ACME_Corporation/Library/custom/Fedora16/fed16
[root@xxxxx fed16]# ls
[root@xxxxx fed16]#
Comment 19 Kedar Bidarkar 2012-04-13 10:57:35 UTC 
The above dir shows that it has no gpgkeys added.

For a moment I thought,

may be as the below  custom url 

http://download.eng.pnq.redhat.com/pub/fedora/linux/releases/16/Fedora/x86_64/os/

has the gpgkeys with it, I decided to try it out using the katello repo

and it still produces the gpgkeyurl for the same.

 1.3.6.1.4.1.2312.9.2.1334288937635.1.1: 
                ..katello2
            1.3.6.1.4.1.2312.9.2.1334288937635.1.2: 
                .!ACME_Corporation_Katello_katello2
            1.3.6.1.4.1.2312.9.2.1334288937635.1.5: 
                ..Custom
            1.3.6.1.4.1.2312.9.2.1334288937635.1.6: 
                .-/ACME_Corporation/Dev/custom/Katello/katello2
            1.3.6.1.4.1.2312.9.2.1334288937635.1.7: 
                .Shttps://scalpel.lab.eng.pnq.redhat.com/katello/api/repositories/585/gpg_key_content
            1.3.6.1.4.1.2312.9.2.1334288937635.1.8:
Comment 20 Devan Goodwin 2012-04-13 12:07:53 UTC 
This is not necessarily something that would just be picked up from the content directory, it's more likely something that was set when the custom content was created in Katello.
Comment 21 Brad Buckingham 2012-04-13 19:06:48 UTC 
After investigation, we did find that as part of creating a repository Katello is always passing in a gpgurl to Candlepin for custom products/repos, even if the repo does not have a GPG key defined (provisioned within Katello).
Comment 22 Brad Buckingham 2012-04-13 19:12:07 UTC 
katello commit - 398c73bacda9d3517d2b0d667cf8d171742046bf

This commit contains a small modification so that during creation of a
product in candlepin, katello will only pass in the gpgurl, if a gpgkey
has been defined for the repository within katello.  This applies only to
custom products.

With this change, when a user uses subscription-manager to subscribe
to the content, if that content doesn't have a gpgkey defined in
katello the redhat.repo will have gpgcheck=0; otherwise, it will
have gpgcheck=1 with a url pointing to where it can be downloaded
from katello.
Comment 25 Kedar Bidarkar 2012-04-29 12:18:26 UTC 
[root@yyyyy yum.repos.d]# cat redhat.repo && cat /etc/redhat-release && rpm -qav | grep -i subscription-manager 
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#

[ACME_Corporation_Fedora16_fed16]
name = fed16
baseurl = https://xxx.redhat.com/pulp/repos/ACME_Corporation/Dev/custom/Fedora16/fed16
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1066768550348597706-key.pem
sslclientcert = /etc/pki/entitlement/1066768550348597706.pem

Red Hat Enterprise Linux Server release 6.2 (Santiago)

subscription-manager-0.99.15-1.el6.x86_64


[root@xxxxx ~]# rpm -qav | grep -i katello 
katello-glue-candlepin-0.1.311-1.el6_2.noarch
katello-common-0.1.311-1.el6_2.noarch
katello-configure-0.1.107-1.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-common-0.1.107-1.el6.noarch
katello-glue-pulp-0.1.311-1.el6_2.noarch
katello-selinux-0.1.10-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-certs-tools-1.0.4-1.el6.noarch
katello-glue-foreman-0.1.311-1.el6_2.noarch
katello-0.1.311-1.el6_2.noarch
katello-all-0.1.311-1.el6_2.noarch
katello-cli-0.1.107-1.el6.noarch
[root@xxxxxx ~]# rpm -qav | grep -i candlepin
katello-glue-candlepin-0.1.311-1.el6_2.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
candlepin-0.5.26-1.el6.noarch
candlepin-tomcat6-0.5.26-1.el6.noarch
Comment 26 errata-xmlrpc 2012-05-15 19:08:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0662.html
Comment 27 Mike McCune 2013-08-16 17:56:18 UTC 
getting rid of 6.0.0 version since that doesn't exist