Bug 842827

Summary: Gpg checking issue with custom contents
Product: Red Hat Update Infrastructure for Cloud Providers Reporter: mkovacik
Component: RHUA    Assignee: mkovacik
Status: CLOSED ERRATA QA Contact: mkovacik
Severity: unspecified Docs Contact:
Priority: high    
Version: 2.1    CC: jslagle, snansi, tsanders, whayutin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
This update of Red Hat Update Infrastructure now allows you to turn on gpg signature checking for content in a custom repository.
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-24 11:55:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments (description, flags):
Screen log (flags: none)
Screen capture showing repository info (flags: none)
Screen capture showing custom repo creation (flags: none)
Verifying screen log (flags: none)

Description mkovacik 2012-07-24 16:43:03 UTC
Created attachment 600071 [details]
Screen log

Description of problem:
Gpg checking is required for all custom repositories and contents, but the Red Hat fingerprint is deployed in the client repo file.

Version-Release number of selected component (if applicable):
2.0.x, RHEL-6.3-RHUI-2.1-20120705.0-Server-x86_64-DVD1.iso

How reproducible:
Always

Steps to Reproduce:
1. create custom repository
2. upload custom contents __not signed by Red Hat__
3. create client contents entitlement and configuration rpm
4. deploy the configuration and try to install the custom contents
5. gpg issue is reported


Expected results:
No gpg issues with deploying custom contents either signed or not

Additional info:
See the screen log attached (of a recent 2.1 build)

Comment 1 James Slagle 2012-07-27 19:03:48 UTC
committed to cloude
532dcf887a2674efeb57702267459f2806dd94c4
9b40c5c950373e8a0e1ed4d83964daf9a2c9f095

Comment 3 James Slagle 2012-08-01 12:56:59 UTC
Created attachment 601741 [details]
Screen capture showing repository info

Comment 4 James Slagle 2012-08-01 12:57:55 UTC
Created attachment 601742 [details]
Screen capture showing custom repo creation

Comment 5 James Slagle 2012-08-01 13:07:57 UTC
I've attached 2 screen captures. One shows the new workflow for custom repo creation and the other shows the new information that is displayed on the repo info screen.

These are the changes to the custom repo creation workflow:

You're now asked if you want gpg signature checking turned on for content in a custom repository. If you answer yes, gpgcheck=1 will be set in the repo config generated for that custom repository.

If you answered yes to gpg checking, you're asked if the content will be signed by Red Hat. Answering yes to this will include the path to Red Hat's public gpg key in the repo config under gpgkey.

If you answered yes to gpg checking (and after the Red Hat gpg prompt), you're asked if the content will be signed by a custom gpg key. Answering yes to this will prompt for a path to a public gpg key to include in the repo config under gpgkey. After entering a public gpg key path, you're asked a y/n prompt if you want to enter another key. You can continue entering as many keys as you want.

Some notes:
You're never prompted for a private gpg key. It is still up to the customer to sign any of their custom rpms or generated client configuration rpms with their private gpg key(s) before uploading them to a custom repository in RHUI.

When rpms are uploaded to a custom repository, there's no verification that they're signed by the gpg keys that they're supposed to be signed with. That doesn't happen until a client actually tries to install one of the rpms.
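
The repo config that the custom-repo workflow in comment 5 describes, as an added example (not RHUI's own code): the prompt answers become gpgcheck=0/1 and a whitespace-separated gpgkey list, and a parser reads the deployed client repo file back so the fingerprint problem from the description (gpgcheck=1 with only the Red Hat key for content Red Hat never signed) can be spotted. The Red Hat key path, repo id and URLs are assumed for the example.

```python
from __future__ import annotations

# Assumed location of Red Hat's public key on a RHEL client (constructed for
# this example; the path RHUI actually writes may differ).
REDHAT_GPG_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"


def render_repo_stanza(repo_id: str, baseurl: str, *, gpgcheck: bool,
                       redhat_signed: bool = False,
                       custom_keys: list[str] | None = None) -> str:
    """Build the yum stanza the prompts describe: gpgcheck=1/0, and gpgkey
    holding Red Hat's key and/or each custom public key that was entered."""
    custom_keys = custom_keys or []
    if gpgcheck and not (redhat_signed or custom_keys):
        # gpgcheck=1 with no key at all would make every package install fail.
        raise ValueError("gpgcheck=1 requires at least one gpgkey entry")
    lines = [f"[{repo_id}]", f"name={repo_id}", f"baseurl={baseurl}",
             "enabled=1", f"gpgcheck={1 if gpgcheck else 0}"]
    if gpgcheck:
        keys = ([REDHAT_GPG_KEY] if redhat_signed else []) + [
            k if "://" in k else f"file://{k}" for k in custom_keys]
        # yum accepts several key URLs in gpgkey separated by whitespace;
        # continuation lines are indented as in any INI-style file.
        lines.append("gpgkey=" + "\n       ".join(keys))
    return "\n".join(lines) + "\n"


def parse_gpg_settings(stanza: str) -> tuple[bool, list[str]]:
    """Read gpgcheck and the gpgkey URL list back out of a stanza, so a
    deployed client repo file can be compared with what was intended."""
    gpgcheck, keys, in_gpgkey = False, [], False
    for raw in stanza.splitlines():
        if raw.startswith("gpgcheck="):
            gpgcheck = raw.split("=", 1)[1].strip() == "1"
            in_gpgkey = False
        elif raw.startswith("gpgkey="):
            keys = raw.split("=", 1)[1].split()
            in_gpgkey = True
        elif in_gpgkey and raw[:1].isspace():
            keys.extend(raw.split())  # indented continuation of gpgkey
        else:
            in_gpgkey = False
    return gpgcheck, keys
```

A client repo file whose parsed key list contains only the Red Hat key while the repository holds customer-signed rpms reproduces the failure in the description; adding the customer's public key to custom_keys is the fix the new workflow enables.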

Comment 6 James Slagle 2012-08-02 14:19:14 UTC
*** Bug 845013 has been marked as a duplicate of this bug. ***

Comment 7 mkovacik 2012-08-07 13:11:39 UTC
Created attachment 602745 [details]
Verifying screen log

Verified in build: RHEL-6.3-RHUI-2.1-20120801.0-Server-x86_64-DVD1.iso
Now custom protected repos do not require GPG signature checking upon content installation anymore. See the screen log attached.

Comment 8 Shikha 2012-08-16 09:32:29 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
This update of Red Hat Update Infrastructure now allows you to turn on gpg signature checking for content in a custom repository.

Comment 10 errata-xmlrpc 2012-08-24 11:55:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html