Bug 1090682 - Base install of RHEL7 needs Red Hat GPG public key for yum gpg checking
Status: CLOSED DUPLICATE of bug 998
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: anaconda
Assigned To: Anaconda Maintenance Team
Reported: 2014-04-23 19:31 EDT by Ryan J Nicholson
Modified: 2014-04-30 08:38 EDT
Doc Type: Bug Fix
Last Closed: 2014-04-30 08:38:59 EDT
Type: Bug

Description Ryan J Nicholson 2014-04-23 19:31:54 EDT
Description of problem:

Unpacking RHEL ISOs and pointing to the repo with yum gives a "no public keys installed" message.

Version-Release number of selected component (if applicable):


How reproducible:

If a .repo file in yum.repos.d is set up without gpgcheck=no (i.e., the default of gpg checking enabled is active), the message always appears.

Steps to Reproduce:
1. Unpack RHEL7 RC .iso.
2. Point to the repo w/ /etc/yum.repos.d/rhel7.repo.
3. Any yum command will report no public keys installed.

Actual results:

The user is presented with instructions for installing a public key to verify signed RPM packages.

Expected results:

The Red Hat public key should be installed by default so this message is suppressed.

Additional info:

Since this is on a test system not registered under a support contract, maybe the Red Hat public key is installed as part of the registration process. But I think it probably still should be included in the base install to make GPG checking work out of the box.
Comment 2 David Cantrell 2014-04-30 08:38:59 EDT
This is deliberate.  GPG keys are not present in the install environment and packages are installed without GPG key checking when using a supported install path.  GPG keys used to verify signed packages are installed on the target system (look in /etc/pki/rpm-gpg).  The GPG keys are delivered as part of the redhat-release package.

What you are describing though is outside of the normal installation environment.  If you are setting up the RHEL repos somewhere else, the GPG keys used to verify those packages are in the release tree at the top level.  You will need to provide those files to the receiving system in order to verify packages you install.

The core issue that I think you're getting at is the same as the discussion that has been going on in bug #998 for a long time.  It's a bootstrapping issue.  We cannot provide GPG keys on the install media in order to check signatures on packages because there's no way to trust those keys.  We have to provide the GPG keys externally and insist that users add them to their local RPM configuration before signature verification can work.  As stated above, this happens mostly for users when they follow a supported install path.  The only thing we don't do is automatically add the GPG keys to the RPM database.  The user is still prompted to verify that operation before it happens, but that occurs on the installed system.

*** This bug has been marked as a duplicate of bug 998 ***
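
As an added example (not part of the bug report and not Red Hat's tooling): one way to act on the comment above when serving the RHEL packages from your own copy of the release tree. It checks the top-level key file against a fingerprint obtained through a separate trusted channel before `rpm --import`, then writes a repo file with `gpgcheck=1`. The function names, paths, repo id and the sample key listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: verify a release-tree key out-of-band, then import it.
# Paths, the repo id and every fingerprint here are assumptions/constructed.

# Constructed `gpg --with-colons` output (not a real key): one primary key, one subkey.
SAMPLE_COLONS='pub:-:4096:1:1111111111111111:1262304000:::-:::scSC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1262304000::X::Constructed Key <key@example.invalid>:
sub:-:4096:1:2222222222222222:1262304000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:'

# Strip whitespace and upper-case, so "aaaa bbbb" style prints compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: colon listing. stdout: fingerprint of each primary key (the fpr after a pub).
primary_fprs() {
  awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0; next} $1=="fpr" && p {print $10; p=0}'
}

# stdin: fingerprints. args: fingerprints obtained over a separate trusted channel.
# Succeeds only if at least one key is present and every key is on the trusted list.
all_trusted() {
  _seen=0
  while read -r _fpr; do
    [ -n "$_fpr" ] || continue
    _seen=1; _ok=0; _have=$(norm_fpr "$_fpr")
    for _t in "$@"; do
      if [ "$_have" = "$(norm_fpr "$_t")" ]; then _ok=1; fi
    done
    [ "$_ok" -eq 1 ] || return 1
  done
  [ "$_seen" -eq 1 ]
}

# $1 = key file from the top of the release tree; remaining args = trusted fingerprints.
# Fails closed: a missing gpg, an empty listing or an unknown key all refuse the import.
import_verified_key() {
  _key=$1; shift
  gpg --with-colons --with-fingerprint "$_key" 2>/dev/null | primary_fprs | all_trusted "$@" \
    || { echo "refusing to import $_key: unexpected fingerprint" >&2; return 1; }
  rpm --import "$_key"
}

# $1 = repo id, $2 = baseurl, $3 = absolute key path, $4 = .repo file to write.
write_repo() {
  printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=file://%s\n' \
    "$1" "$1" "$2" "$3" >"$4"
}
```

The fingerprint passed to `import_verified_key` has to come from somewhere other than the media or mirror that supplied the key file; otherwise the check only compares the tree against itself.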
