Red Hat Bugzilla – Bug 1090682
Base install of RHEL7 needs Red Hat GPG public key for yum gpg checking
Last modified: 2014-04-30 08:38:59 EDT
Description of problem:
Unpacking RHEL ISOs and pointing to the repo with yum gives a "no public keys installed" message.
Version-Release number of selected component (if applicable):
If a .repo file in yum.repos.d is set up without gpgcheck=no (i.e., the default of gpg checking enabled is active), the message always appears.
Steps to Reproduce:
1. Unpack RHEL7 RC .iso.
2. Point to the repo w/ /etc/yum.repos.d/rhel7.repo.
3. Any yum command will report no public keys installed.
The user is presented with instructions for installing a public key to verify signed RPM packages.
The Red Hat public key should be installed by default so this message is suppressed.
Since this is on a test system not registered under a support contract, maybe the Red Hat public key is installed as part of the registration process. But I think it probably still should be included in the base install to make GPG checking work out of the box.
This is deliberate. GPG keys are not present in the install environment and packages are installed without GPG key checking when using a supported install path. GPG keys used to verify signed packages are installed on the target system (look in /etc/pki/rpm-gpg). The GPG keys are delivered as part of the redhat-release package.
What you are describing though is outside of the normal installation environment. If you are setting up the RHEL repos somewhere else, the GPG keys used to verify those packages are in the release tree at the top level. You will need to provide those files to the receiving system in order to verify packages you install.
The core issue that I think you're getting at is the same as the discussion that has been going on in bug #998 for a long time. It's a bootstrapping issue. We cannot provide GPG keys on the install media in order to check signatures on packages because there's no way to trust those keys. We have to provide the GPG keys externally and insist that users add them to their local RPM configuration before signature verification can work. As stated above, this happens mostly for users when they follow a supported install path. The only thing we don't do is automatically add the GPG keys to the RPM database. The user is still prompted to verify that operation before it happens, but that occurs on the installed system.
*** This bug has been marked as a duplicate of bug 998 ***
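The setup the reply describes for a release tree unpacked outside the installer, as an added example that is not part of the original bug report or any Red Hat tooling: it writes a .repo stanza that keeps signature checking on and points yum at the key files found at the top of the tree. The function name, the `RPM-GPG-KEY-*` file name pattern, and the paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: key files at the top of the release tree are
# named RPM-GPG-KEY-*; tree path and repo id are supplied by the caller.

# Print a yum .repo stanza for an unpacked release tree with signature
# checking enabled. Fails when the tree carries no key files instead
# of falling back to gpgcheck=0.
make_repo_stanza() {
    tree=$1
    repo_id=$2
    case $tree in
        /*) ;;
        *) echo "tree path must be absolute: $tree" >&2; return 2 ;;
    esac
    keys=""
    for f in "$tree"/RPM-GPG-KEY-*; do
        [ -f "$f" ] || continue   # glob matched nothing
        if [ -z "$keys" ]; then
            keys="file://$f"
        else
            # Further keys go on indented continuation lines.
            keys="$keys
       file://$f"
        fi
    done
    if [ -z "$keys" ]; then
        echo "no RPM-GPG-KEY-* files at the top of $tree" >&2
        return 1
    fi
    cat <<EOF
[$repo_id]
name=$repo_id (local tree)
baseurl=file://$tree
enabled=1
gpgcheck=1
gpgkey=$keys
EOF
}

# Typical use on the receiving system (constructed paths, not run here):
#   make_repo_stanza /srv/rhel7-tree rhel7-local > /etc/yum.repos.d/rhel7.repo
#   gpg --with-fingerprint "$keyfile"   # compare with a fingerprint obtained out of band
#   rpm --import "$keyfile"             # or accept yum's import prompt after checking
```

The fingerprint comparison is the step that addresses the bootstrapping problem raised in the reply: a key file that arrives alongside the packages proves nothing until it is checked against a value obtained from a separate channel.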