1. Proposed title of this feature request
RFE: Add ability for pulp to gpg sign repository metadata

2. What is the nature and description of the request?
If you include a gpg key with a repository in Satellite, some package manager plugins not only check gpg signatures on the rpms, but also on the repository metadata. Satellite does not currently support gpg signing of the repository metadata, and such package managers encounter errors and fail.

3. Why does the customer need this? (List the business requirements here)
Customer has environments that use an alternate package manager which behaves in this fashion. Currently the only workaround is to disable all gpg checking of packages and repository metadata.

4. How would the customer like to achieve this? (List the functional requirements here)
This feature is already in upstream pulp.

5. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Once Satellite includes this feature, the customer will put the key back into the repository configuration, and ensure pulp is generating the appropriate repository metadata signing information.

6. Is there already an existing RFE upstream or in Red Hat bugzilla?
The gpg_sign_metadata option found on https://github.com/pulp/pulp_rpm/blob/cbb26f622cc870a70c11add9adbb92ebe0165ba8/docs/tech-reference/yum-plugins.rst
This also seems to correlate with https://pulp.plan.io/issues/3055

7. Does the customer have any specific timeline dependencies?
This is impacting part of their environment and while they understand this is new functionality, they would appreciate it as soon as possible.

8. Is the sales team involved in this request and do they have any additional input?
The TAM and SA are aware of the issue.

9. List any affected packages or components.
pulp plugin for yum repositories

10. Would the customer be able to assist in testing this functionality if implemented?
Absolutely!
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
I can't get this to work. It is possible that I am doing something wrong, but I am using the instructions from https://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/yum-plugins.html . When I set gpg_sign_metadata to true, the metadata is still not signed.

1) Create "/etc/pulp/server/plugins.conf.d/yum_distributor.json", enter "{ "gpg_sign_metadata": true }"
2) # katello-service restart
3) publish the repo to a content view, with "Force Yum Metadata Regeneration" checked, promote it
4) # find / -name repomd.xml.asc
   -> doesn't find anything
5) # yum install -y <package_in_repo>

    [...]
    https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
    Trying other mirror.
    To address this issue please refer to the below knowledge base article

    https://access.redhat.com/articles/1320623

    If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.

    Default_Organization_test_test | 2.1 kB 00:00:00
    [...]
    failure: repodata/repomd.xml.asc from Default_Organization_test_test: [Errno 256] No more mirrors to try.
    https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
    Uploading Enabled Repositories Report
    Loaded plugins: product-id, subscription-manager
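An added example, not part of the original comment and not Pulp or Satellite code: a shell check for what steps 4 and 5 above probe, namely whether a repodata directory contains repomd.xml.asc and whether that detached signature verifies against repomd.xml. The function names, the throwaway key identity and the minimal repomd.xml are constructed for the demo; it assumes GnuPG 2.1 or later is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): does a repodata directory carry a
# detached signature for repomd.xml, and does it verify against a keyring?

# Usage: check_repomd_signature REPODATA_DIR GNUPG_HOME
# Prints missing-repomd | unsigned | invalid | valid; returns 0 only for valid.
check_repomd_signature() {
    local repodata="$1" home="$2"
    [ -f "$repodata/repomd.xml" ] || { echo "missing-repomd"; return 2; }
    # A client-side 404 for repomd.xml.asc corresponds to this case.
    [ -f "$repodata/repomd.xml.asc" ] || { echo "unsigned"; return 1; }
    if gpg --homedir "$home" --batch --quiet \
           --verify "$repodata/repomd.xml.asc" "$repodata/repomd.xml" 2>/dev/null; then
        echo "valid"; return 0
    fi
    echo "invalid"; return 3
}

# Build a constructed demo in DIR: throwaway key plus a minimal repomd.xml.
# The key identity and file contents are made up for this example.
make_demo_repo() {
    local dir="$1"
    mkdir -p "$dir/gnupg" "$dir/repodata" && chmod 700 "$dir/gnupg"
    printf '<repomd><revision>1</revision></repomd>\n' > "$dir/repodata/repomd.xml"
    gpg --homedir "$dir/gnupg" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Metadata Signer <demo@example.invalid>' default default never \
        2>/dev/null
}

# Write an ASCII-armored detached signature next to the demo repomd.xml.
sign_demo_repo() {
    local dir="$1"
    gpg --homedir "$dir/gnupg" --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --armor --detach-sign \
        --output "$dir/repodata/repomd.xml.asc" "$dir/repodata/repomd.xml"
}

# Run the demo only when executed with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_repo "$d"
    check_repomd_signature "$d/repodata" "$d/gnupg"   # before signing
    sign_demo_repo "$d"
    check_repomd_signature "$d/repodata" "$d/gnupg"   # after signing
    gpgconf --homedir "$d/gnupg" --kill gpg-agent; rm -rf "$d"
fi
```

Against a real published repository, pass its repodata directory and a GnuPG home directory that holds the repository's public key.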
Requesting needsinfo from upstream developer dkliban, ttereshc because the 'FailedQA' flag is set.
Requesting needsinfo from upstream developer daviddavis because the 'FailedQA' flag is set.
You need to also set the 'gpgkey' on the distributor. Full docs: https://docs.pulpproject.org/en/2.16/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-of-repository-metadata
After discussion with Dennis, failing this again because:
1) The feature is not documented in downstream at all.
2) The feature is not integrated well with the Satellite - it requires some manual configuration in config files.
3) I wasn't able to use the feature at all. Dennis thinks it's because of wrong SELinux rules for GPG keys in /home/apache/.gnupg and is going to report it.
Requesting needsinfo from upstream developer dkliban, ttereshc, daviddavis because the 'FailedQA' flag is set.
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1410638. Comments 29 and 30 in that bug list additional unreleased changes which are required to effectively use this feature and to integrate this feature with Satellite.
We are going to handle this in https://bugzilla.redhat.com/show_bug.cgi?id=1410638. The pulp backend changes will land in 6.5 but the full support for this RFE will be handled and tracked in 1410638.
Based upon comment 19, I'll move this to ON_DEV since the pulp changes are in. It should be noted that katello integration work will be done as part of bug 1410638 and planned for a future release.
Closing this one as a duplicate of older bug 1410638. That bugzilla references this one and also indicates that it is a duplicate. *** This bug has been marked as a duplicate of bug 1410638 ***