Description Jason Dickerson
2018-01-05 22:01:38 UTC
1. Proposed title of this feature request
RFE: Add ability for pulp to gpg sign repository metadata
2. What is the nature and description of the request?
If you include a gpg key with a repository in Satellite, some package manager plugins not only check gpg signatures on the rpms, but also on the repository metadata. Satellite does not currently support gpg signing of the repository metadata, and such package managers encounter errors and fail.
3. Why does the customer need this? (List the business requirements here)
Customer has environments that use an alternate package manager which behaves in this fashion. Currently the only work around is to disable all gpg checking of packages and repository metadata.
4. How would the customer like to achieve this? (List the functional requirements here)
This feature is already in upstream pulp.
5. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Once Satellite includes this feature, the customer will put the key back into the repository configuration, and ensure pulp is generating the appropriate repository metadata signing information.
6. Is there already an existing RFE upstream or in Red Hat bugzilla?
The gpg_sign_metadata option found on https://github.com/pulp/pulp_rpm/blob/cbb26f622cc870a70c11add9adbb92ebe0165ba8/docs/tech-reference/yum-plugins.rst
This also seems to correlate with https://pulp.plan.io/issues/3055
7. Does the customer have any specific timeline dependencies?
This is impacting part of their environment and while they understand this is new functionality, they would appreciate it as soon as possible.
8. Is the sales team involved in this request and do they have any additional input?
The TAM and SA are aware of the issue.
9. List any affected packages or components.
pulp plugin for yum repositories
10. Would the customer be able to assist in testing this functionality if implemented?
Absolutely!
Comment 2 pulp-infra@redhat.com
2018-01-08 14:32:05 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 3 pulp-infra@redhat.com
2018-01-08 14:32:07 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com
2018-01-08 15:01:49 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 6 pulp-infra@redhat.com
2018-01-17 21:32:07 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 8 Lukáš Hellebrandt
2018-09-19 14:01:27 UTC
I can't get this to work. It is possible that I am doing something wrong, but I am using the instructions from https://docs.pulpproject.org/plugins/pulp_rpm/tech-reference/yum-plugins.html . When I set gpg_sign_metadata to true, the metadata is still not signed.
1) Create "/etc/pulp/server/plugins.conf.d/yum_distributor.json", enter "{ "gpg_sign_metadata": true }"
2) # katello-service restart
3) publish the repo to a content view, with "Force Yum Metadata Regeneration" checked, promote it
4) # find / -name repomd.xml.asc -> doesn't find anything
5) # yum install -y <package_in_repo>
[...]
https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article
https://access.redhat.com/articles/1320623
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
Default_Organization_test_test | 2.1 kB 00:00:00
[...]
failure: repodata/repomd.xml.asc from Default_Organization_test_test: [Errno 256] No more mirrors to try.
https://<FQDN>/pulp/repos/Default_Organization/test/testcv/custom/test/test/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Uploading Enabled Repositories Report
Loaded plugins: product-id, subscription-manager
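The check in step 4 of the comment above, narrowed to published repositories and extended with a signature verification. This is an added example, not part of the original comment or of Pulp or Satellite; the function names and the caller-supplied publish root and public key path are assumptions.

```shell
#!/bin/sh
# Added example: audit yum repositories for a detached metadata signature.
# Assumption: each repository lives under <root>/.../repodata/repomd.xml.

# Print every repodata directory under $1 that has repomd.xml
# but no non-empty repomd.xml.asc next to it.
unsigned_repos() {
    local root="$1" md
    find "$root" -type f -path '*/repodata/repomd.xml' 2>/dev/null |
    while IFS= read -r md; do
        [ -s "${md}.asc" ] || dirname "$md"
    done
}

# Verify repomd.xml ($1) against repomd.xml.asc using only the public key
# in $2, imported into a throwaway keyring so no other trusted key can match.
# Returns 0 = good signature, 1 = verification failed,
#         2 = no signature file, 3 = could not create the temporary keyring.
verify_repomd() {
    local md="$1" key="$2" home rc
    [ -s "${md}.asc" ] || return 2
    home=$(mktemp -d) || return 3
    if gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null &&
       gpg --homedir "$home" --batch --verify "${md}.asc" "$md" 2>/dev/null
    then
        rc=0
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Usage: sh audit.sh <publish-root>   (lists repositories missing a signature)
if [ "$#" -ge 1 ]; then
    unsigned_repos "$1"
fi
```

A repository listed by `unsigned_repos` is one where a client that checks metadata signatures will fail with the 404 on `repomd.xml.asc` shown in the yum output above.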
Comment 9 pulp-infra@redhat.com
2018-09-19 14:04:38 UTC
Requesting needsinfo from upstream developer dkliban, ttereshc because the 'FailedQA' flag is set.
Comment 10 pulp-infra@redhat.com
2018-09-19 15:05:55 UTC
Requesting needsinfo from upstream developer daviddavis because the 'FailedQA' flag is set.
Comment 12 Lukáš Hellebrandt
2018-09-21 14:28:15 UTC
After discussion with Dennis, failing this again because:
1) The feature is not documented in downstream at all.
2) The feature is not integrated well with the Satellite - it requires some manual configuration in config files.
3) I wasn't able to use the feature at all. Dennis thinks it's because of wrong SELinux rules for GPG keys in /home/apache/.gnupg and is going to report it.
Comment 14 pulp-infra@redhat.com
2018-09-21 14:32:45 UTC
Requesting needsinfo from upstream developer dkliban, ttereshc, daviddavis because the 'FailedQA' flag is set.
Comment 17 pulp-infra@redhat.com
2018-09-21 17:33:18 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1410638
Comments 29 and 30 in that bug list additional unreleased changes which are required to effectively use this feature and to integrate this feature with Satellite.
Based upon comment 19, I'll move this to ON_DEV since the pulp changes are in. It should be noted that katello integration work will be done as part of bug 1410638 and planned for a future release.
Closing this one as a duplicate of older bug 1410638. That bugzilla references this one and also indicates that it is a duplicate.
*** This bug has been marked as a duplicate of bug 1410638 ***