Bug 1858231 - GPG key checking on SLES is all or nothing
Summary: GPG key checking on SLES is all or nothing
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Candlepin
Version: Unspecified
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Jiri Hnidek
QA Contact: Lai
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-17 10:19 UTC by Dirk Götz
Modified: 2021-05-26 19:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-26 19:32:05 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github candlepin subscription-manager pull 2309 | 0 | None | Merged | 1858231: Disable repository metadata gpg validation | 2022-06-15 11:38:00 UTC
Red Hat Bugzilla 1764265 | 0 | unspecified | CLOSED | Zypper commands do not run non-interactively on first attempt | 2023-03-24 15:45:01 UTC

Description Dirk Götz 2020-07-17 10:19:23 UTC
Description of problem:
Subscription-manager sets gpgcheck to 1 if a gpg key is assigned to a repository, which means checking of repository metadata and packages for SLES. With the latest versions of subscription-manager this can be overridden by setting gpgcheck to 0 in /etc/rhsm/zypper.conf, but this means no checking at all. Having a gpg key assigned to a repository means in reality that packages are signed but not the repository metadata, so for zypper it would be the setting pkg_gpgcheck = 1 instead of gpgcheck = 1. As a workaround you can override it at the moment by setting repo_gpgcheck = 0 because of the already set gpgcheck = 1 (subscription-manager repo-override --repo=REPONAME --add=repo_gpgcheck:0).


Version-Release number of selected component (if applicable):
subscription-manager 1.23.3-4.1.suse1315 and 1.28.0-1 tested


How reproducible:
Same behaviour with all versions, except the override from zypper.conf is only available in the latest versions ("fix" from https://bugzilla.redhat.com/show_bug.cgi?id=1764265).

Steps to Reproduce:
1. Upload a GPG key as Content Credential
2. Create a SLES product and assign the GPG key
3. Create a Repository
4. Register a SLES system so it gets access to the repository
5. Ensure the system wants to GPG check for the repository (zypper lr)
6. Ensure the system needs to get the latest metadata (zypper clean --all)
7. Download the latest metadata (zypper ref) and it will complain about unsigned metadata

Actual results:
You need to accept unsigned metadata manually or via a CLI parameter; the only alternative is disabling gpg checking entirely or using subscription-manager repo-override.

Expected results:
Only pkg_gpgcheck is set to 1, or additionally repo_gpgcheck is set to 0, so zypper does not expect and therefore does not complain about unsigned metadata.

Additional information:
https://bugzilla.redhat.com/show_bug.cgi?id=1764265 brought the workaround with zypper.conf to override gpgcheck to "solve" this problem
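As an added example (not code from the report or from subscription-manager), the following Python script reads a zypper .repo file, works out which of the two signature checks zypper will actually perform under the zypp.conf rule that repo_gpgcheck and pkg_gpgcheck fall back to the master gpgcheck value when unset, and emits the repo-override commands needed to reach the state the reporter expects (packages checked, metadata not). The repo file contents, hostnames and repo id are constructed; only the override command form comes from the report.

```python
import configparser

# Constructed sample in the layout subscription-manager writes to
# /etc/zypp/repos.d/redhat.repo; hostname, repo id and key URL are made up.
SAMPLE_REPO = """\
[sles15-custom-tools]
name=SLES 15 custom tools (constructed sample)
baseurl=https://satellite.example.com/pulp/content/Example/Library/custom/sles/tools
enabled=1
gpgcheck=1
gpgkey=https://satellite.example.com/katello/api/v2/repositories/123/gpg_key_content
"""

_TRUE = ("1", "on", "yes", "true")

def _flag(section, key, default):
    """Read a zypper boolean; an unset key falls back to the caller's default."""
    raw = section.get(key)
    return default if raw is None else raw.strip().lower() in _TRUE

def effective_gpg_checks(repo_text):
    """Map repo id -> (repo_gpgcheck, pkg_gpgcheck) as zypper will apply them.

    Rule used (from zypp.conf): repo_gpgcheck and pkg_gpgcheck default to the
    master gpgcheck value when not set explicitly, and gpgcheck itself defaults
    to on. A repo carrying only gpgcheck=1 therefore checks *both* metadata and
    package signatures, which is the "all or nothing" behaviour in the report.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    checks = {}
    for repo_id in cfg.sections():
        sec = cfg[repo_id]
        master = _flag(sec, "gpgcheck", True)
        checks[repo_id] = (_flag(sec, "repo_gpgcheck", master),
                           _flag(sec, "pkg_gpgcheck", master))
    return checks

def repo_override_commands(repo_text):
    """One repo-override per repo that is not yet at repo_gpgcheck=0 / pkg_gpgcheck=1."""
    cmds = []
    for repo_id, (repo_check, pkg_check) in effective_gpg_checks(repo_text).items():
        adds = []
        if repo_check:        # metadata is unsigned, so stop zypper demanding it
            adds.append("repo_gpgcheck:0")
        if not pkg_check:     # packages are signed, so keep checking them
            adds.append("pkg_gpgcheck:1")
        if adds:
            cmds.append(f"subscription-manager repo-override --repo={repo_id}"
                        + "".join(f" --add={a}" for a in adds))
    return cmds
```

Running it against a real /etc/zypp/repos.d/redhat.repo prints the overrides to apply; repos already at repo_gpgcheck=0 with package checks on produce no command.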

