Bug 741293 - gpgkey field of repo files incorrect (on rhsm client machines)
Summary: gpgkey field of repo files incorrect (on rhsm client machines)
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager
Version: 5.7
Hardware: x86_64
OS: Unspecified
Target Milestone: rc
: 5.8
Assignee: Bryan Kearney
Depends On:
Blocks: 715031 771748
TreeView+ depends on / blocked
Reported: 2011-09-26 14:11 UTC by Jeff Weiss
Modified: 2014-11-09 22:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-12-10 21:42:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0033 0 normal SHIPPED_LIVE subscription-manager bug fix and enhancement update 2013-01-08 08:38:27 UTC

Description Jeff Weiss 2011-09-26 14:11:29 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a product/repo and sync it
2. Create an env in ACME_Corporation
3. Register with RHSM 
3.5 (workaround) echo $YOURENVNAME > /etc/yum/vars/env
4. subscribe to the product

Actual results:
in /etc/yum.repos.d/redhat.repo, gpgkey = whatever you set "baseurl" to in /etc/rhsm/rhsm.conf

Expected results:
gpgkey = [something appended to the baseurl to point to an actual key]

Additional info:

Comment 1 Dmitri Dolguikh 2011-09-29 10:58:54 UTC
this is an issue with subscription-manager. could you file it rhsm guys pls.?

Comment 2 Jeff Weiss 2011-09-29 12:20:47 UTC
Please do not mark bugs ON_QA or MODIFIED unless there is a commit that fixes the bug.

Comment 5 Jeff Weiss 2011-09-29 15:50:28 UTC
No, the issue is broader than that - yum fails because of missing gpg keys.  I have no idea where the key is supposed to be, but it's certainly not in the location pointed to by the repo file produced by RHSM.  I am not sure whether work needs to be done on katello or RHSM or both to get this link to work.

Comment 10 Jeff Weiss 2011-10-17 14:59:56 UTC
I'm not sure what the fix was, it appears that the gpgkey entry was simply removed from the repo file.  I don't think that is not the correct solution - these packages are signed, the key needs to be there.  I added the EPEL repo to katello and tried to install a package from it, I get

Public key for p7zip-9.20.1-2.el6.x86_64.rpm is not installed

I am not sure how we intend to handle these keys (will it be automatic or will we expect end users to import the keys via their own trusted mechanism?).  We should figure this out before we close this bug.  I would have expected the katello/pulp/cp stack to know where the key is and push that info to RHSM.

Comment 15 Bryan Kearney 2011-12-14 21:28:20 UTC
Looking back at the fix:

If the gpg key is provided by katello, then it will show up in the yum repo file. if what is provied is a relative path, then it will be prepended with the baseurl from rhsm.conf.

I would suggest retesting with custom products with no gpg keys, and with redhat content.

-- bk

Comment 17 RHEL Program Management 2012-09-17 14:58:51 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 19 John Sefler 2012-10-23 20:47:20 UTC
Verifying version...
Katello Version: 1.2.1-1.git.2.10b2e82.el6_3
[root@jsefler-rhel59 ~]# rpm -q subscription-manager python-rhsm

Working with jweiss, two subscriptions were setup on the katello server:
 1 containing content without a gpgkey
 2 containing content requiring a gpgkey

After subscribing...

[root@jsefler-rhel59 ~]# grep baseurl /etc/rhsm/rhsm.conf

[root@jsefler-rhel59 ~]# cat /etc/yum.repos.d/redhat.repo 
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos

name = safari-x86_64-1023-141300-229
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/safari-1_0-1023-141300-229/safari-x86_64-1023-141300-229
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8348727650157286836-key.pem
sslclientcert = /etc/pki/entitlement/8348727650157286836.pem

name = epel-x86_64
baseurl = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/pulp/repos/ACME_Corporation/Development//custom/Extra_Packages/epel-x86_64
enabled = 1
gpgcheck = 1
gpgkey = https://10-16-120-165.dhcp.rhq.lab.eng.bos.redhat.com/katello/api/repositories/37/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8975838015483720818-key.pem
sslclientcert = /etc/pki/entitlement/8975838015483720818.pem
[root@jsefler-rhel59 ~]# 

For case 1: notice above that repo ACME_Corporation_safari-1_0-1023-141300-229_safari-x86_64-1023-141300-229 has no gpgkey entry and gpgcheck=0

For case 2: notice above that repo ACME_Corporation_Extra_Packages_epel-x86_64 has a gpgkey (not prepended with baseurl) and gpgcheck=1  as stated in comment 15.  Moreover using wget on the gpgkey listed in the repo actually retrieves the gpgkey.

Moving to VERIFIED

Comment 21 Bryan Kearney 2012-12-10 21:42:48 UTC
Bug clean up, these are in the current release.

Note You need to log in before you can comment on or make changes to this bug.