Hide Forgot
Issue: ------ If user creates a third party repo without associating any GPG keys, syncs content and associates it with a system, that system will be unable to (by default) pull down the content. It may be the case that this only occurs when there are packages in said repo that are signed but no key is provided/associated - not sure of the exact circumstances That is to say, even though I have never explicitly associated a GPG key with my repo, the creation of the repo attributes in redhat.repo are nonetheless getting set to GPG checking. Fix: ---- The solution to this would require fixes across katello and subscription-manager. This bz is for the katello side of things; an associated subscription-manager bz should be written up separately The fix would invove - * Subscription manager: Remove the default of "gpgcheck = 1", which cannot currently be overridden, from subscription manager - or at least allow upstream clients to enable/disable gpgchecking * Katello: Add logic akin to if katello.repo(!gpgkey) then rhsm.gpgcheck == 0 else rhsm.gpgcheck = 1 Business case: -------------- The end result is fairly undesirable: user cannot, by default, pull down content from these repos, at least not without (presumably) using --nogpg. But it seems to me that customers might have (security) policies in place disallowing use of --nogpg. Other notes: jweiss: "seems to me gpgcheck=1 is correct. if the packages are signed they should be checked by default. if they are not signed, there's no problem" This makes sense to some degree, but I still think there's a case to be made that users might create repos that have an assortment of signed and unsigned packages that, for whatever reason, they have explicitly not associated a gpg key with the repo, and don't want checking to take place. alikins (who corrected some of my initial misstatements re: candlepin): "More specifically, susbcription-manager has a default of gpgcheck=1. (and no way to override that) And, in the code that populates the repo info, gpgcheck is not one of the fields that are populate with info from candlepin. And, candlepin neither stores, nor sends that info to subscription-manager. (there is an OID allocated for it though, and python-rhsm support for getting it)."
Are you getting gpgkey set to empty string in the repo files? My initial thought is to have subscription manager set gpgcheck = 0 if the gpgkey is empty, but that would require a client change. Is that out of the question due to "we must support shipped versions of subscription-manager" issues? I actually can't see any way out of this without a client update. We can also make gpgcheck a mutable repo property so it will be preserved, but again this is a client change in repolib.py. The larger solution would be adding a new OID for gpgcheck to the OID schema, get the server populating it, get python-rhsm reading it, and subscription-manager writing it. To me though I don't think this is necessary. I would propose that by default we set gpgcheck to 0 if gpgkey is empty, and flip the mutable switch on it so it will be preserved in any situation where the user wishes to override it regardless.
Pretty sure this is going to need a client change as well. At the moment the client is hardcoded for gpgcheck=1. The OID schema already has a attr for gpgcheck. But... 1) the client doesn't do anything with it 2) candlepin never actually set's it So we always fall back to the default of enabled.
Hi Kedar, could you find your entitlement certificate in /etc/pki/entitlement and run a command like this on it, and paste the output back into this bz: openssl x509 -text -in 7470122332792627778.pem
It looks like somewhere along the way you set a GPG key url: 1.3.6.1.4.1.2312.9.2.1334099306636.1.7: .Qhttps://scalpel.lab.eng.pnq.redhat.com/katello/api/repositories/1/gpg_key_content Because this is present subscription-manager is assuming it should enable gpg key checking by default. Need to get this URL *off* the content, if the oid is empty it should pick up and disable gpgcheck. Was this set in some Katello screen when the custom content was created? Can you try editing it to be blank? If this does not work, could you report back, but also try with a new custom repo. (we are unsure if an edit will trickle down to candlepin)
I have not added any GPGkeys, nor I am able to access the dir on the box. Me not sure how to get it to be blank, as I have not added any gpgkeys. Also on the SE node, [root@xxxxx fed16]# pwd /var/lib/pulp/published/gpg/ACME_Corporation/Library/custom/Fedora16/fed16 [root@xxxxx fed16]# ls [root@xxxxx fed16]#
The above dir shows that it has no gpgkeys added. For a moment I thought, may be as the below custom url http://download.eng.pnq.redhat.com/pub/fedora/linux/releases/16/Fedora/x86_64/os/ has the gpgkeys with it, I decided to try it out using the katello repo and it still produces the gpgkeyurl for the same. 1.3.6.1.4.1.2312.9.2.1334288937635.1.1: ..katello2 1.3.6.1.4.1.2312.9.2.1334288937635.1.2: .!ACME_Corporation_Katello_katello2 1.3.6.1.4.1.2312.9.2.1334288937635.1.5: ..Custom 1.3.6.1.4.1.2312.9.2.1334288937635.1.6: .-/ACME_Corporation/Dev/custom/Katello/katello2 1.3.6.1.4.1.2312.9.2.1334288937635.1.7: .Shttps://scalpel.lab.eng.pnq.redhat.com/katello/api/repositories/585/gpg_key_content 1.3.6.1.4.1.2312.9.2.1334288937635.1.8:
This is not necessarily something that would just be picked up from the content directory, it's more likely something that was set when the custom content was created in Katello.
After investigation, we did find that as part of creating a repository Katello is always passing in a gpgurl to Candlepin for custom products/repos, even if the repo does not have a GPG key defined (provisioned within Katello).
katello commit - 398c73bacda9d3517d2b0d667cf8d171742046bf This commit contains a small modification so that during creation of a product in candlepin, katello will only pass in the gpgurl, if a gpgkey has been defined for the repository within katello. This applies only to custom products. With this change, when a user uses subscription-manager to subscribe to the content, if that content doesn't have a gpgkey defined in katello the redhat.repo will have gpgcheck=0; otherwise, it will have gpgcheck=1 with a url pointing to where it can be downloaded from katello.
[root@yyyyy yum.repos.d]# cat redhat.repo && cat /etc/redhat-release && rpm -qav | grep -i subscription-manager # # Certificate-Based Repositories # Managed by (rhsm) subscription-manager # [ACME_Corporation_Fedora16_fed16] name = fed16 baseurl = https://xxx.redhat.com/pulp/repos/ACME_Corporation/Dev/custom/Fedora16/fed16 enabled = 1 gpgcheck = 0 sslverify = 1 sslcacert = /etc/rhsm/ca/candlepin-local.pem sslclientkey = /etc/pki/entitlement/1066768550348597706-key.pem sslclientcert = /etc/pki/entitlement/1066768550348597706.pem Red Hat Enterprise Linux Server release 6.2 (Santiago) subscription-manager-0.99.15-1.el6.x86_64 [root@xxxxx ~]# rpm -qav | grep -i katello katello-glue-candlepin-0.1.311-1.el6_2.noarch katello-common-0.1.311-1.el6_2.noarch katello-configure-0.1.107-1.el6.noarch katello-candlepin-cert-key-pair-1.0-1.noarch katello-cli-common-0.1.107-1.el6.noarch katello-glue-pulp-0.1.311-1.el6_2.noarch katello-selinux-0.1.10-1.el6.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-qpid-client-key-pair-1.0-1.noarch katello-certs-tools-1.0.4-1.el6.noarch katello-glue-foreman-0.1.311-1.el6_2.noarch katello-0.1.311-1.el6_2.noarch katello-all-0.1.311-1.el6_2.noarch katello-cli-0.1.107-1.el6.noarch [root@xxxxxx ~]# rpm -qav | grep -i candlepin katello-glue-candlepin-0.1.311-1.el6_2.noarch katello-candlepin-cert-key-pair-1.0-1.noarch candlepin-0.5.26-1.el6.noarch candlepin-tomcat6-0.5.26-1.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-0662.html
getting rid of 6.0.0 version since that doesn't exist