Hide Forgot
as per #803428, subscription-manager never sets the gpgcheck variable in yum repo configuration files to anything other than the default gpgcheck=1. It should get this info from the content cert (it exists in the oid, and the content certificate object) and populate it in the repo file. Note that current versions of candlepin do not populate this field in the entitlement cert, so both will need to be updated.
Whoever picks this up should double check on the OID, I can't find one for gpgcheck. I see enabled just below GPG key but I believe that is repo enabled, not GPG enabled. Suggestion from other thread is to see if we can assume empty GPG key URL implies gpgcheck disabled and consider the problem solved.
Fixed in subscription-manager.git 6381e7c041b9822cbebb526ebb374c65dde615f3 Will appear in subscription-manager-0.99.12-1.
Verifying Version.... [root@jsefler-r63-server ~]# rpm -q subscription-manager subscription-manager-0.99.14-1.el6.x86_64 To test this bug, the following content with gpg_url=null and gpg_url="" was added to the test_data.json that is used to deploy candlepin with TESTDATA and the content was included in the "Awesome OS Server Bits" product. { "name": "content-nogpg", "id": 234, "label": "content-label-no-gpg", "type": "yum", "vendor": "test-vendor", "content_url": "/foo/path", "metadata_expire": 0 }, { "name": "content-emptygpg", "id": 235, "label": "content-label-empty-gpg", "type": "yum", "vendor": "test-vendor", "content_url": "/foo/path", "gpg_url": "", "metadata_expire": 0 }, After re-deploying the candlepin server with the data above, I registered a client and consumed the entitlements as shown below... [root@jsefler-r63-server ~]# subscription-manager register --username testuser1 --password password --org admin The system has been registered with id: f2afc97e-f745-4d8f-84ae-512401cb3d5f [root@jsefler-r63-server ~]# subscription-manager list --avail | grep awesomeos-server-basic -A1 Product Id: awesomeos-server-basic Pool Id: 8a90f81436bc924b0136bc9341a80264 -- Product Id: awesomeos-server-basic Pool Id: 8a90f81436bc924b0136bc9341e00272 -- Product Id: awesomeos-server-basic-me Pool Id: 8a90f81436bc924b0136bc93429a028c -- Product Id: awesomeos-server-basic-me Pool Id: 8a90f81436bc924b0136bc9342c10299 [root@jsefler-r63-server ~]# subscription-manager subscribe --pool 8a90f81436bc924b0136bc9341a80264 Successfully consumed a subscription from the pool with id 8a90f81436bc924b0136bc9341a80264. [root@jsefler-r63-server ~]# yum repolist 2>/dev/null Loaded plugins: product-id, refresh-packagekit, security, subscription- : manager Updating certificate-based repositories. repo id repo name status always-enabled-content always-enabled-content 0 content-label content 0 content-label-empty-gpg content-emptygpg 0 content-label-no-gpg content-nogpg 0 repolist: 0 [root@jsefler-r63-server ~]# [root@jsefler-r63-server ~]# cat /etc/yum.repos.d/redhat.repo # # Certificate-Based Repositories # Managed by (rhsm) subscription-manager # # If this file is empty and this system is subscribed consider # a "yum repolist" to refresh available repos # [content-label-empty-gpg] name = content-emptygpg baseurl = https://cdn.redhat.com/foo/path enabled = 1 gpgcheck = 0 sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem sslclientkey = /etc/pki/entitlement/5246619256293308175-key.pem sslclientcert = /etc/pki/entitlement/5246619256293308175.pem metadata_expire = 0 [content-label] name = content baseurl = https://cdn.redhat.com/foo/path enabled = 1 gpgcheck = 1 gpgkey = https://cdn.redhat.com/foo/path/gpg/ sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem sslclientkey = /etc/pki/entitlement/5246619256293308175-key.pem sslclientcert = /etc/pki/entitlement/5246619256293308175.pem metadata_expire = 0 [content-label-no-gpg] name = content-nogpg baseurl = https://cdn.redhat.com/foo/path enabled = 1 gpgcheck = 0 sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem sslclientkey = /etc/pki/entitlement/5246619256293308175-key.pem sslclientcert = /etc/pki/entitlement/5246619256293308175.pem metadata_expire = 0 [always-enabled-content] name = always-enabled-content baseurl = https://cdn.redhat.com/foo/path/always/$releasever enabled = 1 gpgcheck = 1 gpgkey = https://cdn.redhat.com/foo/path/always/gpg sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem sslclientkey = /etc/pki/entitlement/5246619256293308175-key.pem sslclientcert = /etc/pki/entitlement/5246619256293308175.pem metadata_expire = 200 [never-enabled-content] name = never-enabled-content baseurl = https://cdn.redhat.com/foo/path/never enabled = 0 gpgcheck = 1 gpgkey = https://cdn.redhat.com/foo/path/never/gpg sslverify = 1 sslcacert = /etc/rhsm/ca/redhat-uep.pem sslclientkey = /etc/pki/entitlement/5246619256293308175-key.pem sslclientcert = /etc/pki/entitlement/5246619256293308175.pem metadata_expire = 600 [root@jsefler-r63-server ~]# Notice in the yum redhat.repo above that gpgcheck is now set to 0 for content-label-no-gpg and content-label-empty-gpg where there is no gpgkey since there was no gpg_url in the content namespace. Moving to VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0804.html