Bug 824581 - GPG Key added to product/repo not added to existing instances which are subscribed to that product/repo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Content Management
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Dmitri Dolguikh
QA Contact: Og Maciel
URL:
Whiteboard:
: 814118 (view as bug list)
Depends On:
Blocks: 827554 827943
 
Reported: 2012-05-23 19:05 UTC by james labocki
Modified: 2019-09-26 15:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Adding a GPG key to a product repository after creation did not properly set the "gpgcheck" configuration option in the client's repo file. This fix updates the content and configuration files after adding a GPG key, which sets the "gpgcheck" configuration option.
Clone Of:
: 827943 (view as bug list)
Environment:
Last Closed: 2012-12-04 19:46:08 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1543 0 normal SHIPPED_LIVE Important: CloudForms System Engine 1.1 update 2012-12-05 00:39:57 UTC

Description james labocki 2012-05-23 19:05:43 UTC
In SystemEngine, adding a GPG key to a product/repo after it has been created causes gpgkey not to be added on the client's repo file (from subscription-manager plugin). When specifying the GPG key at product creation time it works fine.

Comment 1 Forrest Taylor 2012-05-29 16:00:05 UTC
I have experienced the same issue.  Running `subscription-manager refresh` does not remedy the issue either.

Comment 5 Mike McCune 2012-06-01 22:33:54 UTC
this bug is indeed fixed by 814118:

this repo config on my client was setup before with NO gpg key:

[ACME_Corporation_gpg-testproduct_test-no-gpg]
name = test-no-gpg
baseurl = https://sat-perf-04.idm.lab.bos.redhat.com/pulp/repos/ACME_Corporation/DEV/custom/gpg-testproduct/test-no-gpg
enabled = 1
gpgcheck = 1


I then added a GPG key to that repo and promoted it.  Ran 'subscription-manager refresh && yum repolist' on the client and it showed:

[ACME_Corporation_gpg-testproduct_test-no-gpg]
name = test-no-gpg
baseurl = https://sat-perf-04.idm.lab.bos.redhat.com/pulp/repos/ACME_Corporation/DEV/custom/gpg-testproduct/test-no-gpg
enabled = 1
gpgcheck = 1
gpgkey = https://sat-perf-04.idm.lab.bos.redhat.com/katello/api/repositories/10/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8739679596628872417-key.pem
sslclientcert = /etc/pki/entitlement/8739679596628872417.pem

since the 2 bugs are different behavior I think we should test both scenarios

Comment 8 Og Maciel 2012-09-16 13:17:51 UTC
Scenario #1: Started with a GPG key:

[AlphabetSoup_Zoo_Countries]
name = Countries
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/AlphabetSoup/Cook//custom/Zoo/Countries
enabled = 1
gpgcheck = 1
gpgkey = https://qetello02.usersys.redhat.com/cfse/api/repositories/11/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/4404120300149630446-key.pem
sslclientcert = /etc/pki/entitlement/4404120300149630446.pem

[AlphabetSoup_Zoo_Animals]
name = Animals
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/AlphabetSoup/Cook//custom/Zoo/Animals
enabled = 1
gpgcheck = 1
gpgkey = https://qetello02.usersys.redhat.com/cfse/api/repositories/10/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/4404120300149630446-key.pem
sslclientcert = /etc/pki/entitlement/4404120300149630446.pem

Comment 9 Og Maciel 2012-09-16 16:00:56 UTC
Scenario #2: Started without a GPG key:

Registered and subscribed system:

[Starbucks_Sumatra_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Sumatra/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8070411902983536767-key.pem
sslclientcert = /etc/pki/entitlement/8070411902983536767.pem

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/2672051796109379031-key.pem
sslclientcert = /etc/pki/entitlement/2672051796109379031.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem


I then imported a GPG key and associated it with a product (fwiw provider has 3 different products and only one was selected for association with GPG key via web ui).


[root@qeclient20 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@qeclient20 ~]# yum clean all
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.

Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.

Cleaning repos: Starbucks_Ethiopia_Decaf Starbucks_Komodo_Fair_Trade Starbucks_Komodo_Gold_Coast
              : Starbucks_Sumatra_Decaf
Cleaning up Everything
[root@qeclient20 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.

Please use yum-config-manager to configure which software
repositories are used with Red Hat Subscription Management.

Starbucks_Ethiopia_Decaf                                                                     | 3.7 kB     00:00     
Starbucks_Ethiopia_Decaf/primary_db                                                          | 6.4 kB     00:00     
Starbucks_Komodo_Fair_Trade                                                                  | 2.3 kB     00:00     
Starbucks_Komodo_Fair_Trade/primary_db                                                       | 3.6 kB     00:00     
Starbucks_Komodo_Gold_Coast                                                                  | 2.3 kB     00:00     
Starbucks_Komodo_Gold_Coast/primary_db                                                       | 3.8 kB     00:00     
Starbucks_Sumatra_Decaf                                                                      | 3.4 kB     00:00     
Starbucks_Sumatra_Decaf/primary_db                                                           | 5.4 kB     00:00     
repo id                                                        repo name                                      status
Starbucks_Ethiopia_Decaf                                       Decaf                                          32
Starbucks_Komodo_Fair_Trade                                    Fair Trade                                      3
Starbucks_Komodo_Gold_Coast                                    Gold Coast                                      3
Starbucks_Sumatra_Decaf                                        Decaf                                          10
repolist: 48
[root@qeclient20 ~]# cat /etc/yum.repos.d/redhat.repo 
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos
#

[Starbucks_Sumatra_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Sumatra/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8070411902983536767-key.pem
sslclientcert = /etc/pki/entitlement/8070411902983536767.pem

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/2672051796109379031-key.pem
sslclientcert = /etc/pki/entitlement/2672051796109379031.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem

Comment 13 David Davis 2012-09-20 19:40:14 UTC
I was able to reproduce this bug with the help of Justin. I tried a few different things with Candlepin but nothing seemed to add the gpg key to the client. I checked katello and it's properly storing the key and the gpgUrl in candlepin is there and it is accessible.

Comment 14 David Davis 2012-09-21 16:11:48 UTC
I fixed the bug where gpg key was not getting set. I've opened the pull request that should send the gpg key to the repos on the system:

https://github.com/Katello/katello/pull/729
SHA: fb5744d123ac6e32f86192ce29fdcb6b50f5e209

However, even though the gpg key is getting set properly now, gpgcheck still is set to 0 instead of 1. I've asked the candlepin guys to look into this. The gpgcheck bug is here:

https://bugzilla.redhat.com/show_bug.cgi?id=859434

Comment 15 Mike McCune 2012-09-24 21:02:42 UTC
what is really strange is I reproduced the issue above where the gpgcheck value was stuck at 0... 

I walked away from my desk and came back to the issue a few hours later and the gpgcheck was updated to 1:

before:

[ACME_Corporation_Random_random-noarch]
name = random-noarch
baseurl = https://dhcp77-129.rhndev.redhat.com/pulp/repos/ACME_Corporation/dev//custom/Random/random-noarch
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/6687192850652944804-key.pem
sslclientcert = /etc/pki/entitlement/6687192850652944804.pem

after:

[ACME_Corporation_Random_random-noarch]
name = random-noarch
baseurl = https://dhcp77-129.rhndev.redhat.com/pulp/repos/ACME_Corporation/dev//custom/Random/random-noarch
enabled = 1
gpgcheck = 1
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/6687192850652944804-key.pem
sslclientcert = /etc/pki/entitlement/6687192850652944804.pem

I'm not sure yet what timing issue we are having .. will do a bit more digging

Comment 16 David Davis 2012-09-24 22:40:03 UTC
Whoa. Let me know what you find or let me know if I should take a look at it tomorrow.

Comment 17 David Davis 2012-10-01 14:33:27 UTC
Sorry the katello commit SHA is actually a609539ac3b4f9f72c155f15b7521ad4bfd1f429 and not fb5744d123ac6e32f86192ce29fdcb6b50f5e209.

Comment 19 David Davis 2012-10-01 20:56:19 UTC
Moving back to assigned as bug fix was reverted. I'll get with Justin and find out how to fix this problem without affecting the creation of repos.

Comment 20 David Davis 2012-10-05 17:13:06 UTC
Assigning to Dmitri as I believe he was working on a fix in Candlepin. Dmitri, let me know if I need to do anything in Katello. Thanks.

Comment 22 Dmitri Dolguikh 2012-10-08 13:41:35 UTC
fixed in 352d4dd6eb120ccd238658d7f8593163d77a8af2 in katello master.

Comment 24 Og Maciel 2012-10-09 15:01:17 UTC
Before adding a GPG key:

[root@qeclient01 ~]# cat /etc/yum.repos.d/redhat.repo 
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos
#

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/3030170799466065509-key.pem
sslclientcert = /etc/pki/entitlement/3030170799466065509.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/792282951203242299-key.pem
sslclientcert = /etc/pki/entitlement/792282951203242299.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/792282951203242299-key.pem
sslclientcert = /etc/pki/entitlement/792282951203242299.pem

After adding the gpg key

[root@qeclient01 ~]# cat /etc/yum.repos.d/redhat.repo 
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider 
# a "yum repolist" to refresh available repos
#

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/3030170799466065509-key.pem
sslclientcert = /etc/pki/entitlement/3030170799466065509.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
gpgkey = https://qetello04.usersys.redhat.com/cfse/api/repositories/38/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/7280119511062001365-key.pem
sslclientcert = /etc/pki/entitlement/7280119511062001365.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
gpgkey = https://qetello04.usersys.redhat.com/cfse/api/repositories/37/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/7280119511062001365-key.pem
sslclientcert = /etc/pki/entitlement/7280119511062001365.pem


So the gpg key bit was added to my client's repo file but gpgcheck is still disabled. I am not sure what version of candlepin this BZ requires to properly verify though. My environment:

* candlepin-0.7.8.1-1.el6cf.noarch
* candlepin-selinux-0.7.8.1-1.el6cf.noarch
* candlepin-tomcat6-0.7.8.1-1.el6cf.noarch
* katello-1.1.12-14.el6cf.noarch
* katello-all-1.1.12-14.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-7.el6cf.noarch
* katello-cli-common-1.1.8-7.el6cf.noarch
* katello-common-1.1.12-14.el6cf.noarch
* katello-configure-1.1.9-7.el6cf.noarch
* katello-glue-candlepin-1.1.12-14.el6cf.noarch
* katello-glue-pulp-1.1.12-14.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Comment 25 Dmitri Dolguikh 2012-10-09 15:14:58 UTC
Katello/System Engine has no control over that setting. I'm not entirely sure about the details of the process, but the yum repo config file is probably being updated by the subscription-manager yum plugin, which takes time to pull updates from candlepin.

I'd suggest leaving things as they are and coming back later to check the state of the flag.

Comment 26 Mike McCune 2012-10-09 16:12:05 UTC
So you are hitting this RHSM bug:

https://bugzilla.redhat.com/show_bug.cgi?id=834125

if you do a:

# rm /etc/yum.repos.d/redhat.repo
# yum repolist 

you should see gpgcheck = 1

I tried qeclient01:

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 1
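
A client-side check for the repo-file states shown in this thread, as an added example that is not part of the original bug report or of Katello, Candlepin or subscription-manager: it parses redhat.repo-style text and flags enabled repositories whose gpgcheck/gpgkey settings are inconsistent. The function name, the finding strings and the satellite.example.com host are assumptions made for the example, and the sample stanzas are constructed.

```python
import configparser

# Constructed sample: one stanza per state seen in the thread, on a placeholder host.
SAMPLE_REPO = """\
# Managed by (rhsm) subscription-manager
[Starbucks_Ethiopia_Decaf]
baseurl = https://satellite.example.com/pulp/repos/Starbucks/Demi/custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0

[Starbucks_Komodo_Fair_Trade]
baseurl = https://satellite.example.com/pulp/repos/Starbucks/Demi/custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
gpgkey = https://satellite.example.com/cfse/api/repositories/37/gpg_key_content

[ACME_Corporation_gpg-testproduct_test-no-gpg]
baseurl = https://satellite.example.com/pulp/repos/ACME_Corporation/DEV/custom/gpg-testproduct/test-no-gpg
enabled = 1
gpgcheck = 1

[Starbucks_Komodo_Gold_Coast]
baseurl = https://satellite.example.com/pulp/repos/Starbucks/Demi/custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 1
gpgkey = https://satellite.example.com/cfse/api/repositories/38/gpg_key_content
"""


def audit_repo_text(text):
    """Return {repo_id: finding} for enabled repos with inconsistent signature settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        try:
            if not repo.getboolean("enabled", fallback=True):
                continue  # disabled repos are not installed from
            gpgcheck = repo.getboolean("gpgcheck", fallback=None)
        except ValueError:
            findings[repo_id] = "unparseable boolean"
            continue
        has_key = bool(repo.get("gpgkey", "").strip())
        if gpgcheck is None:
            # Assumption: an unset per-repo value falls back to the global yum.conf setting.
            findings[repo_id] = "gpgcheck unset"
        elif not gpgcheck and has_key:
            findings[repo_id] = "stale: gpgkey present but gpgcheck = 0"  # state in comment 24
        elif not gpgcheck:
            findings[repo_id] = "unsigned: gpgcheck = 0 and no gpgkey"
        elif not has_key:
            findings[repo_id] = "gpgcheck = 1 but no gpgkey listed"  # first stanza in comment 5
    return findings


if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE_REPO).items():
        print(f"{repo_id}: {finding}")
```

On a real client the input would be the contents of /etc/yum.repos.d/redhat.repo; a "stale" finding matches the state that comment 26 clears by removing the file and running yum repolist.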

Comment 27 Og Maciel 2012-10-09 16:14:23 UTC
Verified:

* candlepin-0.7.8.1-1.el6cf.noarch
* candlepin-selinux-0.7.8.1-1.el6cf.noarch
* candlepin-tomcat6-0.7.8.1-1.el6cf.noarch
* katello-1.1.12-14.el6cf.noarch
* katello-all-1.1.12-14.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-7.el6cf.noarch
* katello-cli-common-1.1.8-7.el6cf.noarch
* katello-common-1.1.12-14.el6cf.noarch
* katello-configure-1.1.9-7.el6cf.noarch
* katello-glue-candlepin-1.1.12-14.el6cf.noarch
* katello-glue-pulp-1.1.12-14.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Comment 28 Mike McCune 2012-10-09 19:17:56 UTC
*** Bug 814118 has been marked as a duplicate of this bug. ***

Comment 30 errata-xmlrpc 2012-12-04 19:46:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

Comment 31 Mike McCune 2013-08-16 18:15:00 UTC
getting rid of 6.0.0 version since that doesn't exist

