Red Hat Bugzilla – Bug 842827
Gpg checking issue with custom contents
Last modified: 2012-08-24 09:28:35 EDT
Created attachment 600071
Description of problem:
GPG checking is required for all custom repositories and contents, but the Red Hat fingerprint is deployed in the client repo file.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create custom repository
2. upload custom contents __not signed by Red Hat__
3. create client contents entitlement and configuration rpm
4. deploy the configuration and try to install the custom contents
5. gpg issue is reported
No GPG issues when deploying custom contents, either signed or not.
See the screen log attached (of a recent 2.1 build)
committed to cloude
Created attachment 601741
Screen capture showing repository info
Created attachment 601742
Screen capture showing custom repo creation
I've attached 2 screen captures. One shows the new workflow for custom repo creation and the other shows the new information that is displayed on the repo info screen.
These are the changes to the custom repo creation workflow:
You're now asked if you want gpg signature turned on for content in a custom repository. If you answer yes, gpgcheck=1 will be set in the repo config generated for that custom repository.
If you answered yes to gpg checking, you're asked if the content will be signed by Red Hat. Answering yes to this will include the path to Red Hat's public gpg key in the repo config under gpgkey.
If you answered yes to gpg checking (and after the Red Hat gpg prompt), you're asked if the content will be signed by a custom gpg key. Answering yes to this will prompt for a path to a public gpg key to include in the repo config under gpgkey. After entering a public gpg key path, you're asked a y/n prompt if you want to enter another key. You can continue entering as many keys as you want.
You're never prompted for a private gpg key. It is still up to the customer to sign any of their custom rpms or generated client configuration rpms with their private gpg key(s) before uploading them to a custom repository in RHUI.
When rpms are uploaded to a custom repository, there's no verification that they're signed by the gpg keys that they're supposed to be signed with. That doesn't happen until a client actually tries to install one of the rpms.
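The two points made above (the generated repo config carrying gpgcheck=1 with one or more gpgkey paths, and the absence of any signature check at upload time) can be exercised with the following added example. It is not RHUI code and not the workflow's own implementation: the repo ID, base URL, key paths and the minimal hand-built RPM bytes are all constructed for the illustration. The stanza builder refuses gpgcheck=1 with no key, since such a repo would fail every install, and the pre-upload check reads only the RPM signature header to find out whether the package carries an OpenPGP signature at all.

```python
"""Added example: emit the yum .repo stanza the custom-repo workflow generates,
and pre-check an RPM for a GPG signature before uploading it to RHUI.
All names, paths and sample bytes are constructed for this illustration."""
import struct
import configparser

# Assumed key locations; the page gives no concrete paths.
RH_RELEASE_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
CUSTOM_KEY = "https://rhui.example.com/pulp/repos/custom-1/RPM-GPG-KEY-acme"


def build_repo_stanza(repo_id, baseurl, gpgcheck, gpg_keys):
    """Return a .repo stanza. Several keys go on one gpgkey value: yum accepts a
    whitespace-separated list of URLs, continuation lines indented."""
    if gpgcheck and not gpg_keys:
        raise ValueError("gpgcheck=1 without any gpgkey: every install would fail")
    lines = [f"[{repo_id}]", f"name={repo_id}", f"baseurl={baseurl}", "enabled=1",
             f"gpgcheck={1 if gpgcheck else 0}"]
    if gpgcheck:
        lines.append("gpgkey=" + "\n       ".join(gpg_keys))
    return "\n".join(lines) + "\n"


def parse_repo_keys(text):
    """Map repo ID -> (gpgcheck enabled, list of key URLs) as yum would read it."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s: (cp.get(s, "gpgcheck", fallback="0") == "1",
                cp.get(s, "gpgkey", fallback="").split()) for s in cp.sections()}


# --- RPM signature-header inspection -----------------------------------------
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
# Signature-header tags that carry an OpenPGP signature (rpm's RPMSIGTAG_* values)
SIG_TAGS = {1002: "PGP (RSA, header+payload)", 1005: "GPG (DSA, header+payload)",
            267: "DSA (header only)", 268: "RSA (header only)"}


def rpm_signature_tags(data):
    """Return the signature tags present in the RPM signature header ([] if unsigned)."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    if data[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, _hsize = struct.unpack(">II", data[off + 8:off + 16])
    found = []
    for i in range(nindex):  # 16-byte index entries follow the 16-byte header
        ent = off + 16 + 16 * i
        tag, _typ, _offset, _count = struct.unpack(">iiii", data[ent:ent + 16])
        if tag in SIG_TAGS:
            found.append(tag)
    return found


def precheck_upload(rpm_bytes, name):
    """(ok, message): reject packages that no gpgcheck=1 client could ever install."""
    tags = rpm_signature_tags(rpm_bytes)
    if not tags:
        return False, f"REJECT {name}: no GPG signature in signature header"
    return True, f"OK {name}: signed ({', '.join(SIG_TAGS[t] for t in tags)})"


def build_sample_rpm(signed):
    """Constructed minimal RPM: lead + signature header + empty main header.
    Only the structure the checker reads is populated; it is not installable."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">hh", 0, 1)
            + b"demo-1.0-1".ljust(66, b"\0") + struct.pack(">hh", 1, 5) + b"\0" * 16)
    entries = [(1000, 4, 0, 1), (1004, 7, 4, 16)]          # SIZE (int32), MD5 (bin)
    payload = struct.pack(">I", 0) + b"\0" * 16
    if signed:
        sig = b"\x89\x01\x33" + b"\x42" * 16               # placeholder, not a real PGP packet
        entries.append((268, 7, len(payload), len(sig)))   # RPMSIGTAG_RSA
        payload += sig
    index = b"".join(struct.pack(">iiii", *e) for e in entries)
    sighdr = (RPM_HEADER_MAGIC + b"\0" * 4
              + struct.pack(">II", len(entries), len(payload)) + index + payload)
    sighdr += b"\0" * (-len(sighdr) % 8)                   # signature header is 8-byte aligned
    mainhdr = RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 0, 0)
    return lead + sighdr + mainhdr


if __name__ == "__main__":
    print(build_repo_stanza("custom-1", "https://rhui.example.com/pulp/repos/custom-1",
                            True, [RH_RELEASE_KEY, CUSTOM_KEY]))
    for signed in (True, False):
        print(precheck_upload(build_sample_rpm(signed), f"demo(signed={signed})")[1])
```

The pre-check only answers "does this package carry a signature"; whether that signature was made by one of the keys on the gpgkey line still needs `rpm -K` (or `rpmkeys --checksig`) with those public keys imported, which is the same verification the client performs at install time.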
*** Bug 845013 has been marked as a duplicate of this bug. ***
Created attachment 602745
Verifying screen log
Verified in build: RHEL-6.3-RHUI-2.1-20120801.0-Server-x86_64-DVD1.iso
Now custom protected repos do not require GPG signature checking upon content installation anymore. See the screen log attached.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
This update of Red Hat Update Infrastructure now allows you to turn on gpg signature checking for content in a custom repository.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.