Bug 842827 - Gpg checking issue with custom contents
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: RHUA
Version: 2.1
Priority: high
Severity: unspecified
Assigned To: mkovacik
Duplicates: 845013
Reported: 2012-07-24 12:43 EDT by mkovacik
Modified: 2012-08-24 09:28 EDT
Doc Type: Bug Fix
Doc Text: This update of Red Hat Update Infrastructure now allows you to turn on gpg signature checking for content in a custom repository.
Last Closed: 2012-08-24 07:55:37 EDT
Type: Bug

Attachments:
- Screen log (8.88 KB, text/plain), 2012-07-24 12:43 EDT, mkovacik
- Screen capture showing repository info (2.79 KB, text/plain), 2012-08-01 08:56 EDT, James Slagle
- Screen capture showing custom repo creation (2.63 KB, text/plain), 2012-08-01 08:57 EDT, James Slagle
- Verifying screen log (33.04 KB, text/plain), 2012-08-07 09:11 EDT, mkovacik

Description mkovacik 2012-07-24 12:43:03 EDT
Created attachment 600071
Screen log

Description of problem:
Gpg checking is required for all custom repositories and contents, but the Red Hat fingerprint is deployed in the client repo file.

Version-Release number of selected component (if applicable):
2.0.x, RHEL-6.3-RHUI-2.1-20120705.0-Server-x86_64-DVD1.iso

How reproducible:
Always

Steps to Reproduce:
1. create custom repository
2. upload custom contents __not signed by Red Hat__
3. create client contents entitlement and configuration rpm
4. deploy the configuration and try to install the custom contents
5. gpg issue is reported


Expected results:
No gpg issues with deploying custom contents either signed or not

Additional info:
See the screen log attached (of a recent 2.1 build)
Comment 1 James Slagle 2012-07-27 15:03:48 EDT
committed to cloude
532dcf887a2674efeb57702267459f2806dd94c4
9b40c5c950373e8a0e1ed4d83964daf9a2c9f095
Comment 3 James Slagle 2012-08-01 08:56:59 EDT
Created attachment 601741
Screen capture showing repository info
Comment 4 James Slagle 2012-08-01 08:57:55 EDT
Created attachment 601742
Screen capture showing custom repo creation
Comment 5 James Slagle 2012-08-01 09:07:57 EDT
I've attached 2 screen captures. One shows the new workflow for custom repo creation and the other shows the new information that is displayed on the repo info screen.

These are the changes to the custom repo creation workflow:

You're now asked if you want gpg signature checking turned on for content in a custom repository. If you answer yes, gpgcheck=1 will be set in the repo config generated for that custom repository.

If you answered yes to gpg checking, you're asked if the content will be signed by Red Hat. Answering yes to this will include the path to Red Hat's public gpg key in the repo config under gpgkey.

If you answered yes to gpg checking (and after the Red Hat gpg prompt), you're asked if the content will be signed by a custom gpg key. Answering yes to this will prompt for a path to a public gpg key to include in the repo config under gpgkey. After entering a public gpg key path, you're asked a y/n prompt if you want to enter another key. You can continue entering as many keys as you want.

Some notes:
You're never prompted for a private gpg key. It is still up to the customer to sign any of their custom rpms or generated client configuration rpms with their private gpg key(s) before uploading them to a custom repository in RHUI.

When rpms are uploaded to a custom repository, there's no verification that they're signed by the gpg keys that they're supposed to be signed with. That doesn't happen until a client actually tries to install one of the rpms.
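As an added illustration (not code from this bug or from RHUI itself), the following Python renders a client .repo section from the three answers the prompts in comment 5 describe, and then audits the generated section for the two inconsistent states it can end up in. The Red Hat key path, repo ids and URLs are assumed placeholders.

```python
import configparser

# Assumed placeholder for the Red Hat public key path; not a value from the bug report.
REDHAT_GPG_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"


def build_repo_config(repo_id, baseurl, gpg_check, signed_by_redhat=False, custom_keys=()):
    """Render one .repo section following the prompt order in comment 5.

    gpg_check        -> gpgcheck=1; otherwise gpgcheck=0 and no gpgkey at all
    signed_by_redhat -> add the Red Hat public key under gpgkey
    custom_keys      -> add each customer public key path under gpgkey
    """
    keys = []
    if gpg_check:
        if signed_by_redhat:
            keys.append(REDHAT_GPG_KEY)
        keys.extend(custom_keys)
    lines = [f"[{repo_id}]", f"name={repo_id}", f"baseurl={baseurl}",
             f"gpgcheck={1 if gpg_check else 0}"]
    if keys:
        # yum accepts several key URLs in one gpgkey value, whitespace separated
        lines.append("gpgkey=" + " ".join(keys))
    return "\n".join(lines) + "\n"


def audit_repo_config(text):
    """Flag inconsistent sections in a generated .repo file.

    gpgcheck=1 with no gpgkey: yum has nothing to verify against, so every
    install from the repo fails at signature time.  gpgkey without gpgcheck=1:
    the key is listed but never enforced, so signatures are silently skipped.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    problems = []
    for section in parser.sections():
        gpgcheck = parser.get(section, "gpgcheck", fallback="0").strip()
        gpgkey = parser.get(section, "gpgkey", fallback="").split()
        if gpgcheck == "1" and not gpgkey:
            problems.append(f"{section}: gpgcheck=1 but no gpgkey configured")
        if gpgcheck != "1" and gpgkey:
            problems.append(f"{section}: gpgkey set but gpgcheck is not 1")
    return problems


if __name__ == "__main__":
    # Constructed sample: custom content signed with the customer's own key only.
    cfg = build_repo_config("custom-acme", "https://rhua.example.internal/custom-acme",
                            True, custom_keys=["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-acme"])
    print(cfg)
    print(audit_repo_config(cfg) or "no problems found")
```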
Comment 6 James Slagle 2012-08-02 10:19:14 EDT
*** Bug 845013 has been marked as a duplicate of this bug. ***
Comment 7 mkovacik 2012-08-07 09:11:39 EDT
Created attachment 602745
Verifying screen log

Verified in build: RHEL-6.3-RHUI-2.1-20120801.0-Server-x86_64-DVD1.iso
Now custom protected repos do not require GPG signature checking upon content installation anymore. See the screen log attached.
Comment 8 Shikha 2012-08-16 05:32:29 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
This update of Red Hat Update Infrastructure now allows you to turn on gpg signature checking for content in a custom repository.
Comment 10 errata-xmlrpc 2012-08-24 07:55:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html