Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 846405

Summary: having imported public key, custom content available for installation even though the key is not present in the repo file gpgkey entry
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: mkovacik
Component: Tools
Assignee: wes hayutin <whayutin>
Status: CLOSED NOTABUG
QA Contact: mkovacik
Severity: unspecified
Priority: high
Version: 2.1
CC: jslagle, tsanders, whayutin
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-09 15:07:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
- Screen log (flags: none)
- Rhel content screen log (flags: none)

Description mkovacik 2012-08-07 16:57:51 UTC
Created attachment 602809 [details]
Screen log

Description of problem:
Having previously imported a GPG public key, one is able to install custom signed content from a custom repository even though its repo file is set up such that only Red Hat content should be available to install.

Version-Release number of selected component (if applicable):
RHEL-6.3-RHUI-2.1-20120801.0-Server-x86_64-DVD1.iso

How reproducible:
1 of 1


Steps to Reproduce:
1. create custom protected repo with GPG checking enabled, _Red Hat content only_
2. upload Red Hat signed content
3. create entitlement and config rpm for the custom repository
4. on a client, import custom content gpg public key
5. on the client, install the custom content configuration rpm
6. install Red Hat content
7. install custom signed content, which shouldn't pass

Actual results:
Having imported a custom content public key, one is able to install the content even though the repo file should prevent that.

Expected results:
Client is able to install only Red Hat content

Additional info:
- see the screen log attached
- especially the installation of ksh (line 652)

Comment 1 mkovacik 2012-08-07 17:17:35 UTC
Created attachment 602815 [details]
Rhel content screen log

The same observed with "disabled" Red Hat content. See the screen log.

Comment 2 James Slagle 2012-08-09 13:12:10 UTC
What custom content was uploaded to the repository?  In the steps to reproduce, you say you only upload Red Hat content.  It's hard to determine which rpms you intend to show as Red Hat content vs custom content in the screen log (e.g., is ksh Red Hat content or custom content?).

I think the thing to keep in mind here is that the gpgkey setting in the yum repo config is keys that should be imported *only if* a package is encountered that is signed by a gpg key that is not already imported.  Just removing a gpg key from that config option is not going to prevent yum from installing packages signed with that key if the key has already been imported into rpm's gpg keyring.  Check the man page for yum.conf for a better explanation of how this works.  They probably do a better job of explaining it than I do.

But based on what I gather from your steps and screen log, I'm thinking this is not a bug.

Comment 3 wes hayutin 2012-08-09 13:37:20 UTC
The error:

================================================================================================================================================================================
 Package                             Arch                                   Version                                     Repository                                         Size
================================================================================================================================================================================
Installing:
 rsh                                 x86_64                                 0.17-60.el6                                 rhui-custom-10000                                  47 k

Transaction Summary
================================================================================================================================================================================
Install       1 Package(s)

Total size: 47 k
Installed size: 77 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 86a9d71a: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-RPM-GPG-Key-mkovacik


The GPG keys listed for the "Custom Repositories - 10000" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Could you please add the output of  rpm --checksig -v rsh-$package

Comment 4 mkovacik 2012-08-09 13:46:01 UTC
I'm sorry for the confusion; here, just the zsh rpm is considered Red Hat content as I haven't tampered with the signature on it. The rest (bhello, ksh, rsh) are custom in the sense that I've either removed the signature from them (bhello), re-signed them with a key that is uploaded during the custom repo creation (ksh), or re-signed them with a key that isn't uploaded (rsh).

With regard to imported vs not imported keys and the content of the gpgkey variable in repo files---if this is expected, no problem with me---please switch to Not a bug...

### Screen log showing the keys used on the rpms
[mkovacik@malina gpg_testing]$ find ./ -name "*.rpm" -exec rpm --checksig -v {} \; 
./my_bad/rsh-0.17-60.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 86a9d71a: NOKEY
    Header SHA1 digest: OK (f6f4437372de90308c25e3f11d190648eb9c8998)
    V4 RSA/SHA1 Signature, key ID 86a9d71a: NOKEY
    MD5 digest: OK (448f6d2fab98d43a3eca10b55f06964b)
./rhel/zsh-4.3.10-5.el6.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (9cbd12948cb95d5f142dbf466934a7da75e62e69)
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK (bd4253a4570ac038d06b6a150d37210d)
./none/bhello-0.1-1.el6.x86_64.rpm:
    Header SHA1 digest: OK (2cadb1af593542e8666dfe754f9532372869b1bf)
    MD5 digest: OK (cfcf6632bdd83bb01bcdf08e19d117ca)
./my_good/ksh-20100621-16.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID e626211f: OK
    Header SHA1 digest: OK (a5e906b183aeece1f179f3f96619300b775bc684)
    V4 RSA/SHA1 Signature, key ID e626211f: OK
    MD5 digest: OK (c49f2e7a59d3253d495626c3342f6bac)

Comment 5 wes hayutin 2012-08-09 14:47:46 UTC
k.. matching the keys..
[root@domU-12-31-39-16-B9-17 ~]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security>)
gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security>)
gpg-pubkey-e626211f-501f6ffd --> gpg(Milan Kovacik <mkovacik>)

gpg-pubkey-fd431d51-4ae0493b RH
gpg-pubkey-2fa658e0-45700c69 RH
gpg-pubkey-e626211f-501f6ffd Milan

rsh (key not imported) should fail
zsh (rh key) pass
bhello (no key) fail
ksh  (milan key) pass

Milan's actual results:

* rsh fail message = The GPG keys listed for the "Custom Repositories - 10000" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository. (fail)
* zsh.x86_64 0:4.3.10-5.el6 (pass)
* Package bhello-0.1-1.el6.x86_64.rpm is not signed (fail)
* ksh.x86_64 0:20100621-16.el6 (pass)

I suspect name collision on milan's two custom keys..
This is one..
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-RPM-GPG-Key-mkovacik

Milan what is the other one called and what is the path??

I believe the gpg key that is protecting rsh is not the key listed in the repo file or there is a name collision.  Milan please provide the requested info.

Thanks!

Comment 6 wes hayutin 2012-08-09 14:49:42 UTC
FYI.. use comment 4 and 5 together... 
4 has the gpg sig of the rpms..

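Matching signature key IDs against the rpm keyring by hand, as comments 4 and 5 do, is easy to get wrong, so here is an added Python example (not from the bug report, and not yum's or RHUI's own code) that parses the `rpm --checksig -v` output from comment 4 and the `rpm -q gpg-pubkey` output from comment 5 and applies the rule James Slagle states in comment 2: the rpm keyring is consulted first, and the repo's gpgkey entry only when the signing key is absent. The sample inputs are embedded copies of those two outputs. The assumption that the file named in the gpgkey= entry carries only Milan's key e626211f is mine, as are the verdict labels (apart from the two yum messages quoted from the screen log).

```python
"""Replay yum's GPG decision for the four test rpms from bug 846405.

Added example, not code from the bug report or from yum/RHUI.
"""
import re

# Constructed sample input: rpm --checksig -v output quoted in comment 4.
CHECKSIG_OUTPUT = """\
./my_bad/rsh-0.17-60.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID 86a9d71a: NOKEY
    Header SHA1 digest: OK (f6f4437372de90308c25e3f11d190648eb9c8998)
    V4 RSA/SHA1 Signature, key ID 86a9d71a: NOKEY
    MD5 digest: OK (448f6d2fab98d43a3eca10b55f06964b)
./rhel/zsh-4.3.10-5.el6.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (9cbd12948cb95d5f142dbf466934a7da75e62e69)
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK (bd4253a4570ac038d06b6a150d37210d)
./none/bhello-0.1-1.el6.x86_64.rpm:
    Header SHA1 digest: OK (2cadb1af593542e8666dfe754f9532372869b1bf)
    MD5 digest: OK (cfcf6632bdd83bb01bcdf08e19d117ca)
./my_good/ksh-20100621-16.el6.x86_64.rpm:
    Header V4 RSA/SHA1 Signature, key ID e626211f: OK
    Header SHA1 digest: OK (a5e906b183aeece1f179f3f96619300b775bc684)
    V4 RSA/SHA1 Signature, key ID e626211f: OK
    MD5 digest: OK (c49f2e7a59d3253d495626c3342f6bac)
"""

# Constructed sample input: rpm -q gpg-pubkey output quoted in comment 5.
KEYRING_OUTPUT = """\
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security>)
gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security>)
gpg-pubkey-e626211f-501f6ffd --> gpg(Milan Kovacik <mkovacik>)
"""

# Assumption: the file in the repo's gpgkey= entry holds only Milan's key.
REPO_GPGKEY_IDS = frozenset({"e626211f"})

# Payload signature line ("    V4 RSA/SHA1 Signature, key ID xxxxxxxx: OK");
# the "Header V4 ..." line is deliberately not matched.
_SIG_RE = re.compile(r"^\s+V\d+ .*Signature, key ID ([0-9a-f]+): (\w+)$")


def parse_checksig(text):
    """Map each rpm file name to the short key ID that signed it (None if unsigned)."""
    signers = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].rsplit("/", 1)[-1]
            signers[current] = None
        else:
            m = _SIG_RE.match(line)
            if m and current is not None:
                signers[current] = m.group(1)
    return signers


def parse_keyring(text):
    """Short key IDs of the gpg-pubkey pseudo-packages in the rpm database."""
    return frozenset(re.findall(r"^gpg-pubkey-([0-9a-f]{8})-", text, re.M))


def decide(signer, keyring, repo_gpgkeys):
    """Return (verdict, keyring_after) for one package, following comment 2:
    an already-imported key is trusted regardless of the gpgkey= entry, and
    gpgkey= is only consulted when the signing key is not in the keyring."""
    if signer is None:
        return "fail: package is not signed", keyring
    if signer in keyring:
        return "pass: signing key already in rpm keyring", keyring
    if signer in repo_gpgkeys:
        return "pass: key imported from gpgkey entry", keyring | {signer}
    if repo_gpgkeys <= keyring:
        return ("fail: GPG keys listed for the repository are already installed "
                "but they are not correct for this package"), keyring
    return "fail: imported gpgkey does not sign this package", keyring | repo_gpgkeys


def replay(checksig_text, keyring_text, repo_gpgkeys):
    """Verdict per rpm, carrying forward any keys imported along the way."""
    keyring = parse_keyring(keyring_text)
    verdicts = {}
    for pkg, signer in parse_checksig(checksig_text).items():
        verdict, keyring = decide(signer, keyring, repo_gpgkeys)
        verdicts[pkg] = verdict
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in replay(CHECKSIG_OUTPUT, KEYRING_OUTPUT, REPO_GPGKEY_IDS).items():
        print(f"{pkg}: {verdict}")
```

Run as-is it reproduces the outcome in comment 5: rsh fails with the "already installed but not correct" message, bhello fails as unsigned, ksh passes, and zsh passes even though the Red Hat key fd431d51 is nowhere in the gpgkey= entry, which is exactly why trimming gpgkey= cannot restrict a client to Red Hat content once the other key is in the rpm database. Dropping e626211f from the keyring while leaving it in gpgkey= shows the other half of the rule: the key is imported on demand and ksh still installs.
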
Comment 7 mkovacik 2012-08-09 15:07:38 UTC
Agreed with dev that this is rather desired behavior