Katello 3.7 rpm packaged with incorrect gpg key

Problem: katello-client-repos-3.7.0-3.el7.noarch.rpm. While attempting to extract the rpm-gpg key for Katello 3.7 from the aforementioned rpm, I discovered that the included gpg key doesn’t match the package signing.

steps:
rpm2cpio katello-client-repos-3.7.0-3.el7.noarch.rpm | cpio -ivd
cd to the etc/pki/rpm-gpg directory in the extracted package and get the following key, which is 945 bytes in size.
Output of gpg key included in package:

This gpg-key wouldn’t even import.

Went to https://pgp.mit.edu and found https://pgp.mit.edu/pks/lookup?op=get&search=0xE913CD692884ECEF, which I copied as RPM-GPG-KEY-katello.
Was then able to import the key: rpm --import RPM-GPG-KEY-katello
and verify that the rpm matched the key from MIT. The new file is 993 bytes in size, with output:

[root@ap00 rpm-gpg]# cat RPM-GPG-KEY-katello
Expected outcome: katello-client-repos rpms should include correct gpg key out-of-the-box.

Other relevant data:
Until now I’ve been having to disable gpg-checking on katello server and in client join scripts.

Can somebody post the actual key ID 4d0d8597? I tried searching for it with no joy.

Can you tell me a little more about what you were attempting to do? Here’s some of my own console output from experimenting with this RPM:

[root@katello-client ~]# md5sum katello-client-repos-3.7.0-3.el7.noarch.rpm
3deb54f1997ad25c34e9925acb1ce230  katello-client-repos-3.7.0-3.el7.noarch.rpm


[root@katello-client ~]# yum install -y katello-client-repos-3.7.0-3.el7.noarch.rpm


[root@katello-client ~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-katello

[root@katello-client ~]# rpm -K katello-ca-consumer-latest.noarch.rpm
katello-ca-consumer-latest.noarch.rpm: sha1 md5 OK


[root@katello-client ~]# rpm -qi gpg-pubkey-4d0d8597-5ae762bb
Name        : gpg-pubkey
Version     : 4d0d8597
Release     : 5ae762bb
Architecture: (none)
Install Date: Mon 20 Aug 2018 01:00:46 AM UTC
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Mon 30 Apr 2018 06:38:51 PM UTC
Build Host  : localhost
Relocations : (not relocatable)
Packager    : Katello 3.7 <foreman-dev@googlegroups.com>
Summary     : gpg(Katello 3.7 <foreman-dev@googlegroups.com>)
Description :
I was able to import the key and verify the signature of the rpm in question locally.

The key fingerprint is:

pub  2048R/4D0D8597 2018-04-30 Katello 3.7 <foreman-dev@googlegroups.com>
      Key fingerprint = A35E 0E26 E964 DA68 6D1F  BB9D D184 9782 4D0D 8597
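
Added example, not part of the original thread: the name `gpg-pubkey-4d0d8597-5ae762bb` in the `rpm -qi` output above is derived from the key itself (the last 8 hex digits of the fingerprint, then the key creation time in hex), so a key file can be checked against the key ID a package signature reports without importing it. The function names are hypothetical, only version 4 keys are handled, and the sample key is constructed with a filler modulus and the creation time shown in the thread.

```python
import base64
import hashlib
import struct

def dearmor(text):
    """Decode an ASCII-armored block; armor headers end at the first blank line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]
    data = [ln for ln in body if ln and not ln.startswith(("=", "-----"))]
    return base64.b64decode("".join(data))

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet (old or new header format)."""
    hdr = data[0]
    if hdr & 0x40:  # new-format header with a one- or two-octet length
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            return tag, data[2:2 + first]
        if first < 224:
            size = ((first - 192) << 8) + data[2] + 192
            return tag, data[3:3 + size]
        raise ValueError("unsupported length encoding for a key packet")
    tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)  # old format: 1, 2 or 4 length bytes
    if width == 8:
        raise ValueError("indeterminate length not supported")
    return tag, data[1 + width:1 + width + int.from_bytes(data[1:1 + width], "big")]

def key_info(armored):
    """Fingerprint, key ID and rpm database name of a version 4 public key."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    created = int.from_bytes(body[1:5], "big")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return {"fingerprint": fpr, "key_id": fpr[-16:],
            "rpm_name": "gpg-pubkey-%s-%08x" % (fpr[-8:], created)}

def signed_by(info, signer_id):
    """True if a signature's key ID (8 or 16 hex digits) is the tail of this key's ID."""
    sid = signer_id.lower()
    sid = sid[2:] if sid.startswith("0x") else sid
    return len(sid) in (8, 16) and info["key_id"].endswith(sid)

def constructed_key(created=0x5AE762BB):
    """Constructed sample (not a real key): filler modulus, creation time from the thread."""
    modulus = b"\x80" + bytes(range(1, 256))  # 256 bytes, top bit set -> 2048 bits
    body = (b"\x04" + struct.pack(">I", created) + b"\x01" + struct.pack(">H", 2048)
            + modulus + struct.pack(">H", 17) + b"\x01\x00\x01")
    armor = base64.encodebytes(b"\x99" + struct.pack(">H", len(body)) + body).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + armor + "-----END PGP PUBLIC KEY BLOCK-----\n"
```

An 8-digit key ID is only the tail of the fingerprint and can collide, so compare the full fingerprint against one published by the project before trusting a key fetched from a keyserver.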