Problem: katello-client-repos-3.7.0-3.el7.noarch.rpm. While attempting to extract the rpm-gpg key for katello 3.7 from the aforementioned rpm, I discovered that the included gpg-key doesn’t match the package signing.
Steps:
rpm2cpio katello-client-repos-3.7.0-3.el7.noarch.rpm | cpio -ivd
cd to the etc/pki/rpm-gpg directory in the extracted package and get the following key, which is 945 bytes in size.
Output of gpg key included in package:
This gpg-key wouldn’t even import.
Went to https://pgp.mit.edu and found https://pgp.mit.edu/pks/lookup?op=get&search=0xE913CD692884ECEF, which I copied as RPM-GPG-KEY-katello.
Was then able to import the key: rpm --import RPM-GPG-KEY-katello
and verify that the rpm matched the key from MIT. The new file is 993 bytes in size with output:
Expected outcome: katello-client-repos rpms should include correct gpg key out-of-the-box.
Other relevant data:
Until now I’ve been having to disable gpg-checking on katello server and in client join scripts.
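Added example (not part of the original post, and not Katello project code): a shell check that compares the key ID that signed an RPM with the key IDs inside a candidate key file, so a mismatched packaged key can be caught without turning gpg-checking off. The function names are hypothetical, and `check_rpm_key` assumes `rpm` plus GnuPG 2.2 or later (for `--show-keys`).

```shell
#!/usr/bin/env bash
# Added example: does the key file contain the key that signed the RPM?

# Pull the 16-hex-digit key ID out of rpm's ":pgpsig" text, e.g.
# "RSA/SHA256, <date>, Key ID e913cd692884ecef". Prints nothing if unsigned.
sig_keyid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Read `gpg --with-colons` output on stdin and print the key IDs
# (field 5) of every primary key and subkey, lower-cased.
key_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print tolower($5) }'
}

# Succeed only if key ID $1 is non-empty and appears in the
# newline-separated list $2.
keyid_in_list() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qxiF "$1"
}

# check_rpm_key PKG.rpm KEYFILE
# Returns 0 on match, 1 on mismatch, 2 if unsigned, 3 if the key is unreadable.
check_rpm_key() {
    local sig id ids
    sig=$(rpm -qp --nosignature \
        --qf '%{RSAHEADER:pgpsig}\n%{SIGPGP:pgpsig}\n' "$1") || return 2
    id=$(sig_keyid "$sig")
    [ -n "$id" ] || { echo "no signature key ID found in $1" >&2; return 2; }
    ids=$(gpg --show-keys --with-colons "$2" 2>/dev/null | key_ids)
    [ -n "$ids" ] || { echo "$2 holds no parsable OpenPGP key" >&2; return 3; }
    if keyid_in_list "$id" "$ids"; then
        echo "OK: $1 is signed by $id, which is present in $2"
    else
        echo "MISMATCH: $1 is signed by $id; $2 holds: $(echo $ids)" >&2
        return 1
    fi
}

# Run the check only when called with a package and a key file.
if [ "$#" -eq 2 ]; then check_rpm_key "$1" "$2"; fi
```

A key ID match only shows that the file holds the signing key; whether that key is the project's genuine one still has to be confirmed against a fingerprint obtained from a trusted channel.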