Hi all,
I've recently added the katello agent 3.0 repo to my katello 3.0rc4 instance,
synced it, and am attempting to update packages on some test hosts. The repo is
configured with a GPG key per the one downloaded via:
https://fedorapeople.org/groups/katello/releases/yum/3.0/client/el7/x86_64/katello-client-repos-latest.rpm
However, if I try and update a system (having added the new repo to a
content view and published a new version etc.) I get:

    Downloading packages:
    warning: /var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY
    Retrieving key from https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

    The GPG keys listed for the "Katello Agent 3.0 x86_64" repository are
    already installed but they are not correct for this package.
    Check that the correct key URLs are configured for this repository.

    - Failing package is: python-pulp-agent-lib-2.8.0-1.el7.noarch
    - GPG Keys are configured as: https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

If I remove the GPG key in the Katello GUI from the product and the repo, a
'yum update' fails with this message:

    Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not installed

Even though the repo in Katello is configured with no GPG key, gpgcheck is
still set to 1 on the client (/etc/yum.repos.d/redhat.repo):

    [NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
    metadata_expire = 1
    sslclientcert = /etc/pki/entitlement/6166028268832642654.pem
    baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
    sslverify = 1
    name = Katello Agent 3.0 x86_64
    sslclientkey = /etc/pki/entitlement/6166028268832642654-key.pem
    enabled = 1
    sslcacert = /etc/rhsm/ca/katello-server-ca.pem
    gpgcheck = 1

I guess there are two things here:

- Why is Katello still setting gpgcheck = 1 if there is no gpgkey
  configured? I was able to find a bug report for RH Satellite 6
  (https://bugzilla.redhat.com/show_bug.cgi?id=803428) from 2012, but it is
  closed as fixed…
- The katello client packages don't seem to be signed? Certainly, the
  katello-client-repos-latest.rpm package's "katello-client.repo" has
  gpgcheck=0 - I wonder why?

I have opened a bug report for 3.0 for the gpgcheck issue
(Bug #15087: gpgcheck is set to 1 even if repo has no gpgkey configured - Katello - Foreman),
but am just checking in here as well in case anyone has any ideas what's going on…
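
A client-side check for the two conditions raised in the post above (an added example, not part of the original message and not Katello or subscription-manager code): it parses yum repo stanzas and reports enabled repos that have gpgcheck on with no gpgkey, or gpgcheck off. The function name, the finding labels, the example.invalid URLs and the [main] default passed as main_gpgcheck are assumptions; only the first repo id and name come from the post.

```python
import configparser

# Constructed sample: the first stanza mirrors the redhat.repo entry in the
# post (gpgcheck on, no gpgkey); the other two are invented for contrast.
SAMPLE = """\
[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
name = Katello Agent 3.0 x86_64
baseurl = https://example.invalid/pulp/repos/agent
enabled = 1
gpgcheck = 1

[katello-client]
name = constructed unsigned client repo
baseurl = https://example.invalid/client
enabled = 1
gpgcheck = 0

[constructed-signed-repo]
baseurl = https://example.invalid/signed
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-constructed
"""

def audit_repos(text, main_gpgcheck=True):
    """Return [(repo_id, finding)] for enabled repos with suspect GPG settings.

    main_gpgcheck is the assumed [main] default used when a stanza omits gpgcheck.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if repo == "main" or not sec.getboolean("enabled", fallback=True):
            continue
        gpgcheck = sec.getboolean("gpgcheck", fallback=main_gpgcheck)
        keys = sec.get("gpgkey", fallback="").split()  # may list several URLs
        if gpgcheck and not keys:
            # yum can only use keys already imported into the rpm database;
            # otherwise installs stop with "Public key ... is not installed".
            findings.append((repo, "gpgcheck-without-gpgkey"))
        elif not gpgcheck:
            # Packages from this repo install with no signature verification.
            findings.append((repo, "gpgcheck-disabled"))
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE):
        print(f"{repo}: {finding}")
```
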