Katello client 3.0 gpg key?

Hi all,

I've recently added the katello agent 3.0 repo to my katello 3.0rc4 instance,
synced it and am attempting to update packages on some test hosts. The repo is
configured with a GPG key per the one downloaded via:
https://fedorapeople.org/groups/katello/releases/yum/3.0/client/el7/x86_64/katello-client-repos-latest.rpm

However, if I try and update a system (having added the new repo to a
content view and published a new version etc) I get

Downloading packages:
warning:
/var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm:
Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY

Retrieving key from
https://wellkatellodev.niwa.local/katello/api/repositories/247/gpg_key_content

The GPG keys listed for the "Katello Agent 3.0 x86_64" repository are
already installed but they are not correct for this package.

Check that the correct key URLs are configured for this repository.

If I remove the GPG key in the Katello GUI from the product and the repo, a
'yum update' fails with this message

Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not
installed

Even though the repo in Katello is configured with no GPG key, gpgcheck is
still set to 1 on the client (/etc/yum.repos.d/redhat.repo) -

[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6166028268832642654.pem
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
sslverify = 1
name = Katello Agent 3.0 x86_64
sslclientkey = /etc/pki/entitlement/6166028268832642654-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

I guess there are two things here:

  1. Why is Katello still setting gpgcheck = 1 if there is no gpgkey
    configured? I was able to find a bug report for RH Satellite 6
    (https://bugzilla.redhat.com/show_bug.cgi?id=803428) from 2012, but it is
    closed as fixed…
  2. The katello client packages don't seem to be signed? Certainly, the
    katello-client-repos-latest.rpm package's "katello-client.repo" has
    gpgcheck=0 - I wonder why?

I have opened a bug report for 3.0 for the gpgcheck
http://projects.theforeman.org/issues/15087 (Bug #15087: gpgcheck is set to 1
even if repo has no gpgkey configured) but just checking in here as well if
anyone has any ideas what's going on... :-)

We do not sign the packages until the GA release nor configure our
repositories to enforce GPG checking until then. I'll look into this to see
if it is specific to the client repositories – I have tested EL7 client
and everything came up fine for me during RC5 testing. Can you re-test and
let me know if you see it?

Eric



Eric D. Helms
Red Hat Engineering
Ph.D. Student - North Carolina State University

Has there been any update to this issue? We're running into the same problem.

Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID bc62d13f:
NOKEY
Retrieving key from
https://cgsldlimgmt04.centric.com/katello/api/repositories/76/gpg_key_content

The GPG keys listed for the "Katello_6_Client" repository are already
installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.


Same issue with Katello 3.4.3-1.
GPG key was initially set, but after unset, it does not update the
redhat.repo (gpgcheck=1 remains)

I had to *delete the redhat.repo* file and run subscription-manager refresh
to correct it.
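
An added example (not part of the thread, and not Katello or subscription-manager code): a small audit of a redhat.repo-style file that flags the state reported above, gpgcheck = 1 with no gpgkey, and separately flags repos where signature checking is off. The second and third repo sections, the status labels and the function name audit_repo_text are constructed for illustration.

```python
import configparser
import sys

# Constructed sample shaped like /etc/yum.repos.d/redhat.repo. The first section
# mirrors the one posted in this thread; the other two are invented for contrast.
SAMPLE_REPO = """\
[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
name = Katello Agent 3.0 x86_64
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
enabled = 1
gpgcheck = 1

[example_signed_repo]
name = Example signed repo
baseurl = https://katello.example.test/pulp/repos/example/signed
enabled = 1
gpgcheck = 1
gpgkey = https://katello.example.test/katello/api/repositories/1/gpg_key_content

[example_unchecked_repo]
name = Example unchecked repo
baseurl = https://katello.example.test/pulp/repos/example/unchecked
enabled = 1
gpgcheck = 0
"""


def audit_repo_text(text):
    """Classify each repo section by its gpgcheck/gpgkey combination."""
    # Only "=" is a delimiter so URLs containing ":" are never split as keys;
    # interpolation is off so "%" in a value is taken literally.
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.read_string(text)
    findings = {}
    for name in parser.sections():
        repo = parser[name]
        has_key = bool(repo.get("gpgkey", fallback="").strip())
        if "gpgcheck" not in repo:
            status = "inherits-main"       # value comes from [main] in yum.conf
        elif not repo.getboolean("gpgcheck"):
            status = "unverified"          # packages install without a signature check
        elif has_key:
            status = "enforced"            # check is on and a key URL is offered
        else:
            status = "check-without-key"   # check is on, nothing to import (this thread)
        findings[name] = status
    return findings


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            source = handle.read()
    else:
        source = SAMPLE_REPO
    for repo_name, status in audit_repo_text(source).items():
        print(f"{status:18} {repo_name}")
```

Run it with the path to a client's redhat.repo as the only argument to audit that file instead of the sample.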

Hi Eric,

I upgraded to katello 3.0RC5 and I'm still seeing it - here's the repository
configuration

<https://lh3.googleusercontent.com/-mITSagAQH8s/V0I_VrZCNMI/AAAAAAAAGxg/K5oTTLgRECkUaYbnZw02rumlQrunM6nMACLcB/s1600/repo_no_gpg_configured.JPG>
but on a client, "yum clean all" "subscription-manager refresh" but the
repo still appears with gpgcheck = 1

[NIWA_Katello_Agent_Katello_Agent_3_0_x86_64]
metadata_expire = 1
sslclientcert = /etc/pki/entitlement/6009052158122219195.pem
baseurl = https://wellkatellodev.niwa.local/pulp/repos/NIWA/Prod-Server/CentOS7_Server/custom/Katello_Agent/Katello_Agent_3_0_x86_64
sslverify = 1
name = Katello Agent 3.0 x86_64
sslclientkey = /etc/pki/entitlement/6009052158122219195-key.pem
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 1

and if I "yum update" -



gofer                   noarch  2.7.5-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64   84 k
...
pulp-rpm-handlers       noarch  2.8.0-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64   71 k
pytalloc                x86_64  2.1.5-1.el7_2                    NIWA_CentOS7_updates_x86_64                   14 k
python-gofer            noarch  2.7.5-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64  131 k
python-gofer-proton     noarch  2.7.5-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64   53 k
python-perf             x86_64  3.10.0-327.18.2.el7.centos.plus  NIWA_CentOS7_centosplus_x86_64               2.4 M
python-pulp-agent-lib   noarch  2.8.0-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64   90 k
python-pulp-common      noarch  2.8.0-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64  122 k
python-pulp-rpm-common  noarch  2.8.0-1.el7                      NIWA_Katello_Agent_Katello_Agent_3_0_x86_64   64 k


(11/99): device-mapper-libs-1.02.107-5.el7_2.2.x86_64.rpm > 305 kB  00:00:00
(12/99): glibc-2.17-106.el7_2.6.x86_64.rpm > 3.6 MB  00:00:00
warning:
/var/cache/yum/x86_64/7/NIWA_Katello_Agent_Katello_Agent_3_0_x86_64/packages/gofer-2.7.5-1.el7.noarch.rpm:
Header V4 RSA/SHA1 Signature, key ID 2c7e5d9a: NOKEY7.6 MB --:--:-- ETA
Public key for gofer-2.7.5-1.el7.noarch.rpm is not installed
(13/99): gofer-2.7.5-1.el7.noarch.rpm >  84 kB  00:00:00
(14/99): graphite2-1.3.6-1.el7_2.x86_64.rpm > 112 kB  00:00:00
...
(98/99): tzdata-2016d-1.el7.noarch.rpm > 439 kB  00:00:00
(99/99): util-linux-2.23.2-26.el7_2.2.x86_64.rpm > 1.9 MB  00:00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total  9.5 MB/s |  97 MB  00:00:10

Public key for python-pulp-agent-lib-2.8.0-1.el7.noarch.rpm is not installed
[root@wellminiondev yum.repos.d]#

Interestingly a “yum update katello-agent” worked -

Resolving Dependencies
--> Running transaction check
---> Package katello-agent.noarch 0:2.2.1-1.el7 will be updated
---> Package katello-agent.noarch 0:2.4.0-3.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================
Package        Arch    Version      Repository                                   Size
=============================================================================================================================================================================================
Updating:
katello-agent  noarch  2.4.0-3.el7  NIWA_Katello_Agent_Katello_Agent_3_0_x86_64  25 k

Transaction Summary
=============================================================================================================================================================================================
Upgrade 1 Package

Total download size: 25 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
katello-agent-2.4.0-3.el7.noarch.rpm >  25 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : katello-agent-2.4.0-3.el7.noarch 1/2
Note: Forwarding request to 'systemctl enable goferd.service'.
Redirecting to /bin/systemctl restart goferd.service
Cleanup : katello-agent-2.2.1-1.el7.noarch 2/2
Active: active (running) since Mon 2016-05-23 11:20:02 NZST; 397ms ago
Uploading Package Profile
Verifying : katello-agent-2.4.0-3.el7.noarch 1/2
Verifying : katello-agent-2.2.1-1.el7.noarch 2/2

Updated:
katello-agent.noarch 0:2.4.0-3.el7

Complete!
[root@wellminiondev yum.repos.d]#

Still in 3.0.2RC1, this is preventing katello agent from being installed
properly

I modified the subscription_manager snippet to install yum-utils and use:

yum-config-manager --nogpgcheck <REPONAME>

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts