Katello Client GPG key

Problem:

[root@localhost yum.repos.d]# yum install katello-agent -y
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
Loading mirror speeds from cached hostfile
<ORG>_CentOS-7_CentOS7                                                                                            | 2.5 kB  00:00:00
<ORG>_CentOS-7_CentOS7-EPEL                                                                                       | 2.5 kB  00:00:00
<ORG>_CentOS-7_CentOS7-Extras                                                                                     | 2.5 kB  00:00:00
<ORG>_katello-client_foreman-client                                                                               | 2.5 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package katello-agent.noarch 0:3.3.5-4.el7 will be installed
--> Processing Dependency: katello-host-tools = 3.3.5-4.el7 for package: katello-agent-3.3.5-4.el7.noarch
--> Processing Dependency: python-gofer-proton >= 2.5 for package: katello-agent-3.3.5-4.el7.noarch
--> Processing Dependency: gofer >= 2.12.1 for package: katello-agent-3.3.5-4.el7.noarch
--> Running transaction check
---> Package gofer.noarch 0:2.12.1-1.el7 will be installed
--> Processing Dependency: python-gofer = 2.12.1 for package: gofer-2.12.1-1.el7.noarch
---> Package katello-host-tools.noarch 0:3.3.5-4.el7 will be installed
--> Processing Dependency: katello-host-tools-fact-plugin for package: katello-host-tools-3.3.5-4.el7.noarch
---> Package python-gofer-proton.noarch 0:2.12.1-1.el7 will be installed
--> Processing Dependency: python-qpid-proton >= 0.9-5 for package: python-gofer-proton-2.12.1-1.el7.noarch
--> Running transaction check
---> Package katello-host-tools-fact-plugin.noarch 0:3.3.5-4.el7 will be installed
---> Package python-gofer.noarch 0:2.12.1-1.el7 will be installed
---> Package python-qpid-proton.x86_64 0:0.14.0-2.el7 will be installed
--> Processing Dependency: qpid-proton-c(x86-64) = 0.14.0-2.el7 for package: python-qpid-proton-0.14.0-2.el7.x86_64
--> Processing Dependency: libqpid-proton.so.8()(64bit) for package: python-qpid-proton-0.14.0-2.el7.x86_64
--> Running transaction check
---> Package qpid-proton-c.x86_64 0:0.14.0-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================
 Package                                  Arch             Version                   Repository                                      Size
==========================================================================================================================================
Installing:
 katello-agent                            noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            38 k
Installing for dependencies:
 gofer                                    noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client            51 k
 katello-host-tools                       noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            30 k
 katello-host-tools-fact-plugin           noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            13 k
 python-gofer                             noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client           193 k
 python-gofer-proton                      noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client            57 k
 python-qpid-proton                       x86_64           0.14.0-2.el7              <ORG>_CentOS-7_CentOS7-Extras                 212 k
 qpid-proton-c                            x86_64           0.14.0-2.el7              <ORG>_CentOS-7_CentOS7-Extras                 130 k

Transaction Summary
==========================================================================================================================================
Install  1 Package (+7 Dependent packages)

Total size: 723 k
Installed size: 2.7 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/<ORG>_katello-client_foreman-client/packages/gofer-2.12.1-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID d0b17f13: NOKEY
Retrieving key from https://<my host>/katello/api/v2/repositories/14/gpg_key_content
Importing GPG key 0x565EA533:
 Userid     : "Foreman Automatic Signing Key (1.20) <packages@theforeman.org>"
 Fingerprint: 5c75 b050 dd06 92eb 042b 5c82 2ec9 9767 565e a533
 From       : https://<my host>/katello/api/v2/repositories/14/gpg_key_content


Public key for gofer-2.12.1-1.el7.noarch.rpm is not installed


 Failing package is: gofer-2.12.1-1.el7.noarch
 GPG Keys are configured as: https://<my host>/katello/api/v2/repositories/14/gpg_key_content

Expected outcome:

No GPG alert

Foreman and Proxy versions:

foreman-release-1.20.0-2.el7.noarch
foreman-proxy-1.20.0-1.el7.noarch

Foreman and Proxy plugin versions:

katello-3.9.1-1.el7.noarch

Other relevant data:
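Read as a defender, the transcript above contains the one check worth automating: yum fetched and imported key 0x565EA533 (the Foreman 1.20 release key) from the repository's `gpg_key_content` URL, but the failing package header was signed with key ID d0b17f13, so the imported key cannot verify that signature and yum correctly reports the public key as not installed. For a version 4 OpenPGP key the short key ID is the low 32 bits of the fingerprint, so the comparison is mechanical. The Python below is an added example, not code from this thread or from the Foreman/Katello project; it parses a constructed copy of the transcript (placeholders kept as in the report) and reports, per package, whether any key yum imported matches the key that signed it.

```python
import re

# Constructed excerpt of the yum transcript from the report above; the
# <ORG> and <my host> placeholders are kept exactly as the reporter wrote them.
YUM_OUTPUT = """\
Downloading packages:
warning: /var/cache/yum/x86_64/7/<ORG>_katello-client_foreman-client/packages/gofer-2.12.1-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID d0b17f13: NOKEY
Retrieving key from https://<my host>/katello/api/v2/repositories/14/gpg_key_content
Importing GPG key 0x565EA533:
 Userid     : "Foreman Automatic Signing Key (1.20) <packages@theforeman.org>"
 Fingerprint: 5c75 b050 dd06 92eb 042b 5c82 2ec9 9767 565e a533
 From       : https://<my host>/katello/api/v2/repositories/14/gpg_key_content

Public key for gofer-2.12.1-1.el7.noarch.rpm is not installed
"""

# Same transcript, constructed so that the signing key ID matches the
# imported key; this is what a correctly configured repository produces.
OK_OUTPUT = YUM_OUTPUT.replace("key ID d0b17f13", "key ID 565ea533")

# "warning: <path>: Header V4 RSA/SHA1 Signature, key ID <id>: NOKEY"
NOKEY_RE = re.compile(
    r"warning: (?P<path>\S+): Header .*? key ID (?P<keyid>[0-9a-fA-F]{8,16}): NOKEY"
)
# " Fingerprint: 5c75 b050 ... a533" (yum prints the fingerprint in 4-hex groups)
FPR_RE = re.compile(r"^\s*Fingerprint:\s*(?P<fpr>[0-9a-fA-F ]+?)\s*$", re.M)


def signing_key_ids(text):
    """Map each RPM basename that hit NOKEY to the (lowercase) key ID that signed it."""
    out = {}
    for m in NOKEY_RE.finditer(text):
        rpm = m.group("path").rsplit("/", 1)[-1]
        out[rpm] = m.group("keyid").lower()
    return out


def imported_fingerprints(text):
    """List the fingerprints (lowercase hex, no spaces) of every key yum imported."""
    return [m.group("fpr").replace(" ", "").lower() for m in FPR_RE.finditer(text)]


def diagnose(text):
    """For each NOKEY package, say whether an imported key could have verified it.

    A v4 key's 32-bit key ID is the low 32 bits of its fingerprint, so an
    imported key matches when its fingerprint ends with the signing key ID.
    """
    fprs = imported_fingerprints(text)
    report = {}
    for rpm, keyid in signing_key_ids(text).items():
        matching = [f for f in fprs if f.endswith(keyid)]
        report[rpm] = {
            "signed_by": keyid,
            "matching_fingerprint": matching[0] if matching else None,
            "verdict": "imported key matches signature"
            if matching
            else "configured repository key is not the key that signed the package",
        }
    return report


if __name__ == "__main__":
    for rpm, info in diagnose(YUM_OUTPUT).items():
        print(rpm, "->", info["verdict"], "(signed by", info["signed_by"] + ")")
```

The script only confirms which of two things is wrong: if `matching_fingerprint` is `None` the fix is on the Katello side (the Content Credential attached to the repository is not the key the packages carry), whereas a match with a persistent NOKEY points at a local keyring problem. It never weakens verification, which is what `--nogpgcheck` does.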

@Zhunting Katello client repo should be signed with Foreman 1.20’s key, right?

We haven’t signed the client repos. This has been an explicit decision to allow us to iterate faster and treat them similar to plugins.

I’d be open to changing this though. cc @ehelms


When we upgrade katello, we extract GPG from https://fedorapeople.org/groups/katello/releases/yum/latest/katello/el7/x86_64/katello-repos-latest.rpm and update it in Foreman/Content/Content Credentials

Is there any way to disable the GPG check for this repo on the Katello side, so newly enrolled hosts won't throw this error at me all over again?

yum install --nogpgcheck

Did the --nogpgcheck flag work for you? If so, we can mark it as a solution to help others.

I’ve marked the reply as solution, but I hope gpg signature will be fixed in upcoming releases.

@ekohl, @ehelms Foreman 1.21 is out and the client repo is still without a GPG signature. Any progress on this problem? I ask because, in combination with this bug (Bug #26443: changing gpg key on a repository has no effect - Katello - Foreman), the missing GPG signing is a really unpleasant problem.

Until now we weren’t planning on signing, but given how little we actually release updates to this tooling I’d be willing to start signing this repo.

Thoughts @packaging (in particular @ehelms and @evgeni)?

:+1: to signing all the things!


@packaging In general, all repos should be signed, and especially the repo with client packages that must be installed on all servers, because we need to be extra sure about their security and authenticity.


Again, same issue with katello 3.11…
Package katello-host-tools-3.4.2-2.el7.noarch.rpm is not signed
Please think about security… package signing should not be an issue with an automatic build process…


I agree. Please sign client packages. This is VERY insecure.

+1, and it makes Katello defeat its own purpose. When using the Katello client to update a Katello client, you have to manually log in to update with --nogpgcheck.

There must be someone that can make a tool to automate that manual yum updating on every machine :stuck_out_tongue:

You can run the yum --nogpgcheck command via foreman remote execution if you have it deployed.

I agree - this client RPM GPG signing problem has been an issue since Katello 3.2 and it’s very discouraging to see these types of issues reported again and again for every new release.

When we originally created the Foreman client repository we chose to treat it like the plugins repository and not sign packages. Thanks to your feedback and some soak time, we will begin to start signing all client packages with the corresponding Foreman release key going forward.


Thank you. This should knock out an entire class of issues and support threads.

Feature #26278: GPG sign Foreman client RPM repository - Packaging - Foreman will track the progress. Technically the repositories have been GPG signed. Currently I’m working on updating the foreman-client-release RPMs to set gpgcheck=1 and distribute the GPG key, but as a user you should already be able to check the signatures. It’s the same key as the main foreman repository. I would appreciate any testing before I push it to all users.
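Two settings decide whether the signing announced above actually protects a host: the repository stanza must carry `gpgcheck=1` (the foreman-client-release update mentioned above) and a `gpgkey` pointing at the release key, and nobody must have left the `--nogpgcheck` workaround from earlier in the thread baked into a repo file as `gpgcheck=0`. The Python below is an added example, not part of this thread or of the foreman-client-release package; it audits a constructed `.repo` file for enabled repositories whose signature check is off or unanchored, and rewrites it with `gpgcheck=1` and an admin-supplied key URL. The `baseurl` values are illustrative; the Katello `gpg_key_content` URL pattern is the one shown in the original report.

```python
import configparser
import io

# Constructed sample of a yum .repo file: the first stanza carries the weak
# setting the --nogpgcheck workaround encourages, the second is hardened.
SAMPLE_REPO = """\
[foreman-client]
name=Foreman client packages (constructed example)
baseurl=https://<my host>/pulp/repos/example/foreman-client/
enabled=1
gpgcheck=0

[foreman]
name=Foreman release packages (constructed example)
baseurl=https://<my host>/pulp/repos/example/foreman/
enabled=1
gpgcheck=1
gpgkey=https://<my host>/katello/api/v2/repositories/14/gpg_key_content
"""


def _parse(text):
    # yum repo files are INI; interpolation is off because values contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repo_config(text):
    """Return {repo id: [problems]} for every enabled repository in the file."""
    findings = {}
    for repo in _parse(text).sections():
        sec = _parse(text)[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos cannot install anything
        problems = []
        gpgcheck = sec.get("gpgcheck")
        if gpgcheck is None:
            problems.append("gpgcheck not set; inherits whatever yum.conf says")
        elif gpgcheck.strip() != "1":
            problems.append("gpgcheck=%s: unsigned packages install silently" % gpgcheck.strip())
        if not sec.get("gpgkey", "").strip():
            problems.append("no gpgkey: yum has no key to verify signatures against")
        findings[repo] = problems
    return findings


def harden(text, gpgkeys):
    """Set gpgcheck=1 on every repo and attach the key URL given per repo id.

    gpgkeys maps repo id -> key URL; the admin supplies these, the script
    never guesses a key location.
    """
    cp = _parse(text)
    for repo in cp.sections():
        cp[repo]["gpgcheck"] = "1"
        if repo in gpgkeys:
            cp[repo]["gpgkey"] = gpgkeys[repo]
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for repo, problems in audit_repo_config(SAMPLE_REPO).items():
        print(repo, "->", problems or "ok")
    fixed = harden(
        SAMPLE_REPO,
        {"foreman-client": "https://<my host>/katello/api/v2/repositories/14/gpg_key_content"},
    )
    print(fixed)
```

Run it against the files under /etc/yum.repos.d/ (or the output of a remote-execution job across hosts) to find where the check was switched off; the `harden` step only makes sense once the key served at the `gpgkey` URL is the key the packages are actually signed with, which is the mismatch the original report shows.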