Katello Client GPG key

KennyMacCormik · December 12, 2018, 2:12pm

Problem:

[root@localhost yum.repos.d]# yum install katello-agent -y
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
Loading mirror speeds from cached hostfile
<ORG>_CentOS-7_CentOS7                                                                                            | 2.5 kB  00:00:00
<ORG>_CentOS-7_CentOS7-EPEL                                                                                       | 2.5 kB  00:00:00
<ORG>_CentOS-7_CentOS7-Extras                                                                                     | 2.5 kB  00:00:00
<ORG>_katello-client_foreman-client                                                                               | 2.5 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package katello-agent.noarch 0:3.3.5-4.el7 will be installed
--> Processing Dependency: katello-host-tools = 3.3.5-4.el7 for package: katello-agent-3.3.5-4.el7.noarch
--> Processing Dependency: python-gofer-proton >= 2.5 for package: katello-agent-3.3.5-4.el7.noarch
--> Processing Dependency: gofer >= 2.12.1 for package: katello-agent-3.3.5-4.el7.noarch
--> Running transaction check
---> Package gofer.noarch 0:2.12.1-1.el7 will be installed
--> Processing Dependency: python-gofer = 2.12.1 for package: gofer-2.12.1-1.el7.noarch
---> Package katello-host-tools.noarch 0:3.3.5-4.el7 will be installed
--> Processing Dependency: katello-host-tools-fact-plugin for package: katello-host-tools-3.3.5-4.el7.noarch
---> Package python-gofer-proton.noarch 0:2.12.1-1.el7 will be installed
--> Processing Dependency: python-qpid-proton >= 0.9-5 for package: python-gofer-proton-2.12.1-1.el7.noarch
--> Running transaction check
---> Package katello-host-tools-fact-plugin.noarch 0:3.3.5-4.el7 will be installed
---> Package python-gofer.noarch 0:2.12.1-1.el7 will be installed
---> Package python-qpid-proton.x86_64 0:0.14.0-2.el7 will be installed
--> Processing Dependency: qpid-proton-c(x86-64) = 0.14.0-2.el7 for package: python-qpid-proton-0.14.0-2.el7.x86_64
--> Processing Dependency: libqpid-proton.so.8()(64bit) for package: python-qpid-proton-0.14.0-2.el7.x86_64
--> Running transaction check
---> Package qpid-proton-c.x86_64 0:0.14.0-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================
 Package                                  Arch             Version                   Repository                                      Size
==========================================================================================================================================
Installing:
 katello-agent                            noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            38 k
Installing for dependencies:
 gofer                                    noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client            51 k
 katello-host-tools                       noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            30 k
 katello-host-tools-fact-plugin           noarch           3.3.5-4.el7               <ORG>_katello-client_foreman-client            13 k
 python-gofer                             noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client           193 k
 python-gofer-proton                      noarch           2.12.1-1.el7              <ORG>_katello-client_foreman-client            57 k
 python-qpid-proton                       x86_64           0.14.0-2.el7              <ORG>_CentOS-7_CentOS7-Extras                 212 k
 qpid-proton-c                            x86_64           0.14.0-2.el7              <ORG>_CentOS-7_CentOS7-Extras                 130 k

Transaction Summary
==========================================================================================================================================
Install  1 Package (+7 Dependent packages)

Total size: 723 k
Installed size: 2.7 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/<ORG>_katello-client_foreman-client/packages/gofer-2.12.1-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID d0b17f13: NOKEY
Retrieving key from https://<my host>/katello/api/v2/repositories/14/gpg_key_content
Importing GPG key 0x565EA533:
 Userid     : "Foreman Automatic Signing Key (1.20) <packages@theforeman.org>"
 Fingerprint: 5c75 b050 dd06 92eb 042b 5c82 2ec9 9767 565e a533
 From       : https://<my host>/katello/api/v2/repositories/14/gpg_key_content


Public key for gofer-2.12.1-1.el7.noarch.rpm is not installed


 Failing package is: gofer-2.12.1-1.el7.noarch
 GPG Keys are configured as: https://<my host>/katello/api/v2/repositories/14/gpg_key_content

Expected outcome:

No GPG alert

Foreman and Proxy versions:

foreman-release-1.20.0-2.el7.noarch
foreman-proxy-1.20.0-1.el7.noarch

Foreman and Proxy plugin versions:

katello-3.9.1-1.el7.noarch

Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]
(for logs, surround with three back-ticks to get proper formatting, e.g.)


logs

akofink · December 12, 2018, 3:32pm

@Zhunting Katello client repo should be signed with Foreman 1.20’s key, right?

ekohl · December 12, 2018, 3:50pm

We haven’t signed the client repos. This has been an explicit decision to allow us to iterate faster and treat them similar to plugins.

I’d be open to changing this though. cc @ehelms

W73 · December 13, 2018, 12:01pm

When we upgrade katello, we extract GPG from https://fedorapeople.org/groups/katello/releases/yum/latest/katello/el7/x86_64/katello-repos-latest.rpm and update it in Foreman/Content/Content Credentials

KennyMacCormik · December 19, 2018, 10:58am

Is there any way to disable GPG check for this repo on Katello side, so newly enrolled hosts wont throw this error in me all over again?

W73 · December 20, 2018, 10:06am

yum install --nogpgcheck

John_Mitsch · January 2, 2019, 9:33pm

Did the --nogpgcheck flag work for you? If so, we can mark it as a solution to help others

KennyMacCormik · January 4, 2019, 8:28am

I’ve marked the reply as solution, but I hope gpg signature will be fixed in upcoming releases.

Ondrej_Levy · March 25, 2019, 3:59pm

@ekohl , @ehelms Foreman 1.21 is out and client repo is still without gpg sign. Any progress in this problem? I ask because in combination with this bug (Bug #26443: changing gpg key on a repository has no effect - Katello - Foreman) is missing gpg signing really unpleasant problem.

ekohl · March 25, 2019, 4:49pm

Until now we weren’t planning on signing, but given how little we actually release updates to this tooling I’d be willing to start signing this repo.

Thoughts @packaging (in particular @ehelms and @evgeni)?

evgeni · March 25, 2019, 6:20pm

to signing all the things!

Ondrej_Levy · March 26, 2019, 9:15am

@packaging In general, all repo should be signed. And especially the repo with client packages that must be installed on all servers. Because we need to be extra sure about their security and authenticity.

Anthony_Chevalet · June 11, 2019, 12:32pm

Again, same issue with katello 3.11…
Package katello-host-tools-3.4.2-2.el7.noarch.rpm is not signed
Please think about security… package signing should not be an issue with an automatic build process…

asheynkmansafeguard · June 14, 2019, 2:29pm

I agree. Please sign client packages. This is VERY insecure.

Netbulae1 · June 19, 2019, 12:20pm

+1 and it makes Katello defeat it’s own purpose. When using Katello client to update a Katello client, you have to manually login to update with --nogpgcheck

There must be someone that can make a tool to automate that manual yum updating on every machine

Tony_Coffman · June 19, 2019, 3:06pm

You can run the yum --nogpgcheck command via foreman remote execution if you have it deployed.

I agree - this client RPM GPG signing problem has been an issue since Katello 3.2 and it’s very discouraging to see these types of issues reported again and again for every new release.

ehelms · June 20, 2019, 11:51am

When we originally created the Foreman client repository we chose to treat
it like the plugins repository and not sign packages. Thanks to your
feedback and some soak time, we will begin to start signing all client
packages with the corresponding Foreman release key going forward.

Tony_Coffman · June 20, 2019, 12:18pm

Thank you. This should knock out an entire class of issues and support threads.

ekohl · June 27, 2019, 10:57am

Feature #26278: GPG sign Foreman client RPM repository - Packaging - Foreman will track the progress. Technically the repositories have been GPG signed. Currently I’m working on updating the foreman-client-release RPMs to set gpgcheck=1 and distribute the GPG key, but as a user you should already be able to check the signatures. It’s the same key as the main foreman repository. I would appreciate any testing before I push it to all users.