RHEL 5.8 gpg key is not getting imported via yum when system is registered to a custom Satellite channel
Issue
We found that the gpg key is not getting imported via yum.repo.d/file. Below are the entries ...
[bestbuy-base]
name=Red Hat Enterprise Linux $releasever - $basearch - basic
baseurl=http://xxx.na.xxx.com/Server
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[updates]
name=Red Hat Enterprise Linux $releasever - $basearch - Updates
baseurl=http://xxx.na.xxx.com/$releasever/updates/$basearch/
gpgcheck=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
However, we are able to import it manually with rpm --import /file name. But our standard configuration is on yum.repo.d/file.
Resolution
Doing a fresh install from dvd kickstart tree does not import the key from redhat-release package into the rpm database.
RECOMMENDED
- Confirm that the custom channel that was created has its GPG key URL: field pointing to the correct key
GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
The above is required because you are using the rhnplugin versus straight yum.
or
- Add a %post that does the following
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Root Cause
Missing GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release in customer channel configuration
Diagnostic Steps
Doing a fresh install from dvd does not import the key from redhat-release into the rpm database.
I just validated this...
[root@localhost ~]# rpm -qa gpg-pubkey
[root@localhost ~]#
I typically recommend against doing dvd installs anyway, it's bad practice, you should be doing kickstarts.
The next question is how did you register this box and what did you register it to.
From the description it looks like it was registered to an internal satellite server.
http://sat.na.xxx.com/
Assuming that is the case then you should not be looking in /etc/yum.repos.d for configuration.
[root@localhost pluginconf.d]# rhnreg_ks --username=satadmin --password=xyz123 --serverUrl=http://192.168.1.6/XMLRPC
[root@localhost pluginconf.d]# pwd
/etc/yum/pluginconf.d
[root@localhost pluginconf.d]# cat rhnplugin.conf
[main]
enabled = 1
gpgcheck = 1
# You can specify options per channel, e.g.:
#
#[rhel-i386-server-5]
#enabled = 1
#
#[some-unsigned-custom-channel]
#gpgcheck = 0
I didn't catch this before, but this explains why your setting of the gpg key in the /etc/yum.repos.d/somefile.repo doesn't matter.
Because when you hook to a satellite server you use what is within /etc/yum/pluginconf.d/ instead.
After registering with my test satellite server I was able to successfully yum update without having to run the rpm --import command.
[root@localhost pluginconf.d]#
...
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.7 MB/s | 341 MB 02:07
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
rhel-x86_64-server-5/gpgkey | 1.1 kB 00:00
Importing GPG key 0x37017186 "Red Hat, Inc. (release key) <security@redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : libgcc 1/383
Updating : selinux-policy
...
Complete!
[root@localhost pluginconf.d]#
So I'm not sure why you are running into problems with this. This is part of the reason that I was asking how you registered this box to your satellite server. Also please pull an sosreport for this system and attach it to this case.
If you were doing kickstarts from satellite depending upon the version you might have to update satellite to get the rpm key properly imported.
https://access.redhat.com/knowledge/solutions/37240
Or just add the rpm --import to your %post.
In short it sounds as though there is an issue or misunderstanding on your side.
It's basically a kickstart installation, where the base source is a DVD ISO image and later it will update from RHN. This is the way the process is defined here.
And yes we are registering to RHN with "usr/sbin/rhnreg_ks --force --activationkey=$KEY serverURL=https://$Sat_Server/XMLRPC "
[root@dld04test adm]# rpm -qa gpg-pubkey
gpg-pubkey-04bbaa7b-4c881cbf
gpg-pubkey-66fd4949-4803fe57
Total download size: 11 k
Is this ok [y/N]: y
Downloading Packages:
vlock-1.3-23.x86_64.rpm | 11 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
Public key for vlock-1.3-23.x86_64.rpm is not installed
[root@dld04test pluginconf.d]# cat rhnplugin.conf
[main]
enabled = 1
gpgcheck = 1
[updates]
name=Red Hat Enterprise Linux $releasever - $basearch - Updates
baseurl=http://xxx.na.xxx.com/$releasever/updates/$basearch/
gpgcheck=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# You can specify options per channel, e.g.:
#
#[rhel-i386-server-5]
#enabled = 1
#
#[some-unsigned-custom-channel]
#gpgcheck = 0
Can you provide your kickstart file then?
I'm almost positive that the /etc/yum.repos.d/*.conf files and the /etc/yum/pluginconf.d/rhnplugin.conf can not be treated the same.
So adding the following:
[updates]
name=Red Hat Enterprise Linux $releasever - $basearch - Updates
baseurl=http://xxx.na.xxxx.com/$releasever/updates/$basearch/
gpgcheck=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Does not apply.
rhnplugin uses the url from /etc/sysconfig/rhn/up2date to know what it is talking to.
So, I'm unsure of what is going on with your system. Like I said I did a dvd install (not a kickstart), no gpgkey was added, I registered to satellite, still no gpgkey added, then I did a yum update, it asked me to accept the key and done.
If you looked at this kcs it mentioned adding in rpm --import
https://access.redhat.com/knowledge/solutions/37240
But that is for Satellite kickstart installations.
So my suggested workaround was to add a %post to your kickstart, I would make it the first one.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
I'd like to see the kickstart file and have you pull an sosreport from the system that is not updating after kickstart.
Also please run the following on the system that is not working and let me see the yumupdate.log file.
yum update -y | tee -a yumupdate.log
Btw, the keys that you have already.
[root@dld04test adm]# rpm -qa gpg-pubkey
gpg-pubkey-04bbaa7b-4c881cbf
gpg-pubkey-66fd4949-4803fe57
Do not match the key you need, or the keys that were used in signing the rpms that you are trying to update to
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
you would need a key with 37017186
[root@localhost pluginconf.d]# rpm -qa gpg-pubkey
gpg-pubkey-37017186-45761324
So the key that you have located in
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
is the right one, but it never got imported into the rpm database.
Adding the rpm --import to your kickstart would get you past this issue.
I'm not sure why my yum update worked and yours is not, the only thing I can think of is that it has something to do with the satellite backend version that you are using.
Can you tell me satellite version you are using? Again the rpm --import addition to the kickstart should be a fine workaround.
The satellite version is 5.4.0, and for your information we don't have any issue while installing RHEL 5.7 at all. This is an issue only when we are installing RHEL 5.8.
Can you look at the activation key you used and cross reference that against the Satellite server, specifically what custom channel does the activation key align to.
Go into Satellite Server and Click on that channel.
Check the GPG key URL field and confirm that it looks like this
GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Feedback: oops that was it.
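The key-ID comparison made in the diagnostic steps above, as an added example that is not part of the original solution: it extracts the key IDs from NOKEY warnings in yum output and checks them against the gpg-pubkey-<keyid>-<creation time> entries in the rpm database. The function names are hypothetical; the sample data is copied from the transcripts on this page.

```shell
#!/bin/sh
# Added example (not from the original solution). The function names are
# hypothetical helpers; they only parse text that yum and rpm print.

# Read yum output on stdin, print each distinct key ID named in a NOKEY warning.
nokey_ids() {
    sed -n 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' | tr 'A-F' 'a-f' | sort -u
}

# Return 0 if key ID $1 is in the `rpm -qa gpg-pubkey` listing passed as $2.
# rpm names imported keys gpg-pubkey-<keyid>-<creation time>.
key_imported() {
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-$1-"
}

# $1 = yum output, $2 = `rpm -qa gpg-pubkey` output.
# Prints the key IDs that signed packages but are absent from the rpm database.
missing_keys() {
    for _id in $(printf '%s\n' "$1" | nokey_ids); do
        key_imported "$_id" "$2" || echo "$_id"
    done
}

# Sample data taken from the transcripts on this page.
YUM_LOG='vlock-1.3-23.x86_64.rpm | 11 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
Public key for vlock-1.3-23.x86_64.rpm is not installed'
FAILING_KEYS='gpg-pubkey-04bbaa7b-4c881cbf
gpg-pubkey-66fd4949-4803fe57'
WORKING_KEYS='gpg-pubkey-37017186-45761324'

# On a live system:
#   missing_keys "$(cat yumupdate.log)" "$(rpm -qa gpg-pubkey)"
echo "failing host is missing: $(missing_keys "$YUM_LOG" "$FAILING_KEYS")"
echo "working host is missing: $(missing_keys "$YUM_LOG" "$WORKING_KEYS")"
```

An empty result means every signing key seen in the log is already imported; a non-empty result lists the keys that still need to be imported, for example with the rpm --import line recommended in the Resolution.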
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
