RHEL 5.8 gpg key is not getting imported via yum when system is registered to a custom Satellite channel
Environment
- Red Hat Enterprise Linux (RHEL)
- 5.8
- Custom Red Hat Satellite channel
Issue
- The `gpg` key is not getting imported via `yum.repos.d/file`. However, it is possible to import it manually using `rpm --import /file name`. But the standard configuration is in `yum.repos.d/file`. Below are the entries.

  ```
  [example-base]
  name=Red Hat Enterprise Linux $releasever - $basearch - basic
  baseurl=http://xxx.na.xxx.com/Server
  enabled=1
  gpgcheck=1
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

  [updates]
  name=Red Hat Enterprise Linux $releasever - $basearch - Updates
  baseurl=http://xxx.na.xxx.com/$releasever/updates/$basearch/
  gpgcheck=1
  gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  ```
Resolution
Doing a fresh install from a DVD kickstart tree does not import the key from the `redhat-release` package into the `rpm` database. Choose one of the two solutions described below:
- Confirm that the custom channel that was created has its `GPG key URL:` field pointing to the correct key:

  ```
  GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  ```

  The above is required when using the rhnplugin instead of yum.

Or:
- Add a `%post` that does the following:

  ```
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  ```
Root Cause
Missing `gpg` key URL (`file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`) in channel configuration.
Diagnostic Steps
- If the system was registered to an internal Satellite server using `/usr/sbin/rhnreg_ks --force --activationkey=$KEY --serverUrl=https://$Sat_Server/XMLRPC`, for instance, the configuration will not be in `/etc/yum.repos.d`. When hooked to a Satellite server, it will use what is within `/etc/yum/pluginconf.d/` instead:

  ```
  [root@localhost pluginconf.d]# rhnreg_ks --username=satadmin --password=xyz123 --serverUrl=http://192.168.1.6/XMLRPC
  [root@localhost pluginconf.d]# pwd
  /etc/yum/pluginconf.d
  [root@localhost pluginconf.d]# cat rhnplugin.conf
  [main]
  enabled = 1
  gpgcheck = 1

  # You can specify options per channel, e.g.:
  #
  #[rhel-i386-server-5]
  #enabled = 1
  #
  #[some-unsigned-custom-channel]
  #gpgcheck = 0
  ```
- Run the `yum update` command:

  ```
  [root@localhost pluginconf.d]# ...
  ----------------------------------------------------------------------
  Total                                      2.7 MB/s | 341 MB     02:07
  warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
  rhel-x86_64-server-5/gpgkey                         | 1.1 kB     00:00
  Importing GPG key 0x37017186 "Red Hat, Inc. (release key) <security@redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  Is this ok [y/N]: y
  Running rpm_check_debug
  Running Transaction Test
  Finished Transaction Test
  Transaction Test Succeeded
  Running Transaction
    Updating       : libgcc                                        1/383
    Updating       : selinux-policy
  ...
  Complete!
  [root@localhost pluginconf.d]#
  ```
- If using kickstart from Satellite, depending upon the version, a Satellite update might be required to get the `rpm` key properly imported. Refer to [Kickstart installation from Satellite v5.3/v5.4 does not import rpm gpg key for RHEL 5.](https://access.redhat.com/knowledge/solutions/37240) for further details. Or just add the `rpm --import` to your `%post`:

  ```
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  ```
- Run the following command on the system that is not working and get the `yumupdate.log` file:

  ```
  yum update -y | tee -a yumupdate.log
  ```
- Check if the keys already installed match the required keys or the keys that were used in signing the `rpms` being updated:

  ```
  rpm -qa gpg-pubkey
  ```
- Look at the activation key used and cross-reference it against the Satellite server, specifically which custom channel the activation key aligns to. Go into the Satellite server and click on that channel. Check the `GPG key URL` field and confirm that it looks like this:

  ```
  GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  ```
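The `yumupdate.log` capture and the `rpm -qa gpg-pubkey` listing from the steps above can be compared mechanically. The following is an added example, not part of the original article: the function names are hypothetical, the sample input in `demo` is constructed, and it assumes imported keys appear in the rpm database as `gpg-pubkey-<keyid>-<release>`.

```shell
#!/bin/sh
# Added example: report signing key IDs that yum flagged as NOKEY and
# that are still absent from the rpm database.
# Typical use on the affected system:
#   missing_keys yumupdate.log "$(rpm -qa gpg-pubkey)"

# Print each distinct 8-hex-digit key ID found in
# "NOKEY, key ID xxxxxxxx" warnings in the log file $1.
nokey_ids() {
    sed -n 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' "$1" |
        tr 'A-F' 'a-f' | sort -u
}

# $1 = log file, $2 = output of `rpm -qa gpg-pubkey` (one package per line).
# Prints every NOKEY key ID that has no gpg-pubkey-<keyid>-* package.
missing_keys() {
    for id in $(nokey_ids "$1"); do
        if ! printf '%s\n' "$2" | grep -q "^gpg-pubkey-$id-"; then
            printf '%s\n' "$id"
        fi
    done
}

# Constructed sample: the warning line format is the one shown in the
# yum output above; the installed package name is made up.
demo() {
    log=$(mktemp)
    printf '%s\n' \
        'Total 2.7 MB/s | 341 MB 02:07' \
        'warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186' \
        > "$log"
    missing_keys "$log" 'gpg-pubkey-0000abcd-00000000'
    rm -f "$log"
}
```

An empty result means every key named in a NOKEY warning is already imported; any ID printed still needs the `rpm --import` or the channel's GPG key URL fix described under Resolution.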
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.