RHEL 5.8 gpg key is not getting imported via yum when system is registered to a custom Satellite channel


Environment

  • Red Hat Enterprise Linux (RHEL)
    • 5.8
  • Custom Red Hat Satellite channel

Issue

  • The GPG key is not imported through the repository file in /etc/yum.repos.d/. Importing it manually with rpm --import <key file> works, but the standard configuration is the file in /etc/yum.repos.d/. Its entries are shown below.

    [example-base]
    name=Red Hat Enterprise Linux $releasever - $basearch - basic
    baseurl=http://xxx.na.xxx.com/Server
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    
    [updates]
    name=Red Hat Enterprise Linux $releasever - $basearch - Updates
    baseurl=http://xxx.na.xxx.com/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    

Resolution

A fresh install from a DVD kickstart tree does not import the key from the redhat-release package into the rpm database. Choose one of the two solutions described below:

  • Confirm that the custom channel you created has its GPG key URL: field pointing to the correct key:

    GPG key URL:    file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    
  • The above is required when using the rhnplugin instead of yum.

Or:

  • Add a %post that does the following:

    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    

Root Cause

Missing gpg key URL (file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) in channel configuration.

Diagnostic Steps

  1. If the system was registered to an internal Satellite server, for instance with /usr/sbin/rhnreg_ks --force --activationkey=$KEY --serverUrl=https://$Sat_Server/XMLRPC, the repository configuration will not be in /etc/yum.repos.d. When hooked to a Satellite server, yum uses what is in /etc/yum/pluginconf.d/ instead:

    [root@localhost pluginconf.d]# rhnreg_ks --username=satadmin --password=xyz123 --serverUrl=http://192.168.1.6/XMLRPC
    
    [root@localhost pluginconf.d]# pwd
    /etc/yum/pluginconf.d
    [root@localhost pluginconf.d]# cat rhnplugin.conf
    [main]
    enabled = 1
    gpgcheck = 1
    
    # You can specify options per channel, e.g.:
    #
    #[rhel-i386-server-5]
    #enabled = 1
    #
    #[some-unsigned-custom-channel]
    #gpgcheck = 0
    
  2. Run the yum update command:

    [root@localhost pluginconf.d]# yum update
    ...
    --------------------------------------------------------------------------------
    Total                                           2.7 MB/s | 341 MB     02:07
    warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
    rhel-x86_64-server-5/gpgkey                              | 1.1 kB     00:00
    Importing GPG key 0x37017186 "Red Hat, Inc. (release key) <security@redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    Is this ok [y/N]: y
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Updating       : libgcc                                  1/383
    Updating       : selinux-policy
    ...
    Complete!
    [root@localhost pluginconf.d]#
    
    • If using kickstart from Satellite, depending upon the version, a Satellite update might be required to get the `rpm` key properly imported. Refer to [Kickstart installation from Satellite v5.3/v5.4 does not import rpm gpg key for RHEL 5](https://access.redhat.com/knowledge/solutions/37240) for further details. Or just add the `rpm --import` to your `%post`:
    
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    
  3. Run the following command on the system that is not working and collect the yumupdate.log file:

    yum update -y | tee -a yumupdate.log
    
  4. Check if the keys already installed match the required keys or the keys that were used in signing the rpms being updated:

    rpm -qa gpg-pubkey
    
  5. Look at the activation key used and cross-reference it against the Satellite server, specifically which custom channel the activation key aligns to. Go into the Satellite server and click on that channel. Check the GPG key URL field and confirm that it looks like this:

    GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
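
The comparison in step 4 as a script, added here as an example and not part of the original article: it pulls the key IDs that yum reported as NOKEY out of yumupdate.log and lists those with no matching gpg-pubkey package. The function names, the sample log and the package lists are constructed for illustration; on a real system the package list comes from rpm -qa gpg-pubkey.

```shell
#!/bin/sh
# Added example: cross-check NOKEY warnings against installed gpg-pubkey packages.

# Print the unique key IDs (8 hex digits, lower case) that yum flagged as NOKEY.
# $1 = yum log, e.g. the yumupdate.log from step 3
nokey_ids() {
    sed -n 's/.*NOKEY, key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' "$1" | tr 'A-F' 'a-f' | sort -u
}

# Print the key IDs in saved `rpm -qa gpg-pubkey` output.
# Package names have the form gpg-pubkey-<key id>-<creation time>.
installed_ids() {
    sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-[0-9a-f]\{8\}$/\1/p' "$1" | sort -u
}

# Print every key ID that signed a package but is absent from the rpm database.
# $1 = yum log, $2 = file holding `rpm -qa gpg-pubkey` output
missing_ids() {
    for id in $(nokey_ids "$1"); do
        installed_ids "$2" | grep -qx "$id" || echo "$id"
    done
}

# --- Constructed sample data (not captured from a real system) ---
tmp=$(mktemp -d)
cat > "$tmp/yumupdate.log" <<'EOF'
Total                                           2.7 MB/s | 341 MB     02:07
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186
EOF
# Before the import: only an unrelated (made-up) key is installed.
cat > "$tmp/before.txt" <<'EOF'
gpg-pubkey-0123abcd-4a5b6c7d
EOF
# After rpm --import: the release key ID appears (creation-time field is a placeholder).
cat > "$tmp/after.txt" <<'EOF'
gpg-pubkey-0123abcd-4a5b6c7d
gpg-pubkey-37017186-00000000
EOF

echo "missing before import: $(missing_ids "$tmp/yumupdate.log" "$tmp/before.txt")"
echo "missing after import:  $(missing_ids "$tmp/yumupdate.log" "$tmp/after.txt")"
```

An empty result after the import means every key that yum complained about is now in the rpm database.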
    
