uyuni-project / uyuni

Source code for Uyuni
https://www.uyuni-project.org/
GNU General Public License v2.0

Question - yum channel metadata sign. #4965

Open vampywiz17 opened 2 years ago

vampywiz17 commented 2 years ago

Question

Hello there,

I am trying to set up metadata signing with yum repos (CentOS 7).

What is the correct way to set it? I tried everything, set it the same as with the Ubuntu channels (which work well), but it does not help at all...

ERROR. Channel centos7-uyuni-client-x86_64. Cached metadata is not signed.
ERROR. Channel centos7-x86_64. Cached metadata is not signed.
ERROR. Channel centos7-x86_64-custom-packages. Cached metadata is not signed.
ERROR. Channel centos7-x86_64-epel-packages. Cached metadata is not signed.
ERROR. Channel centos7-x86_64-extras. Cached metadata is not signed.
ERROR. Channel centos7-x86_64-updates. Cached metadata is not signed.
ERROR. Channel docker_repo. Cached metadata is not signed.
OK. Channel gitlab_repo. Cached metadata is signed.
ERROR. Channel mysql_80_community. Cached metadata is not signed.
ERROR. Channel nginx-stable. Cached metadata is not signed.
ERROR. Channel remi-php72. Cached metadata is not signed.
ERROR. Channel remi-php74. Cached metadata is not signed.
ERROR. Channel remi-safe. Cached metadata is not signed.
OK. Channel ubuntu-18.04-pool-amd64-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-main-security-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-main-updates-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-main-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-universe-backport-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-universe-updates-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-universe-uyuni. Cached metadata is signed.
OK. Channel ubuntu-1804-amd64-uyuni-client. Cached metadata is signed.
OK. Channel urbackup_repo. Cached metadata is signed.
ERROR. Channel urbackup_repo_centos. Cached metadata is not signed.

I think this problem is connected to this one:

https://github.com/uyuni-project/uyuni/issues/4855

Because the above only happens with CentOS repos.

mcalmer commented 2 years ago

Is this reposync on the Uyuni Server? Or is this on the client, where you want to sign the metadata of the channels Uyuni generates for the client?

Can yum on CentOS 7 check the metadata signature at all? AFAIK Red Hat does not sign them in version 7. So I wonder if yum can handle this at all?

vampywiz17 commented 2 years ago

@mcalmer

Is this reposync on the Uyuni Server?

Yes

My main problem is that: https://github.com/uyuni-project/uyuni/issues/4855

I only think that the two things are connected to each other.

The problem is that from time to time I get a 404 error if I try to update a CentOS 7 client:

susemanager:nginx-stable/signature                                                                                                    | 1.3 kB  00:00:00 !!!
https://hun25-14v.hft.rosenberger.local:443/rhn/manager/download/remi-php72/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.

susemanager:remi-php72                                                                                                                | 1.3 kB  00:00:00

 One of the configured repositories failed (Remi's PHP 7.2 RPM repository for Enterprise Linux 7),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=susemanager:remi-php72 ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable susemanager:remi-php72
        or
            subscription-manager repos --disable=susemanager:remi-php72

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=susemanager:remi-php72.skip_if_unavailable=true

failure: repodata/repomd.xml.asc from susemanager:remi-php72: [Errno 256] No more mirrors to try.
https://hun25-14v.hft.rosenberger.local:443/rhn/manager/download/remi-php72/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

Only these commands solve this:

rm -rf /var/cache/rhn/repodata/*

mgr-sign-metadata-ctl regen-metadata

But I don't know why I need to run it from time to time...

My config: (two screenshots, not included here)

mcalmer commented 2 years ago

We need to separate 2 things here:

  1. The repo we want to sync from upstream has signed metadata and we want to use it. In this case you need to check the "Has signed Metadata?" checkbox in "Repository Details". If you do this, you need to trust the GPG key, and the signature must exist and be valid. If the repo is not signed, you must uncheck that checkbox. Otherwise it will not work.
  2. Clients connected to Uyuni should use signed metadata. First, this means you need your own GPG key and you need to sign the metadata with it. That key must be trusted on every client. We have these docs for it. If you follow them, the signature should always be generated when the metadata are regenerated. If this does not work automatically, we have a bug. The main point is that you need to "enable" this feature with mgr-sign-metadata-ctl enable ....
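The second point above (the signature must exist, be current and be valid for the key the clients trust) can be checked on the server before a client ever sees a 404 on repomd.xml.asc. The script below is an added example, not Uyuni's own code; it assumes the cache layout `<cache>/<channel>/repomd.xml` with a detached `repomd.xml.asc` beside it (the path shape the errors above show), and takes an optional keyring file holding the signing key for a full gpg verification.

```shell
#!/bin/sh
# Added example (not Uyuni code): audit an Uyuni server's cached channel
# metadata the way the "Cached metadata is (not) signed" report above does.
# Assumed layout: <cache>/<channel>/repomd.xml plus repomd.xml.asc when signed,
# e.g. /var/cache/rhn/repodata/<channel>/ on the server.

# check_channel <channel-dir> [keyring]
# Returns 0 if the channel looks correctly signed, 1 otherwise (reason on stderr).
check_channel() {
    md="$1/repomd.xml"; sig="$1/repomd.xml.asc"; keyring=$2
    if [ ! -f "$md" ]; then
        echo "$1: no repomd.xml" >&2; return 1
    fi
    if [ ! -s "$sig" ]; then
        # This is exactly what clients see as a 404 on repomd.xml.asc.
        echo "$1: repomd.xml.asc missing or empty" >&2; return 1
    fi
    if ! head -n 1 "$sig" | grep -q '^-----BEGIN PGP SIGNATURE-----$'; then
        echo "$1: repomd.xml.asc is not an ASCII-armored PGP signature" >&2; return 1
    fi
    # Metadata regenerated without re-signing leaves a signature older than the
    # file it covers; such a signature will not verify on the client.
    if [ "$md" -nt "$sig" ]; then
        echo "$1: repomd.xml is newer than its signature (stale)" >&2; return 1
    fi
    # Cryptographic check only when a keyring with the signing key is supplied.
    if [ -n "$keyring" ] && command -v gpg >/dev/null 2>&1; then
        if ! gpg --no-default-keyring --keyring "$keyring" \
                 --verify "$sig" "$md" >/dev/null 2>&1; then
            echo "$1: signature does not verify against $keyring" >&2; return 1
        fi
    fi
    return 0
}

# audit_cache <cache-dir> [keyring]: one report line per channel directory.
audit_cache() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if check_channel "${d%/}" "$2" 2>/dev/null; then
            echo "OK. Channel $name. Cached metadata is signed."
        else
            echo "ERROR. Channel $name. Cached metadata is not signed."
        fi
    done
}
```

Run `audit_cache /var/cache/rhn/repodata /path/to/signing-keyring.gpg` on the server; a channel reported as ERROR is one whose clients will fail on repomd.xml.asc, and the stale case is the one that a regen-metadata run fixes.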