[Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and Support level

Mattias Giese giese at b1-systems.de
Mon Oct 12 17:19:08 UTC 2015 

Heya,

On 12/10/15 14:59:42, Will, Chris wrote:
> Thanks for your help.  So I can assume that when I issue the rpm -qip xxx command on the spacewalk server, it will always show the NOKEY.  Which key should be copied/imported to the client?  I have a few in the /pub directory.
> 
> RHN-ORG-TRUSTED-SSL-CERT-SUSE
> RHN-ORG-TRUSTED-SSL-CERT-SLES <- This is the one I copied from Novell.

Well, that depends on the distribution release. Normally the key is imported during the installation
process. Do not name the gpg keys RHN-ORG-TRUSTED-SSL-CERT* because it is misleading.
RHN-ORG-TRUSTED-SSL-CERT is the SSL CA certificate, not a gpg public key.
If that's not the case you may find the needed keys on the installation media in the root.
Example using SLE12:

<snip>
vagrant at sles12:~> cd /path/to/installmedia-mountpoint/
vagrant at sles12:~> ls gpg-pubkey-*
gpg-pubkey-39db7c82-510a966b.asc  gpg-pubkey-50a3dd1c-50f35137.asc
rpm --import gpg-pubkey-39db7c82-510a966b.asc
rpm --import gpg-pubkey-50a3dd1c-50f35137.asc
vagrant at sles12:~> rpm -qa |grep gpg-pubkey
gpg-pubkey-39db7c82-510a966b
gpg-pubkey-50a3dd1c-50f35137
</snip>

But as i said earlier: the SUSE signing key should already be imported on a system which was
properly installed.

HTH,

Mattias


> 
> RHN-ORG-TRUSTED-SSL-CERT
> 
> Chris Will
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Reed, Steven
> Sent: Saturday, October 10, 2015 8:59 AM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and Support level
> 
> Mattias is correct when used with spacewalk zypper uses the --no-gpgkeys option.  Remove the gpg info.
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Mattias Giese
> Sent: Saturday, 10 October 2015 8:17 PM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and Support level
> 
> Heya,
> 
> On 09/10/15 14:10:09, Will, Chris wrote:
> > Hello,
> >
> > I have the following issue when I try to update my SLES 11 SP3 servers.
> >
> > The following packages are going to be upgraded:
> >   inst-source-utils libgcrypt11 libgcrypt11-32bit libicu libmysqlclient_r15 spacewalk-check spacewalk-client-setup
> >   spacewalk-client-tools spacewalksd zypp-plugin-spacewalk
> >
> > The following packages are not supported by their vendor:
> >   inst-source-utils libgcrypt11 libgcrypt11-32bit libicu libmysqlclient_r15 spacewalk-check spacewalk-client-setup
> >   spacewalk-client-tools spacewalksd zypp-plugin-spacewalk
> >
> > When I list the RPM packages with rpm -qip xxxxx I get the following output.
> >
> > php53-sysvshm-5.3.17-45.1.s390x.rpm
> > [root at rhelspacedev1 4bbe516c1893601f2f8015845a646094]# rpm -qip 
> > php53-sysvshm-5.3.17-45.1.s390x.rpm
> > warning: php53-sysvshm-5.3.17-45.1.s390x.rpm: Header V3 RSA/SHA256 Signature, key ID 307e3d54: NOKEY
> > Name        : php53-sysvshm                Relocations: (not relocatable)
> > Version     : 5.3.17                            Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
> > Release     : 45.1                          Build Date: Wed 29 Jul 2015 04:37:43 AM EDT
> > Install Date: (not installed)               Build Host: s390lp5
> > Group       : Development/Languages/Other   Source RPM: php53-5.3.17-45.1.src.rpm
> > Size        : 14849                            License: PHP-3.01
> > Signature   : RSA/8, Tue 01 Sep 2015 12:58:36 AM EDT, Key ID e3a5c360307e3d54
> > Packager    : https://www.suse.com/
> > URL         : http://www.php.net
> > Summary     : PHP5 Extension Module
> > Description :
> > PHP interface for System V shared memory.
> >
> > Authors: The PHP Group See http://www.php.net/credits.php for more 
> > details
> 
> You have not imported the gpg keys an the system itself (using rpm
> --import)
> >
> > I also have the GPG key URL, GPG key ID and GPG key Fingerprint fields filled in.  I can successfully mirror channels but not sure why I am getting the above errors.
> 
> I find it kinda interesting that repository refreshing itself works. For SUSE systems you should not configure any GPG settings for a channel, because it will IIRC cause the spacewalk plugin for zypper to turn on gpg checking globally (for repo metadata and packages). As spacewalk cannot sign repository metadata zypper shoulld refuse to do anything at all. zypper will turn off gpg checking if you remove the gpg info from the channel and it should work for you. This is also the default with SUSE Manager.
> 
> Regards,
> 
> Mattias
> 
> --
> Mattias Giese
> System Management & Monitoring Architect
> 
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
> 
> This email (including any attachments) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee(s). If you have received this email in error, please notify the sender by return email, delete this email and destroy any copy. Any use, distribution, disclosure or copying of this email by a person who is not the intended recipient is not authorised.
> 
> Views expressed in this email are those of the individual sender, and are not necessarily the views of Transport for NSW, Department of Transport or any other NSW government agency. Transport for NSW and the Department of Transport assume no liability for any loss, damage or other consequence which may arise from opening or using an email or attachment.
> Please visit us at http://www.transport.nsw.gov.au or http://www.transportnsw.info
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
> 
> The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
>  
>  Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list

-- 
Mattias Giese
System Management & Monitoring Architect

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20151012/a2f22f4f/attachment.sig>

More information about the Spacewalk-list mailing list