[Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and Support level

Will, Chris CWill at bcbsm.com
Mon Oct 19 15:57:18 UTC 2015 

I have removed the gpg info from the channels, rebuilt the rpm database on the spacewalk server but I am still getting the following message on a spacewalk client on the "zypper up" command.

The following packages are going to be upgraded:
  glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit inst-source-utils kernel-default kernel-default-base kernel-default-man libgcrypt11 libgcrypt11-32bit nscd openssh release-notes-sles rpcbind
  s390-tools spacewalk-check spacewalk-client-setup spacewalk-client-tools suseRegisterInfo timezone usbutils xorg-x11-Xvnc zypp-plugin-spacewalk

The following packages are not supported by their vendor:
  glibc glibc-32bit glibc-i18ndata glibc-locale glibc-locale-32bit inst-source-utils kernel-default kernel-default-base kernel-default-man libgcrypt11 libgcrypt11-32bit nscd openssh release-notes-sles rpcbind
  s390-tools spacewalk-check spacewalk-client-setup spacewalk-client-tools suseRegisterInfo timezone usbutils xorg-x11-Xvnc zypp-plugin-spacewalk

This is for a SLES 11 SP4 install.  I have the following gpg keys installed on this client.

gpg-pubkey-1d061a62-4bd70bfa
gpg-pubkey-81a30249-4cc82afd
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-81a30249-4cc82afd
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-9c800aca-4be01999
gpg-pubkey-81a30249-4cc82afd
gpg-pubkey-81a30249-4cc82afd
gpg-pubkey-a1912208-446a0899
gpg-pubkey-b37b98a9-4be01a1a
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-7e2e3b05-4be037ca
gpg-pubkey-81a30249-4cc82afd

Chris Will

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Mattias Giese
Sent: Monday, October 12, 2015 1:19 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and Support level

Heya,

On 12/10/15 14:59:42, Will, Chris wrote:
> Thanks for your help.  So I can assume that when I issue the rpm -qip xxx command on the spacewalk server, it will always show the NOKEY.  Which key should be copied/imported to the client?  I have a few in the /pub directory.
> 
> RHN-ORG-TRUSTED-SSL-CERT-SUSE
> RHN-ORG-TRUSTED-SSL-CERT-SLES <- This is the one I copied from Novell.

Well, that depends on the distribution release. Normally the key is imported during the installation process. Do not name the gpg keys RHN-ORG-TRUSTED-SSL-CERT* because it is misleading.
RHN-ORG-TRUSTED-SSL-CERT is the SSL CA certificate, not a gpg public key.
If that's not the case you may find the needed keys on the installation media in the root.
Example using SLE12:

<snip>
vagrant at sles12:~> cd /path/to/installmedia-mountpoint/ vagrant at sles12:~> ls gpg-pubkey-* gpg-pubkey-39db7c82-510a966b.asc  gpg-pubkey-50a3dd1c-50f35137.asc rpm --import gpg-pubkey-39db7c82-510a966b.asc rpm --import gpg-pubkey-50a3dd1c-50f35137.asc vagrant at sles12:~> rpm -qa |grep gpg-pubkey gpg-pubkey-39db7c82-510a966b
gpg-pubkey-50a3dd1c-50f35137
</snip>

But as i said earlier: the SUSE signing key should already be imported on a system which was properly installed.

HTH,

Mattias


> 
> RHN-ORG-TRUSTED-SSL-CERT
> 
> Chris Will
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com 
> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Reed, Steven
> Sent: Saturday, October 10, 2015 8:59 AM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and 
> Support level
> 
> Mattias is correct when used with spacewalk zypper uses the --no-gpgkeys option.  Remove the gpg info.
> 
> -----Original Message-----
> From: spacewalk-list-bounces at redhat.com 
> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Mattias Giese
> Sent: Saturday, 10 October 2015 8:17 PM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Issues with SLES 11 SP3 - NOKEY and 
> Support level
> 
> Heya,
> 
> On 09/10/15 14:10:09, Will, Chris wrote:
> > Hello,
> >
> > I have the following issue when I try to update my SLES 11 SP3 servers.
> >
> > The following packages are going to be upgraded:
> >   inst-source-utils libgcrypt11 libgcrypt11-32bit libicu libmysqlclient_r15 spacewalk-check spacewalk-client-setup
> >   spacewalk-client-tools spacewalksd zypp-plugin-spacewalk
> >
> > The following packages are not supported by their vendor:
> >   inst-source-utils libgcrypt11 libgcrypt11-32bit libicu libmysqlclient_r15 spacewalk-check spacewalk-client-setup
> >   spacewalk-client-tools spacewalksd zypp-plugin-spacewalk
> >
> > When I list the RPM packages with rpm -qip xxxxx I get the following output.
> >
> > php53-sysvshm-5.3.17-45.1.s390x.rpm
> > [root at rhelspacedev1 4bbe516c1893601f2f8015845a646094]# rpm -qip 
> > php53-sysvshm-5.3.17-45.1.s390x.rpm
> > warning: php53-sysvshm-5.3.17-45.1.s390x.rpm: Header V3 RSA/SHA256 Signature, key ID 307e3d54: NOKEY
> > Name        : php53-sysvshm                Relocations: (not relocatable)
> > Version     : 5.3.17                            Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
> > Release     : 45.1                          Build Date: Wed 29 Jul 2015 04:37:43 AM EDT
> > Install Date: (not installed)               Build Host: s390lp5
> > Group       : Development/Languages/Other   Source RPM: php53-5.3.17-45.1.src.rpm
> > Size        : 14849                            License: PHP-3.01
> > Signature   : RSA/8, Tue 01 Sep 2015 12:58:36 AM EDT, Key ID e3a5c360307e3d54
> > Packager    : https://www.suse.com/
> > URL         : http://www.php.net
> > Summary     : PHP5 Extension Module
> > Description :
> > PHP interface for System V shared memory.
> >
> > Authors: The PHP Group See http://www.php.net/credits.php for more 
> > details
> 
> You have not imported the gpg keys an the system itself (using rpm
> --import)
> >
> > I also have the GPG key URL, GPG key ID and GPG key Fingerprint fields filled in.  I can successfully mirror channels but not sure why I am getting the above errors.
> 
> I find it kinda interesting that repository refreshing itself works. For SUSE systems you should not configure any GPG settings for a channel, because it will IIRC cause the spacewalk plugin for zypper to turn on gpg checking globally (for repo metadata and packages). As spacewalk cannot sign repository metadata zypper shoulld refuse to do anything at all. zypper will turn off gpg checking if you remove the gpg info from the channel and it should work for you. This is also the default with SUSE Manager.
> 
> Regards,
> 
> Mattias
> 
> --
> Mattias Giese
> System Management & Monitoring Architect
> 
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
> 
> This email (including any attachments) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee(s). If you have received this email in error, please notify the sender by return email, delete this email and destroy any copy. Any use, distribution, disclosure or copying of this email by a person who is not the intended recipient is not authorised.
> 
> Views expressed in this email are those of the individual sender, and are not necessarily the views of Transport for NSW, Department of Transport or any other NSW government agency. Transport for NSW and the Department of Transport assume no liability for any loss, damage or other consequence which may arise from opening or using an email or attachment.
> Please visit us at http://www.transport.nsw.gov.au or 
> http://www.transportnsw.info
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
> 
> The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
>  
>  Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list

--
Mattias Giese
System Management & Monitoring Architect

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537


The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.

More information about the Spacewalk-list mailing list