Author Topic: yum install --nogpgcheck and friends  (Read 488 times)


Offline yumhamster

yum install --nogpgcheck and friends
« on: May 16, 2021, 01:43:03 am »
Hi all,

I'm trying to use yum whilst building a docker image.  Standard stuff.  The docker image is built on a gitlab-runner (via kaniko).  Again standard stuff.

I am trying to install centos-release-scl which has an associated gpg key for rpm verification.

$ yum install -y centos-release-scl

The gitlab admins, in their wisdom, have mounted the gitlab-runner docker volume /etc/pki read-only, which causes my yum install to fail since it is unable to write the gpg key to /etc/pki/rpm-gpg/ .  They will not change this behaviour.

Is there a way to stop yum from downloading the gpg signature?  It seems there are ways to ask for no gpg checking (eg. via 'gpgcheck = 0' or 'yum install --nogpgcheck' or 'setting yum.conf [main] gpgcheck=0'), but still yum insists on downloading the gpg signature.  And the docker build fails.

/etc/yum/conf
===========
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
override_install_langs=en_US.utf8
tsflags=nodocs


/etc/yum.repo.d/my.repo
==================
[CentOS_7_extras_x86_64]
metadata_expire = 1
enabled_metadata = 1
sslclientcert = /etc/pki-docker/entitlement/5503589818749365981.pem
baseurl = https://path/to/CentOS_7/extras_x86_64
sslverify = 1
name = co7_extras_x86_64
sslclientkey = /etc/pki-docker/entitlement/5503589818749365981-key.pem
gpgkey = https://path/to/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 0

You will notice I have changed /etc/pki to /etc/pki-docker above.  This works well for non-gpg checked repos;  presumably ones where the gpg does not exist at all on the remote satellite mirror.

Running the yum install in a local docker container (ie. not via a gitlab-runner) results in the following, highlighting where the gpg signature is downloaded to before installation.

[[email protected] bin]# ls -ltr /etc/pki/rpm-gpg/
total 16
-rw-r--r--.   1 root root 1057 Oct 29  2018 RPM-GPG-KEY-CentOS-SIG-SCLo
   :


Is there a way to stop this?  Alternatively (and preferably) is there a way to have the key saved to my /etc/pki-docker/rpm-gpg directory and installed from there?  Allowing gpg checking to take place?

Help me Obi Wan.  I'm really stumped! 
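
An added example (not part of either post, and not yum's own code): a small Python audit that computes the effective gpgcheck for each enabled repo from the two files quoted in the question. It shows that the repo-level `gpgcheck = 0` takes precedence over `gpgcheck=1` in `[main]`, so packages from that repo are installed without signature verification. The function names, the trimmed sample text and the fallback used when neither file sets the option are assumptions.

```python
import configparser

# Constructed sample input, trimmed from the two files quoted in the question.
YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
"""
REPO_FILE = """\
[CentOS_7_extras_x86_64]
baseurl = https://path/to/CentOS_7/extras_x86_64
gpgkey = https://path/to/gpg_key_content
enabled = 1
gpgcheck = 0
"""

def _parse(text):
    # interpolation=None keeps yum variables and any '%' in URLs literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _as_bool(value):
    return value.strip().lower() in ("1", "yes", "true")

def audit_gpgcheck(main_text, repo_texts, builtin_default="0"):
    """Return one dict per enabled repo with its effective gpgcheck setting."""
    # builtin_default is an assumption, used only when neither file sets gpgcheck.
    main_value = _parse(main_text).get("main", "gpgcheck", fallback=builtin_default)
    findings = []
    for text in repo_texts:
        repos = _parse(text)
        for repo_id in repos.sections():
            sec = repos[repo_id]
            if not _as_bool(sec.get("enabled", "1")):
                continue  # disabled repos are never consulted
            # A repo-level gpgcheck overrides the [main] default.
            if "gpgcheck" in sec:
                value, set_by = sec["gpgcheck"], "repo"
            else:
                value, set_by = main_value, "main"
            findings.append({"repo": repo_id, "gpgcheck": _as_bool(value),
                             "set_by": set_by, "gpgkey": sec.get("gpgkey")})
    return findings

if __name__ == "__main__":
    for f in audit_gpgcheck(YUM_CONF, [REPO_FILE]):
        state = "verified" if f["gpgcheck"] else "NOT verified"
        print(f"{f['repo']}: packages {state} (set by {f['set_by']}), key={f['gpgkey']}")
```

Run against the real `/etc/yum.conf` and every file under the repo directory, it lists each repo whose packages would be installed unverified even though `[main]` asks for checking.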

Offline Keith

Re: yum install --nogpgcheck and friends
« Reply #1 on: May 16, 2021, 09:11:01 am »
Hello Yumhamster - and welcome to the Forum.

First of all, please read the "New Members Start Here" boards before submitting your posts, or they may be deleted.

I am not familiar with this subject but I noticed a couple of things. 
1. Did the system provide any error messages during the attempted installation?  If so, please post them - the more information that you provide the easier it is for people to assist. 
2. Although the file /etc/pki/rpm-gpg/ is writable by the owner, you might like to try changing the permissions:
Code: [Select]
sudo chmod 777 /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo
just to cover all possibilities.  Overkill, I know, but worth a try. 
3. Have you checked that the paths to CentOS_7/extras_x86_64 and gpg_key_content actually work?  (always a good idea to provide the paths in your post)

Have a look at
https://stackoverflow.com/questions/42974465/package-verification-keys-for-centos-scl-rpms
https://centos.org/keys/
http://stackoverflow.com/questions/42974465/ddg#43341122
https://unix.stackexchange.com/questions/207907/how-to-fix-gpg-key-retrieval-failed-errno-14

Keith
« Last Edit: May 16, 2021, 09:12:58 am by Keith »

The Linux Community Forum
