yum install --nogpgcheck and friends

Hi all,

I’m trying to use yum whilst building a docker image. Standard stuff. The docker image is built on a gitlab-runner (via kaniko). Again standard stuff.

I am trying to install centos-release-scl which has an associated gpg key for rpm verification.

$ yum install -y centos-release-scl

The gitlab admins, in their wisdom, have mounted the gitlab-runner docker volume /etc/pki read-only, which causes my yum install to fail since it is unable to write the gpg key to /etc/pki/rpm-gpg/ . They will not change this behaviour.

Is there a way to stop yum from downloading the gpg signature? It seems there are ways to ask for no gpg checking (e.g. via ‘gpgcheck = 0’ or ‘yum install --nogpgcheck’ or ‘setting yum.conf [main] gpgcheck=0’), but still yum insists on downloading the gpg signature. And the docker build fails.

/etc/yum/conf

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
override_install_langs=en_US.utf8
tsflags=nodocs

/etc/yum.repo.d/my.repo

[CentOS_7_extras_x86_64]
metadata_expire = 1
enabled_metadata = 1
sslclientcert = /etc/pki-docker/entitlement/5503589818749365981.pem
baseurl = https://path/to/CentOS_7/extras_x86_64
sslverify = 1
name = co7_extras_x86_64
sslclientkey = /etc/pki-docker/entitlement/5503589818749365981-key.pem
gpgkey = https://path/to/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 0

You will notice I have changed /etc/pki to /etc/pki-docker above. This works well for non-gpg checked repos; presumably ones where the gpg does not exist at all on the remote satellite mirror.

Running the yum install in a local docker container (i.e. not via a gitlab-runner) results in the following, highlighting where the gpg signature is downloaded to before installation.

[root@9c2e5704abf5 bin]# ls -ltr /etc/pki/rpm-gpg/
total 16
-rw-r--r--. 1 root root 1057 Oct 29 2018 RPM-GPG-KEY-CentOS-SIG-SCLo
:

Is there a way to stop this? Alternatively (and preferably) is there a way to have the key saved to my /etc/pki-docker/rpm-gpg directory and installed from there? Allowing gpg checking to take place?

Help me Obi Wan. I’m really stumped!
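
An added example, not part of the original post: a small audit that computes each repo's effective gpgcheck from configuration like that quoted above, where the repo-level gpgcheck = 0 overrides gpgcheck=1 in [main]. The scl_example repo and its file:// key path are constructed for contrast, and the function names are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample input. [main] and the first repo mirror the settings
# quoted in the post; "scl_example" is a hypothetical repo added for contrast.
YUM_CONF = "[main]\ngpgcheck=1\n"
REPO_FILE = """\
[CentOS_7_extras_x86_64]
baseurl = https://path/to/CentOS_7/extras_x86_64
gpgkey = https://path/to/gpg_key_content
enabled = 1
gpgcheck = 0

[scl_example]
baseurl = https://path/to/scl_example
gpgkey = file:///etc/pki-docker/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo
enabled = 1
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _as_bool(value):
    return value.strip().lower() in {"1", "yes", "true"}

def audit_repos(yum_conf_text, repo_text):
    """Return one finding per enabled repo with its effective gpgcheck."""
    main = _parse(yum_conf_text)
    # Assumption of this example: treated as off when [main] does not set it.
    main_gpgcheck = _as_bool(main.get("main", "gpgcheck", fallback="0"))
    findings = []
    repos = _parse(repo_text)
    for name in repos.sections():
        sec = repos[name]
        if not _as_bool(sec.get("enabled", "1")):
            continue
        # A repo-level gpgcheck overrides [main]; otherwise it is inherited.
        effective = _as_bool(sec["gpgcheck"]) if "gpgcheck" in sec else main_gpgcheck
        keys = sec.get("gpgkey", "").split()
        issues = []
        if not effective:
            issues.append("package signatures are not verified")
        issues += [f"key fetched without TLS: {k}" for k in keys
                   if urlparse(k).scheme not in ("https", "file")]
        findings.append({"repo": name, "gpgcheck": effective,
                         "gpgkeys": keys, "issues": issues})
    return findings
```

Calling `audit_repos(YUM_CONF, REPO_FILE)` reports the first repo as unverified despite the global setting, while the repo without its own gpgcheck line inherits verification from [main].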

Hello Yumhamster - and welcome to the Forum.

First of all, please read the “New Members Start Here” boards before submitting your posts, or they may be deleted.

I am not familiar with this subject but I noticed a couple of things.

  1. Did the system provide any error messages during the attempted installation? If so, please post them - the more information that you provide the easier it is for people to assist.
  2. Although the file /etc/pki/rpm-gpg/ is writable by the owner, you might like to try changing the permissions:
     sudo chmod 777 /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-SCLo
     just to cover all possibilities. Overkill, I know, but worth a try.
  3. Have you checked that the paths to CentOS_7/extras_x86_64 and gpg_key_content actually work? (always a good idea to provide the paths in your post)

Have a look at

https://centos.org/keys/

Keith