Bug 1358942 - deployments shown as '(unsigned)' in output of 'rpm-ostree status' despite being signed
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm-ostree-client
Version: 7.2
Target Milestone: rc
Assignee: Colin Walters
QA Contact: atomic-bugs@redhat.com
Reported: 2016-07-21 20:27 UTC by Micah Abbott
Modified: 2016-08-08 22:25 UTC (History)

Description Micah Abbott 2016-07-21 20:27:31 UTC
Related upstream issue(s):  
- https://github.com/projectatomic/rpm-ostree/issues/399
- https://github.com/projectatomic/rpm-ostree/issues/401

In the new output of 'rpm-ostree status', deployments which are signed are not correctly identified as such.  

The UI for 'rpm-ostree status' requires 'gpg-verify=true' to be configured in the remote config (which is not on by default for RHEL AH composes), but even when this is correctly enabled, the UI does not correctly display the status of the signatures.

The workaround is to restart the 'rpm-ostreed' service after modifying the remote config to show the signature status.



-bash-4.2# grep gpg-verify /etc/ostree/remotes.d/redhat.conf
gpg-verify = false

-bash-4.2# rpm-ostree status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-20 19:26:11)
        Commit: 80347b0dce3dc86ad66e559b98b26013480a945bd7e36295bd8757533d540ee9
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.4 (2016-05-06 05:57:30)
        Commit: b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)

-bash-4.2# ostree show 80347b0dce3dc86ad66e559b98b26013480a945bd7e36295bd8757533d540ee9
commit 80347b0dce3dc86ad66e559b98b26013480a945bd7e36295bd8757533d540ee9
Date:  2016-07-20 19:26:11 +0000
Version: 7.2.6
(no subject)

Found 1 signature:

  Signature made Wed 20 Jul 2016 07:27:58 PM UTC using RSA key ID 938A80CAF21541EB
  Good signature from "Red Hat, Inc. <security@redhat.com>"

-bash-4.2# ostree show b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c
commit b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c
Date:  2016-05-06 05:57:30 +0000
Version: 7.2.4
(no subject)

Found 1 signature:

  Signature made Fri 06 May 2016 06:13:16 AM UTC using RSA key ID 199E2F91FD431D51
  Good signature from "Red Hat, Inc. <security@redhat.com>"

-bash-4.2# vi /etc/ostree/remotes.d/redhat.conf
-bash-4.2# grep gpg-verify /etc/ostree/remotes.d/redhat.conf
gpg-verify = true

-bash-4.2# rpm-ostree status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-20 19:26:11)
        Commit: 80347b0dce3dc86ad66e559b98b26013480a945bd7e36295bd8757533d540ee9
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.4 (2016-05-06 05:57:30)
        Commit: b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)

-bash-4.2# systemctl restart rpm-ostreed
-bash-4.2# rpm-ostree status 
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-20 19:26:11)
        Commit: 80347b0dce3dc86ad66e559b98b26013480a945bd7e36295bd8757533d540ee9
        OSName: rhel-atomic-host
  GPGSignature: 1 signature
                Signature made Wed 20 Jul 2016 07:27:58 PM UTC using RSA key ID 938A80CAF21541EB
                Good signature from "Red Hat, Inc. <security@redhat.com>"

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.4 (2016-05-06 05:57:30)
        Commit: b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c
        OSName: rhel-atomic-host
  GPGSignature: 1 signature
                Signature made Fri 06 May 2016 06:13:16 AM UTC using RSA key ID 199E2F91FD431D51
                Good signature from "Red Hat, Inc. <security@redhat.com>"
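
Added example (not part of the original report and not rpm-ostree project code): shell helpers that automate the checks done by hand above, listing remotes whose config does not enable gpg-verify and finding deployments that 'rpm-ostree status' labels (unsigned) although 'ostree show' reports a good signature. The function names, the OSTREE_SHOW override and the sample input are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the bug report. Function names and OSTREE_SHOW are
# hypothetical; the sample input is constructed, shaped like the output above.

# Print "name<TAB>value" for each remote whose gpg-verify is not true.
remotes_without_gpg_verify() {
    awk '
        function report() { if (name != "" && val != "true" && val != "1") print name "\t" val }
        /^\[/ { report(); name = "" }
        /^\[remote "/ { name = $0; gsub(/^\[remote "|"\].*$/, "", name); val = "unset" }
        /^[ \t]*gpg-verify[ \t]*=/ { val = $0; gsub(/^[^=]*=[ \t]*|[ \t]+$/, "", val) }
        END { report() }
    ' "$@"
}

# Read 'rpm-ostree status' output on stdin; print commits shown as (unsigned).
unsigned_deployments() {
    awk '$1 == "Commit:" { c = $2 }
         $1 == "GPGSignature:" && $2 == "(unsigned)" { print c }'
}

# Of those, print the commits 'ostree show' still finds a good signature for:
# gpg-verify is off for the remote, or rpm-ostreed has not reloaded the config.
signed_but_shown_unsigned() {
    unsigned_deployments | while read -r c; do
        if ${OSTREE_SHOW:-ostree show} "$c" </dev/null 2>/dev/null |
               grep -q 'Good signature from'; then
            echo "$c"
        fi
    done
}

# Constructed sample (commit IDs are placeholders, not real commits).
sample_status() {
    cat <<'EOF'
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
        Commit: 1111aaaa
  GPGSignature: (unsigned)
  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
        Commit: 2222bbbb
  GPGSignature: (unsigned)
EOF
}

# Demo on the constructed sample; on a host, pipe 'rpm-ostree status' instead.
sample_status | unsigned_deployments
```

On a host, run remotes_without_gpg_verify /etc/ostree/remotes.d/*.conf and pipe 'rpm-ostree status' into signed_but_shown_unsigned. A commit printed while its remote already has gpg-verify = true matches the stale-daemon case that the report works around by restarting rpm-ostreed.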

Comment 1 Micah Abbott 2016-07-21 20:35:30 UTC
The real solution here is to get 'gpg-verify=true' in the remote config for official RHELAH content.

This is discussed in this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1209159

Comment 3 Micah Abbott 2016-08-01 12:24:31 UTC
Verified in rpm-ostree-client-2016.5-1.atomic.el7.x86_64

Delivered as part of RHELAH 7.2.6


# rpm-ostree status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.6 (2016-07-29 19:54:25)
        Commit: b672bf8a457cb28e003dee20c53749636ef5fce3e4743afe4aaad269d3aaa62a
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.2.5 (2016-06-18 15:21:12)
        Commit: 9bfe1fb65094d43e420490196de0e9aea26b3923f1c18ead557460b83356f058
        OSName: rhel-atomic-host

