RPM gpg key verification failure on install

[joneste]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 5.3.3
• Ruby:
• Distribution: CentOS7.4
• Module version: commit ee41fdc (2/10/18)

How to reproduce (e.g Puppet code you use)

class { 'gitlab':
edition => 'ee',
}

What are you seeing

Here is output showing the error.

Notice: /Stage[main]/Gitlab::Install/Yumrepo[gitlab_official_ee]/ensure: created
Error: Execution of '/bin/yum -d 0 -e 0 -y install gitlab-ee' returned 1: Importing GPG key 0xF27EAB47:
Userid : "GitLab, Inc. support@gitlab.com"
Fingerprint: dbef 8977 4ddb 9eb3 7d9f c3a0 3cfc f9ba f27e ab47
From : https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg

One of the configured repositories failed (Official repository for Gitlab),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=gitlab_official_ee ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable gitlab_official_ee
    or
        subscription-manager repos --disable=gitlab_official_ee

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=gitlab_official_ee.skip_if_unavailable=true

failure: repodata/repomd.xml from gitlab_official_ee: [Errno 256] No more mirrors to try.
https://packages.gitlab.com/gitlab/gitlab-ee/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for gitlab_official_ee
Error: /Stage[main]/Gitlab::Install/Package[gitlab-ee]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/yum -d 0 -e 0 -y install gitlab-ee' returned 1: Importing GPG key 0xF27EAB47:
Userid : "GitLab, Inc. support@gitlab.com"
Fingerprint: dbef 8977 4ddb 9eb3 7d9f c3a0 3cfc f9ba f27e ab47
From : https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg

One of the configured repositories failed (Official repository for Gitlab),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=gitlab_official_ee ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable gitlab_official_ee
    or
        subscription-manager repos --disable=gitlab_official_ee

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=gitlab_official_ee.skip_if_unavailable=true

failure: repodata/repomd.xml from gitlab_official_ee: [Errno 256] No more mirrors to try.
https://packages.gitlab.com/gitlab/gitlab-ee/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for gitlab_official_ee

What behaviour did you expect instead

I expect the gpg keys to be imported and gitlab to be installed.

Output log

Please see above

Any additional information you'd like to impart

I think similar issue was brought up in issue #163. However, the issue was closed.

[LongLiveCHIEF]

Can you try running yum cache clean all and then retry?

[joneste]

Running a clean all did not help. The problem appears to be having the repo_gpgcheck repo file option set to 1. I do not know if this is a recent or temporary issue with the Gitlab repo, but I have always had problems with this setting. Once I changed it to zero, a yum install from the CLI worked fine. I'll check to see if this setting is exposed as a parameter.

[LongLiveCHIEF]

It should be, I think I'm the one who added it. There can be some things in between yum and the package origin that can sometimes cause delays for gpg key matching. Any servers in-between that have caching for example, or expiry settings for metadata. Or it could legitimately be a corrupted source, so you'll want to verify that as well.

…

On Feb 15, 2018 1:17 PM, "joneste" ***@***.***> wrote: Running a clean all did not help. The problem appears to be having the repo_gpgcheck repo file option set to 1. I do not know if this is a recent or temporary issue with the Gitlab repo, but I have always had problems with this setting. Once I changed it to zero, a yum install from the CLI worked fine. I'll check to see if this setting is exposed as a parameter. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#194 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADIVgR5RdBOQdhk8NWfrO-UlEoEa1mKIks5tVILAgaJpZM4SHUIg> .

[joneste]

I believe this issue is a temporary repository issue with gitlab. Therefore, the gitlab module is not at fault.

[bFekete]

@joneste Was this issue ever resolved? I'm currently running into the same exact issued on RHEL 7.

Found the issue. The gpg key had a reference to the CE gpg key.

[LongLiveCHIEF]

This issues is resolved in master but hasn't made an official release yet. I'm prepping the release for today, so keep an eye out to update to the next version when it hits the forge.