yum repo gpg signature file missing

[Jason Pyeron]

The repository GGP .asc file(s) are missing.

# curl -v http://pkg.jenkins.io/redhat/repodata/repomd.xml.asc -L
* About to connect() to pkg.jenkins.io port 80 (#0)
* Trying 151.101.66.133... connected
* Connected to pkg.jenkins.io (151.101.66.133) port 80 (#0)
> GET /redhat/repodata/repomd.xml.asc HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: pkg.jenkins.io
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: Varnish
< Retry-After: 0
< Location: https://pkg.jenkins.io/redhat/repodata/repomd.xml.asc
< Content-Length: 0
< Accept-Ranges: bytes
< Date: Thu, 21 May 2020 14:19:12 GMT
< Via: 1.1 varnish
< Connection: close
< X-Served-By: cache-dca17762-DCA
< X-Cache: HIT
< X-Cache-Hits: 0
< X-Timer: S1590070752.250345,VS0,VE0
< Strict-Transport-Security: max-age=300
<
* Closing connection #0
* Issue another request to this URL: 'https://pkg.jenkins.io/redhat/repodata/repomd.xml.asc'
* About to connect() to pkg.jenkins.io port 443 (#0)
* Trying 151.101.2.133... connected
* Connected to pkg.jenkins.io (151.101.2.133) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=pkg.jenkins.io
* start date: Apr 22 12:02:54 2020 GMT
* expire date: Jul 21 12:02:54 2020 GMT
* common name: pkg.jenkins.io
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /redhat/repodata/repomd.xml.asc HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: pkg.jenkins.io
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Connection: keep-alive
< Content-Length: 228
< Server: Apache/2.4.29 (Ubuntu)
< Content-Type: text/html; charset=iso-8859-1
< Accept-Ranges: bytes
< Date: Thu, 21 May 2020 14:19:12 GMT
< Via: 1.1 varnish
< Age: 0
< X-Served-By: cache-dca17757-DCA
< X-Cache: MISS
< X-Cache-Hits: 0
< X-Timer: S1590070752.409173,VS0,VE8
< Strict-Transport-Security: max-age=300
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /redhat/repodata/repomd.xml.asc was not found on this server.</p>
</body></html>
* Connection #0 to host pkg.jenkins.io left intact
* Closing connection #0


--
Jason Pyeron | Architect
PD Inc |
10 w 24th St |
Baltimore, MD |

.mil: jason.j.p...@mail.mil
.com: jpy...@pdinc.us
tel : 202-741-9397

[Mark Waite]

Thanks for letting us know.  I'm investigating now.

[Mark Waite]

I confirm that I don't see it there, but I am not sure it has ever been there.

I just performed an install of Jenkins 2.237 on a CentOS 7 system following the instructions at https://www.jenkins.io/doc/book/installing/#red-hat-centos and it ran without issue.  The automated tests which check for install on various operating systems all pass on Jenkins 2.237 as well.  That probably means more tests are needed to detect this case.

What's the failure that you're seeing due to the missing 'asc' file?

Mark Waite

[Jason Pyeron]

This is depending on the OS installation choices, security choices, etc…

 

failure: repodata/repomd.xml.asc from jenkins: [Errno 256] No more mirrors to try.

https://pkg.jenkins.io/redhat/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

 

Based on how Jenkins is delivering the yum repo these are how the repo files should be delivered:

 

https://pkg.jenkins.io/redhat-stable/jenkins.repo:

[jenkins-stable]

name=Jenkins-stable

baseurl=https://pkg.jenkins.io/redhat-stable

gpgcheck=1

repo_gpgcheck=0

gpgkey=https://pkg.jenkins.io/redhat-stable/jenkins.io.key

 

and

https://pkg.jenkins.io/redhat/jenkins.repo:

[jenkins]

name=Jenkins

baseurl=https://pkg.jenkins.io/redhat

gpgcheck=1

repo_gpgcheck=0

gpgkey=https://pkg.jenkins.io/redhat/jenkins.io.key

 

I highlighted the changed portions. If those are changed accordingly, the problem should be moot.

 

But having the repo GPG signed is a good thing.

 

 

v/r,

 

Jason Pyeron

 

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5a8a2b6e-740f-4afb-b9d2-4d0db2e810da%40googlegroups.com.

[Mark Waite]

Thanks.  I think I understand all the changes except the change from [jenkins] to [jenkins-stable] in the redhat-stable repository.

Won't that risk that some installed systems will think that they now have a new repository source named "jenkins-stable" that is different than the "jenkins" that they had before that change?

I had assumed that the name "[jenkins]" was one way of requiring that a system choose either Jenkins LTS or Jenkins Weekly, without choosing both Jenkins LTS and Jenkins Weekly.  The usual caveat applies.  I am not expert in Red Hat package management.  I just want to do the best thing for Jenkins users.

Mark Waite

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/0a2c01d62f96%240a8e34e0%241faa9ea0%24%40pdinc.us.

[Jason Pyeron]

Well on systems where both repos exist, there is a conflict in name.

 

Think of it this way…

 

Jenkins enabled=0

Jenkins-stable enabled=1

 

Happily auto updating…..

 

Oh no, there is an issue – the fix is in Jenkins v.x.y.z, stable is not there yet.

 

yum –enablerepo=jenkins update

 

@phew, now we have this bleeding edge fix, when the stable repo has a newer version # it will get upgraded.

 

 

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGOwr%3Dao5XMcpdjZE-FNV2qg594Ssv9KCrf_Wc6GODQqw%40mail.gmail.com.

[Mark Waite]

I'm less concerned about the affect on systems which have both repos enabled, since I expect that to be very few.

I'm concerned that change the string inside the square brackets from "jenkins" to "jenkins-stable" may cause systems that previously had one yum repository for Jenkins to be confused and think they have two.  If you can confirm that confusion won't happen, then I don't object to the change.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/0ad601d62fbc%24792763b0%246b762b10%24%40pdinc.us.

[Jason Pyeron]

That file is only used when setting up the yum repository the first time. Your change will not change anyone’s file configured in the past. So no your change will not break anyone.

 

The changes will only be seen by those newly following the instructions at https://pkg.jenkins.io/redhat/ or at https://pkg.jenkins.io/redhat-stable/ .

 

For that fact, it is important that each repository section has a unique name, without that things could get weird at best or just not work.

 

v/r,

 

Jason

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGD3LpkhiPub-1SKYsmSkCWjbVhVFfG%2B1Ttab3nuggA8g%40mail.gmail.com.

[Mark Waite]

Thanks for the clarification.  I've submitted JENKINS-62400 to track it.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/0aff01d62fc1%2495a54c00%24c0efe400%24%40pdinc.us.