<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html> <head> <meta name="Generator" content="Zarafa WebAccess v7.0.1-28479"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>RE: [Spacewalk-list] Resign Packages</title> <style type="text/css"> body { font-family: Arial, Verdana, Sans-Serif ! important; font-size: 12px; padding: 5px 5px 5px 5px; margin: 0px; border-style: none; background-color: #ffffff; } p, ul, li { margin-top: 0px; margin-bottom: 0px; } </style> </head> <body> Hi, Before loading packages into spacewalk I resign my packages with the GPG key I created for the base channel. This works fine to me, but of course will not work when chennel gets loaded with (a remote) repository sync. To do latter, setup a local repository and arrange it that when a new downloaded packages arrivés it gets resigned before it gets loaded into spacewalk. A simple rpm -resign is sufficient (GPG key has been setup by a .rpmmacros file). Rick <blockquote style="padding-left: 5px; margin-left: 5px; border-left: #325fba 2px solid">-----Oorspronkelijk bericht----- Aan: spacewalk-list@redhat.com; Van: Frank Paulick <frank.paulick@baaderbank.de> Verzonden: vr 15-11-2013 13:28 Onderwerp: Re: [Spacewalk-list] Resign Packages are the any plans to extend the spacewalk-repo-sync functionality with resigning incoming packages with supplied own GPG Key ? on the other hand, does no one use own Keys for all files in spacewalk ? Regards Frank On 11/14/2013 01:55 PM, Milan Zázrivec wrote: > On Thursday 14 November 2013 10:59:39 Frank Paulick wrote: >> this works for 1 or 2 packages. >> i would like to resign all packages already imported in my spacewalk >> server (~30000 Packages) >> at best without resyncing them from the external repositories >> as far as i know there is also no way to resign packages imported by >> using "spacewalk-repo-sync" >> >> to summarize, how can i resign all packages for a local spacewalk server >> with my own key ? > Re-sign all rpms on your /var/satellite and somehow make Spacewalk > automatically pick up (i.e. recompute checksums, re-generate repodata) > the newly signed content? I'm afraid that's not possible. > > By re-signing the package, you effectively changed it (its checksum and > signature anyway). At this point, your Spacewalk won't do anything. And yes, > yum on the client side will report checksum mismatches, b/c that's what > happened, right? You wouldn't want someone to alter the package content > and expect your Spacewalk to act like it's okay, would you? > > So if you trust the new (re-signed) rpms, you need to re-push / re-sync them > to your Spacewalk channels. This needs to be a deliberate action, same way > re-signing the rpms was a deliberate action. > > This of course can be automated with API & rhnpush: you will simply have > a list of packages that you need to re-push, delete the old one (using API) > and re-push it into its channel(s) using rhnpush. > > -MZ > >> On 11/14/2013 10:51 AM, Milan Zázrivec wrote: >>> On Thursday 14 November 2013 10:48:26 Frank Paulick wrote: >>>> Hi, >>>> >>>> is there a way/procedure to resign already in spacewalk imported rpm >>>> packages with a new key? >>>> >>>> when doing a "rpm --resign" on an rpm package laying in /var/satellite , >>>> the client can't download the package afterwards anymore. >>>> it quits with the message >>>> >>>> error was [Errno -1] Package does not match intended download >>>> >>>> the suggested "yum clean metadata" did not help >>>> >>>> as far as i can see because of the resign the rpm package has changed >>>> and spacewalk doesn't yet know about it. >>>> if i'm right with this, how can i get spacewalk to update it's >>>> information on the package ? >>> Delete it & re-push the package again. >>> >>> -MZ >>> >>> _______________________________________________ >>> Spacewalk-list mailing list >>> Spacewalk-list@redhat.com >>> https://www.redhat.com/mailman/listinfo/spacewalk-list > > _______________________________________________ > Spacewalk-list mailing list > Spacewalk-list@redhat.com > https://www.redhat.com/mailman/listinfo/spacewalk-list -- beste Grüße, Frank Paulick Baader Bank AG Weihenstephaner Str. 4 85716 Unterschleißheim Deutschland Telefon: +49-89/5150-1522 Telefax: +49-89/5150-2421 Email: frank.paulick@baaderbank.de Internet: http://www.baaderbank.de http://www.bondboard.de ****************************************************************************************************** Baader Bank AG: Vorstand: Uto Baader (Vors.), Nico Baader, Dieter Brichmann, Dieter Silmen; Vorsitzender des Aufsichtsrates: Dr. Horst Schiessl; Amtsgericht München HRB 121537; Sitz der Gesellschaft: Unterschleissheim; StNr. 143/100/10066; USt-IdNr. DE114123893. ****************************************************************************************************** Diese Email enthält vertrauliche Informationen. Sollten Sie diese Email irrtümlich erhalten, machen wir Sie darauf aufmerksam, dass jegliche Verwendung strikt untersagt ist. Bitte informieren Sie uns gegebenenfalls unverzüglich und vernichten Sie das Original. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Email ist nicht gestattet. Wir haben alle verkehrsüblichen Maßnahmen unternommen, um das Risiko der Verbreitung virenbefallener Software oder Emails zu minimieren, dennoch raten wir Ihnen, Ihre eigenen Virenkontrollen auf alle Anhänge an dieser Nachricht durchzuführen. Wir schließen außer für den Fall von Vorsatz die Haftung für jeglichen Verlust oder Schäden durch virenbefallene Software oder Emails aus. _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com https://www.redhat.com/mailman/listinfo/spacewalk-list </blockquote> </body> </html>