[Spacewalk-list] Spacewalk/RPM Key Management: [Was: spacewalk 1.3 - python-ethtool package being a problem within kickstart.]

John Hodrien J.H.Hodrien at leeds.ac.uk
Fri May 20 09:01:13 UTC 2011


On Thu, 19 May 2011, Mark Watts wrote:

> Personally I deal with this by not only loading the keys into Spacewalk
> so they get deployed with the kickstart, but adding them to
> /var/www/html/pub/ so I can rpm --import them directly from the server
> (although rpm uses wget which doesn't trust the Spacewalk CA cert so you
> have to use http:// !)

cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/tls/certs
cacertdir_rehash /etc/pki/tls/certs/

Now wget will be happy.  Curl seems to not bother going through that directory
and just looks at the ca-bundle.crt, so just cat it to the end of that and
curl's happy too.

> Musing on this, I wonder if the answer is to get Spacewalk maintain an
> rpm within which all of your keys are stored. Of course you still have
> the problem of what keys to use to sign that rpm, and how to manage those...

Install in the first place with at least your own GPG key included.  Then you
can have a package with triggers to install whatever keys you like, that you
could update on the systems.  So yes, I don't see why that idea can't work.
Surely everybody already has at least one GPG key of their own?

Personally I stick with just a CentOS key and my own key.  Any package that
gets imported from elsewhere gets resigned before it gets imported.  But I can
see why others would want multiple keys.

jh
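The two trust-store steps above (copying the CA into the hashed certs directory and rehashing it for wget, versus appending it to ca-bundle.crt for curl) can be checked in a scratch directory before touching a real client. The script below is an added example, not part of the original thread: it builds a throwaway CA and server certificate with the openssl CLI as stand-ins for RHN-ORG-TRUSTED-SSL-CERT and the Spacewalk httpd certificate, then shows that a bare copy into a CApath directory fails, that the rehashed directory works, and that a single bundle file works. It assumes only that openssl is installed; every path and name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message). All names and paths are
# constructed stand-ins; only the openssl CLI is assumed to exist.
set -eu

# Build a throwaway CA plus a server cert signed by it. A minimal req config is
# written inline so the result does not depend on the system openssl.cnf.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Spacewalk CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:spacewalk.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=spacewalk.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/req.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# Equivalent of: cp CERT /etc/pki/tls/certs && cacertdir_rehash /etc/pki/tls/certs
# A CApath lookup finds the issuer through a <subject_hash>.N link, not by file
# name, which is why the copy alone is not enough.
install_hashed() {
    cert=$1; certdir=$2
    mkdir -p "$certdir"
    cp "$cert" "$certdir/"
    h=$(openssl x509 -noout -subject_hash -in "$cert")
    ln -sf "$(basename "$cert")" "$certdir/$h.0"
}

# Equivalent of appending the CA to ca-bundle.crt for tools that read one file.
append_to_bundle() {
    cert=$1; bundle=$2
    mkdir -p "$(dirname "$bundle")"
    cat "$cert" >> "$bundle"
}

# Exit 0 if the server cert chains to a CA found via the hashed directory
# (the lookup that OpenSSL-based wget performs), non-zero otherwise.
verify_via_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Exit 0 if it chains to a CA in the single bundle file (what curl reads).
verify_via_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run all three cases in a scratch tree and print one summary line.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/catrust.XXXXXX")
    make_test_pki "$work/pki"
    # 1. Copy only, no rehash: CApath lookup cannot find the issuer.
    mkdir -p "$work/certs-unhashed"; cp "$work/pki/ca.crt" "$work/certs-unhashed/"
    if verify_via_capath "$work/certs-unhashed" "$work/pki/server.crt"; then r1=OK; else r1=FAIL; fi
    # 2. Copy plus rehash, as in the message: lookup succeeds.
    install_hashed "$work/pki/ca.crt" "$work/certs-hashed"
    if verify_via_capath "$work/certs-hashed" "$work/pki/server.crt"; then r2=OK; else r2=FAIL; fi
    # 3. Appended to a bundle file: CAfile lookup succeeds.
    append_to_bundle "$work/pki/ca.crt" "$work/ca-bundle.crt"
    if verify_via_cafile "$work/ca-bundle.crt" "$work/pki/server.crt"; then r3=OK; else r3=FAIL; fi
    rm -rf "$work"
    echo "copy-only CApath=$r1 rehashed CApath=$r2 bundle CAfile=$r3"
}
```

Run `demo` to see the three results side by side; the first case is the one that bites when the rehash step is forgotten, and a client in that state will still fall back to http:// unless the hash link is present.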
