[Spacewalk-list] automatically adding GPG keys to a host

Frank Mikkelsen Blohmé frank.mikkelsen.blohme at axis.com
Wed Dec 12 08:59:14 UTC 2012


Could it be that you should also import the GPG key files on the host when installing the RPM? Only dropping GPG files in a directory isn't enough for the host to use them; you should add to the RPM SPEC file that the host installing the RPM should run rpm --import <GPG file> for every GPG file you drop in there.

Best regards

Frank Mikkelsen Blohmé
Axis Communications AB - IT Group
Sweden, Lund

From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Snyder, Chris
Sent: 10 December 2012 22:30
To: Spacewalk-list at redhat.com
Subject: [Spacewalk-list] automatically adding GPG keys to a host

I want to be able to take a host that is already registered to Spacewalk and add a new software channel to it and then have the related GPG key automatically installed on the host. I'd really like this to NOT involve any human interaction at all, but it always seems to involve a human having to add the GPG key to the host manually somehow.

Here's what I'm currently trying:

I've got an (unsigned) RPM which drops various GPG keys into /etc/pki/rpm-gpg on my hosts.  (This seemed the simplest way to be able to add/update keys in the future on my hosts, but I'm not glued to this idea.) Next, I configured my Spacewalk software channels to use the GPG keys from that RPM, setting location as 'file:///etc/pki/rpm-gpg/blah....'.   Once I enable this software channel for a host, I would expect that when I push packages to my host from Spacewalk, the needed channel GPG key would automatically be added to the RPM keyring on the host.   That doesn't seem to be happening.  After scheduling some package to be installed on the host,  I run 'rhn_check -vv' (on the host) and I see the following error:

D: keyurl = file:///etc/pki/rpm-gpg/<RPM KEY FILE>, isn't a known Red Hat key, so this will not be imported.  Manually import this key or set gpgcheck=0 in the RHN yum plugin configuration file

(This tells me that it is finding the correct GPG file as configured in the software channel, but it just doesn't like my key because I'm not Red Hat.)

I don't want to reconfigure my hosts to disable gpgcheck, and I can't find any way through Spacewalk to do the equivalent of 'yum -y' (to auto-accept the key when prompted), so unless I'm really doing something wrong here, it doesn't look like I can simply add a host to a software channel and start pushing packages until a human goes to the host and either runs 'rpm --import <gpg file>' or some variation on 'yum -y install <some package from target channel>'.

Help?

--
Chris Snyder
SRA Senior Linux Geek
Energystar Network O+M Team
ESTAR Issues: https://estar18.energystar.gov/

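The reply's suggestion (have the key-carrying RPM run rpm --import for each key it drops) could look like the following %post scriptlet body. This is an added example, not code from either poster or from Spacewalk. The names KEY_DIR, PINNED_SHA256, RPM_IMPORT and import_channel_keys are hypothetical, and the digest pin is an addition beyond the thread: it limits the import to the key files the packager listed at build time instead of trusting everything found in the directory.

```shell
#!/bin/sh
# Body for the %post section of the RPM that ships the key files (added example).
# Assumptions: keys are dropped into /etc/pki/rpm-gpg, and PINNED_SHA256 is a
# space-separated list of the key files' SHA-256 digests, filled in by the
# packager at build time (empty here, so nothing is imported until it is set).

KEY_DIR="${KEY_DIR:-/etc/pki/rpm-gpg}"
PINNED_SHA256="${PINNED_SHA256:-}"
RPM_IMPORT="${RPM_IMPORT:-rpm --import}"   # overridable for a dry run

# Imports every pinned, armored public key in KEY_DIR into the RPM keyring
# and prints the number of keys imported.
import_channel_keys() {
    imported=0
    for key in "$KEY_DIR"/*; do
        # Skip an unexpanded glob, symlinks and anything that is not a regular file.
        [ -f "$key" ] && [ ! -L "$key" ] || continue
        # The file must at least look like an ASCII-armored public key.
        grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$key" || {
            echo "skip $key: not an armored public key" >&2; continue; }
        # Only import files whose digest the packager pinned.
        digest=$(sha256sum "$key" | cut -d' ' -f1)
        case " $PINNED_SHA256 " in
            *" $digest "*) ;;
            *) echo "skip $key: digest not pinned" >&2; continue ;;
        esac
        # Send any tool output to stderr so stdout carries only the count.
        $RPM_IMPORT "$key" >&2 || { echo "import failed: $key" >&2; continue; }
        imported=$((imported + 1))
    done
    echo "$imported"
}

# In the spec file, end the %post section with:
#   import_channel_keys >/dev/null
```

Once the scriptlet has run, the key is already in the RPM keyring when rhn_check installs packages from the channel, so gpgcheck can stay enabled.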