[Spacewalk-list] debian repository and Release file

Simon Lukasik slukasik at redhat.com
Mon Jan 21 12:04:09 UTC 2013


On 01/17/2013 02:13 PM, Mgr. Peter Hudec wrote:
> Hi all,
> 
> We are using spacewalk system for debian based systems.
> We want to use the GPG verification of the packages/repository.
> 
> 1) signing repository
> Debian is using Release and Release.gpg files for this purpose. Is there
> any way how to generate these files in spacewalk system? The only
> generated file is right now Packages.
> 
> I haven't found any way how to add this file to the repository manually or
> generate it on the fly.
> 

Hello Peter,

It is true that Packages.gz metadata are not signed by Spacewalk server.
However, I don't understand why that should be a concern.

If your client is configured to use HTTPS, it authenticates the server
based on the server certificate. The server then authenticates the client
based on its system id. The Packages.gz is served only to the clients
after mutual authentication. The same applies for each deb or rpm
package served from Spacewalk to client.

So, I fail to see the problem that you are trying to solve with signed
Packages.gz.

-- 
Simon Lukasik
Security Technologies
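
For reference, the Release mechanism asked about in the quoted question, as an added example that is not part of the original thread and not Spacewalk code: a Release file lists the size and SHA256 of Packages and Packages.gz, and a client re-checks the index files against it. The suite name and the sample stanza are constructed; producing Release.gpg (a detached GPG signature over the Release text) is not performed here.

```python
import gzip
import hashlib
import os
import tempfile

INDEX_FILES = ("Packages", "Packages.gz")  # indexes the Release file vouches for

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def build_release(repo_dir, suite="constructed-suite"):
    """Return Release text with size and SHA256 of each index file present."""
    lines = [f"Suite: {suite}", "SHA256:"]
    for name in INDEX_FILES:
        path = os.path.join(repo_dir, name)
        if os.path.isfile(path):
            data = _read(path)
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def verify_release(release_text, repo_dir):
    """Return listed files that are missing or whose size or hash differ."""
    bad, in_section = [], False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"  # a field header opens/closes the section
        elif in_section:
            digest, size, name = line.split()
            path = os.path.join(repo_dir, name)
            data = _read(path) if os.path.isfile(path) else None
            if data is None or len(data) != int(size) \
                    or hashlib.sha256(data).hexdigest() != digest:
                bad.append(name)
    return bad

def demo():
    """Constructed repo: build Release, verify, then alter Packages and re-verify."""
    with tempfile.TemporaryDirectory() as repo:
        stanza = b"Package: example\nVersion: 1.0\n\n"  # constructed sample stanza
        with open(os.path.join(repo, "Packages"), "wb") as fh:
            fh.write(stanza)
        with gzip.open(os.path.join(repo, "Packages.gz"), "wb") as fh:
            fh.write(stanza)
        release = build_release(repo)
        clean = verify_release(release, repo)
        with open(os.path.join(repo, "Packages"), "ab") as fh:
            fh.write(b"Package: extra\n\n")  # index changed after Release was built
        return clean, verify_release(release, repo)
```

The check is independent of how the files were transported: it compares the index files on disk with what the Release text recorded when it was built.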
