[Spacewalk-list] debian repository and Release file

Mgr. Peter Hudec peter.hudec at swan.sk
Mon Jan 21 12:46:45 UTC 2013


Hello Simon,

We need to implement a secure way of installing the packages.
All packages in the Spacewalk repo must be trusted. We tried to set up 
SecureApt and therefore I was looking for Packages.gz, Release and 
Release.gpg.
It should not be a big deal to implement this in the Spacewalk server and 
client parts.

After some tests we chose the second way, to sign the debs. It's much 
more secure and it fulfils our needs without touching Spacewalk code.

Right now there are 2 signatures needed /origin, maintainer/ to install a DEB 
from any repository. So nobody could fake a DEB and put it into the repo. 
SecureApt did not solve this problem ..

	best regards
		Peter

On 1/21/13 1:04 PM, Simon Lukasik wrote:
> On 01/17/2013 02:13 PM, Mgr. Peter Hudec wrote:
>> Hi all,
>>
>> We are using spacewalk system for debian based systems.
>> We want to use the GPG verification of the packages/repository.
>>
>> 1) signing repository
>> Debian is using Release and Release.gpg files for this purpose. Is there
>> any way to generate these files in the Spacewalk system? The only
>> generated file right now is Packages.
>>
>> I haven't found any way to add this file to the repository manually or
>> generate it on the fly.
>>
>
> Hello Peter,
>
> It is true that Packages.gz metadata are not signed by Spacewalk server.
> However, I don't understand why that should be a concern.
>
> If your client is configured to use HTTPS, it authenticates the server
> based on the server certificate. The server then authenticates the client
> based on its system id. The Packages.gz is served only to the clients
> after mutual authentication. The same applies for each deb or rpm
> package served from Spacewalk to the client.
>
> So, I fail to see the problem that you are trying to solve with signed
> Packages.gz.
>
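The SecureApt chain discussed in this thread (Release.gpg signs Release, Release lists the digest of Packages, Packages lists the digest of each .deb) as an added example, not code from the thread or from Spacewalk. It assumes the Release.gpg signature has already been checked with gpg and uses a constructed Release file, Packages index and .deb body; the functions show what that one signature actually protects and how a tampered index or package is caught.

```python
import hashlib

# Constructed sample data (not real packages): a .deb body, the Packages
# stanza describing it, and a Release file vouching for the Packages index.
DEB_BYTES = b"!<arch>\nconstructed .deb placeholder\n"
DEB_NAME = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
PACKAGES = (
    "Package: example-tool\nVersion: 1.0-1\n"
    f"Filename: {DEB_NAME}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES):>8} {INDEX_PATH}\n"
)


def parse_release(text):
    """Map each index path listed under the SHA256: header to (hexdigest, size)."""
    digests, in_sha256 = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # a new header line ends any hash block
            in_sha256 = line.rstrip() == "SHA256:"
            continue
        if in_sha256:
            hexdigest, size, path = line.split()
            digests[path] = (hexdigest, int(size))
    return digests


def parse_packages(data):
    """Split a Packages index into stanzas of {field: value}."""
    return [
        dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        for block in data.decode().strip().split("\n\n")
    ]


def digest_matches(expected_hex, expected_size, data):
    """Both size and SHA-256 must agree, as apt requires."""
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_hex


def check_chain(release_text, index_path, index_bytes, deb_filename, deb_bytes):
    """True only if Release vouches for the index and the index vouches for the .deb."""
    digests = parse_release(release_text)
    if index_path not in digests or not digest_matches(*digests[index_path], index_bytes):
        return False                          # index not listed or modified after signing
    for stanza in parse_packages(index_bytes):
        if stanza.get("Filename") == deb_filename:
            return digest_matches(stanza["SHA256"], int(stanza["Size"]), deb_bytes)
    return False                              # package not present in the signed index
```

Note that a per-package signature scheme such as the origin/maintainer signatures Peter describes checks the .deb itself instead of this index chain, so the two approaches detect different tampering points.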