[Spacewalk-list] using api to determine package signing key

Maria maria at purplecoffee.com
Mon Jun 10 14:58:03 UTC 2013


On Jun 6, 2013, at 8:28 AM, Jan Hutař <jhutar at redhat.com> wrote:

> On Thu, 6 Jun 2013 13:40:45 +0200 Jan Hutař <jhutar at redhat.com>
> wrote:
> 
>> On Mon, 3 Jun 2013 17:04:48 -0400 Maria
>> <maria at purplecoffee.com> wrote:
>> 
>>> Hi,
>>> 
>>> I have written an api script to look for packages in channels
>>> where they do not belong, using various different tests. One
>>> thing that would be useful would be to compare the channel
>>> gpg key with the key used to sign the package. However, I
>>> can't see how to use the api to get the information of what
>>> key was used to sign a package.  Can someone point me in the
>>> right direction for that?
>>> 
>>> Thanks,
>>> Maria
>> 
>> Hello,
>> yes, this is a known lack of functionality. You might report it
>> as an RFE bugzilla.
> 
> Sorry, this was meant for another thread.
> 
> Is packages.getDetails(key, package_id) -> vendor what you want?
> 
> Also packages.provider.associateKey(...) might be needed.
> 
> But maybe there is an easier solution?
> 
> Regards,
> Jan

packages.getDetails(key, package_id) -> vendor isn't reliable for this test. Sometimes it does point to the same provider as the key used to sign the package, but sometimes it points to someone else (e.g. Fujitsu). It creates false positives, and it also misses situations where the signing key is different but has the same provider.

When I use the web interface, such as /rhn/channels/ChannelPackages.do, I see pages where the key used to sign the package is used to determine the content provider. I don't see how to do that with the api. Additionally, I want the key itself, not the provider that owns it.

Thanks,
Maria



