[Spacewalk-list] Resign Packages

Michael Mraka michael.mraka at redhat.com
Fri Nov 15 13:28:59 UTC 2013


Hi Frank,

% are there any plans to extend the spacewalk-repo-sync functionality
% with resigning incoming packages with supplied own GPG Key ?

No, it isn't on our roadmap.
 
% on the other hand, does no one use own Keys for all files in spacewalk ?

The most common usage is to sync already signed packages and verify them
using the original vendor's key, and for the local packages, to sign them
before uploading to spacewalk.

% Regards
% Frank
% 
% 
% >>this works for 1 or 2 packages.
% >>i would like to resign all packages already imported in my spacewalk
% >>server (~30000 Packages)
% >>at best without resyncing them from the external repositories
% >>as far as i know there is also no way to resign packages imported by
% >>using "spacewalk-repo-sync"
% >>
% >>to summarize, how can i resign all packages for a local spacewalk server
% >>with my own key ?
% >Re-sign all rpms on your /var/satellite and somehow make Spacewalk
% >automatically pick up (i.e. recompute checksums, re-generate repodata)
% >the newly signed content? I'm afraid that's not possible.
% >
% >By re-signing the package, you effectively changed it (its checksum and
% >signature anyway). At this point, your Spacewalk won't do anything. And yes,
% >yum on the client side will report checksum mismatches, b/c that's what
% >happened, right? You wouldn't want someone to alter the package content
% >and expect your Spacewalk to act like it's okay, would you?
% >
% >So if you trust the new (re-signed) rpms, you need to re-push / re-sync them
% >to your Spacewalk channels. This needs to be a deliberate action, same way
% >re-signing the rpms was a deliberate action.
% >
% >This of course can be automated with API & rhnpush: you will simply have
% >a list of packages that you need to re-push, delete the old one (using API)
% >and re-push it into its channel(s) using rhnpush.
% >
% >-MZ
% >
% >>>>Hi,
% >>>>
% >>>>is there a way/procedure to resign already in spacewalk imported rpm
% >>>>packages with a new key?
% >>>>
% >>>>when doing a "rpm --resign" on an rpm package lying in /var/satellite ,
% >>>>the client can't download the package afterwards anymore.
% >>>>it quits with the message
% >>>>
% >>>>error was [Errno -1] Package does not match intended download
% >>>>
% >>>>the suggested "yum clean metadata" did not help
% >>>>
% >>>>as far as i can see because of the resign the rpm package has changed
% >>>>and spacewalk doesn't yet know about it.
% >>>>if i'm right with this, how can i get spacewalk to update its
% >>>>information on the package ?
% >>>Delete it & re-push the package again.
% >>>
% >>>-MZ
% 
% -- 
% beste Grüße,
% Frank Paulick

--
Michael Mráka
Satellite Engineering, Red Hat
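
The thread's point that re-signing changes a package's checksum, so the server's recorded value no longer matches the file, can be turned into a list of packages to delete and re-push. The following is an added example, not code from the thread or from Spacewalk; the manifest format, function names and sample file contents are constructed for illustration, and the actual delete (API) and rhnpush steps are not shown.

```python
import hashlib
import os
import tempfile


def sha256_file(path, bufsize=1 << 20):
    """Stream a file through SHA-256 so large RPMs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan_repush(recorded, root):
    """Compare recorded checksums with the files on disk.

    recorded: {relative path: sha256 hex digest noted at import time}
    Returns (changed, missing); 'changed' is the delete-and-re-push list.
    """
    changed, missing = [], []
    for rel, expected in sorted(recorded.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != expected:
            changed.append(rel)
    return changed, missing


def demo():
    """Constructed sample: three fake 'packages', one re-signed, one deleted."""
    files = {
        "alpha-1.0-1.noarch.rpm": b"lead|sig:vendor-key|payload-alpha",
        "beta-2.3-4.noarch.rpm": b"lead|sig:vendor-key|payload-beta",
        "gamma-0.9-2.noarch.rpm": b"lead|sig:vendor-key|payload-gamma",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        recorded = {name: sha256_file(os.path.join(root, name)) for name in files}
        # Simulate a re-sign: only the signature bytes change, payload is identical.
        with open(os.path.join(root, "alpha-1.0-1.noarch.rpm"), "wb") as fh:
            fh.write(b"lead|sig:local-key|payload-alpha")
        os.remove(os.path.join(root, "gamma-0.9-2.noarch.rpm"))
        return plan_repush(recorded, root)


if __name__ == "__main__":
    print(demo())
```

Any file reported as changed that was not deliberately re-signed should be treated as an integrity failure rather than re-pushed.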



