[Spacewalk-list] Effective management of RPM GPG keys

Stanislav Zidek zidek at kajot.cz
Wed Feb 26 11:49:28 UTC 2014


Hi everybody,

we are using Spacewalk 2.0 in our company and it is really amazing,
thanks for your hard work.

Recently, I was thinking about ways to centrally manage GPG keys which
sign RPM packages. I am aware of the possibility to import them during
the kickstart of newly installed machines, which I do, but since I
occasionally add new subchannels with new repositories and subscribe
existing clients to them, I would be glad for a way to manage it centrally.

Specifying and using GPG files specified on a per-channel basis seems to
me the most convenient way (since Spacewalk allows you to specify a GPG
key in channel properties). I searched this mailing list and found a
relevant post that says: "for spacewalk channel yum will automatically
import only keys from file:///etc/pki/rpm-gpg for security r[a]esons".
According to my test, it is true (if I run "yum install -y <package>",
it works on a client without the corresponding GPG key IF the key is
specified in channel properties and it is located in /etc/pki/rpm-gpg on
the client machine).

However, this procedure fails with message:

Client execution returned "Error while executing packages action:
Refusing to automatically import keys when running unattended. [[6]]"
(code -1)

if I try to install the package from the web interface (System -> select ->
Software -> Packages -> Install).

Is this the supposed behaviour? Am I missing something?

S.

-- 
Stanislav Židek
Security Consultant/Analyst

Technical Department, On-line Systems
Section - Security
C.S.G. Software Group Limited
branch office
Kaštanová 64, 620 00 BRNO, CZ
IČ:27741362 DIČ:CZ27741362

Office : KAJOT Technology Center
Kaštanová 64, 620 00 BRNO, CZ
tlf: +420 515 535 134 fax: +420 515 535 134
gsm: +420 724 951 702

e-mail : zidek at kajot.cz
www.kajot.com
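
Added example, not part of the original post and not Spacewalk or yum code: a pre-flight check to run on a client before it is subscribed to a new channel, modelling the rule as quoted in the message above (the channel's GPG key URL must be a file:// path under /etc/pki/rpm-gpg, and the key file must be present on the client). The function names, the KEYDIR variable and the sample channel labels and URLs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits channel GPG key URLs against the rule quoted in the post.
# KEYDIR, the function names and the sample data are assumptions, not project code.
KEYDIR="${KEYDIR:-/etc/pki/rpm-gpg}"

# classify_gpgkey URL -> prints one of:
#   ok       file:// URL inside KEYDIR and the key file is present
#   missing  file:// URL inside KEYDIR but no such file on this client
#   refused  any other scheme, a path outside KEYDIR, or a ".." component
classify_gpgkey() {
    url=$1
    case $url in
        file://*) path=${url#file://} ;;
        *) echo refused; return 0 ;;
    esac
    # Reject directory traversal outright instead of trying to normalise it.
    case "/$path/" in
        */../*) echo refused; return 0 ;;
    esac
    # The key must be a file name below KEYDIR, not KEYDIR itself.
    case $path in
        "$KEYDIR"/?*) ;;
        *) echo refused; return 0 ;;
    esac
    if [ -f "$path" ]; then echo ok; else echo missing; fi
}

# audit_channels reads "channel-label URL" lines on stdin and reports each one.
audit_channels() {
    while read -r label url; do
        [ -n "$label" ] || continue
        printf '%s\t%s\t%s\n' "$label" "$(classify_gpgkey "$url")" "$url"
    done
}

# Constructed sample input: labels and URLs are made up for illustration.
audit_channels <<'EOF'
epel-6-x86_64 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
custom-tools http://example.com/RPM-GPG-KEY-custom
traversal-test file:///etc/pki/rpm-gpg/../../tmp/key
EOF
```

A "missing" result means the key file still has to be distributed to that client; "refused" means the URL in the channel properties does not point into the key directory at all.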
