[Spacewalk-list] Effective management of RPM GPG keys

Charles Richards list at mass-distortion.net
Wed Feb 26 18:38:33 UTC 2014


Hi Stanislav,

> Is this the supposed behaviour? Am I missing something?

Yes, Spacewalk/Yum will refuse to install packages or import the key without manual intervention (yum -y install xxxx or accepting the keys in yum).

I ran into the same issue previously. I added GPG keys to kickstart for new nodes, and then use Puppet to push out and install new/updated keys to existing nodes.
If you have the keys on an accessible web-server inside your environment, you could use Ansible to fetch and install the key(s) on one-or-many nodes as well.

- Charles

On Feb 26, 2014, at 4:49 AM, Stanislav Zidek <zidek at kajot.cz> wrote:

> Hi everybody,
> 
> we are using Spacewalk 2.0 in our company and it is really amazing,
> thanks for your hard work.
> 
> Recently, I was thinking about ways to centrally manage GPG keys which
> sign RPM packages. I am aware of the possibility to import them during
> the kickstart of newly installed machines, which I do, but since I
> occasionally add new subchannels with new repositories and subscribe
> existing clients to them, I would be glad for a way to manage it centrally.
> 
> Specifying and using GPG files specified on per-channel basis seems to
> me as the most convenient way (since Spacewalk allows you to specify GPG
> key in channel properties). I searched this mailing list and found a
> relevant post that says: "for spacewalk channel yum will automatically
> import only keys from file:///etc/pki/rpm-gpg for security reasons".
> According to my test, it is true (if I run "yum install -y <package>",
> it works on client without corresponding GPG key IF the key is specified
> in channel properties and it is located in /etc/pki/rpm-gpg on client
> machine).
> 
> However, this procedure fails with message:
> 
> Client execution returned "Error while executing packages action:
> Refusing to automatically import keys when running unattended. [[6]]"
> (code -1)
> 
> if I try to install the package from web interface (System -> select ->
> Software -> Packages -> Install).
> 
> Is this the supposed behaviour? Am I missing something?
> 
> S.
> 
> -- 
> Stanislav Židek
> Bezpečnostní konzultant/analytik
> Security Consultant/Analyst
> 
> Technické oddělení on-line systémy
> Sekce - bezpečnost
> C.S.G. Software Group Limited
> organizační složka
> Kaštanová 64, 620 00 BRNO, CZ
> IČ:27741362 DIČ:CZ27741362
> 
> Office : KAJOT Technology Center
> Kaštanová 64, 620 00 BRNO, CZ
> tlf: +420 515 535 134 fax: +420 515 535 134
> gsm: +420 724 951 702
> 
> e-mail : zidek at kajot.cz
> www.kajot.com
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
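
The approach described in the reply above (pushing keys to existing nodes so that an unattended install never has to import one), as an added example that is not part of the original thread: a shell helper that checks a fetched key file against a pinned fingerprint before copying it into /etc/pki/rpm-gpg and importing it with rpm --import. The function names, the key file name and the gpg listing invocation are assumptions; the expected fingerprint has to come from a trusted source other than the server the key file was downloaded from.

```shell
#!/bin/sh
# Added example (not from the thread): verify an RPM signing key against a
# pinned fingerprint, then install it where yum looks for channel keys.
RPM_GPG_DIR="${RPM_GPG_DIR:-/etc/pki/rpm-gpg}"

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# The fingerprint is field 10 of the first "fpr" record.
parse_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip whitespace and upper-case hex digits, so "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# install_key KEYFILE EXPECTED_FPR   (hypothetical helper)
# Returns 0 after import, 1 on fingerprint mismatch, 2 if no key could be read
# or the copy failed. Nothing is copied or imported unless the fingerprint matches.
install_key() {
    keyfile=$1
    expected=$(normalize_fpr "$2")
    # Assumption: listing a key file this way prints an "fpr" record on the
    # gpg version installed on the client.
    actual=$(gpg --batch --quiet --with-colons --with-fingerprint "$keyfile" 2>/dev/null | parse_fpr)
    actual=$(normalize_fpr "$actual")
    if [ -z "$actual" ]; then
        echo "no OpenPGP key found in $keyfile" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $keyfile: got $actual" >&2
        return 1
    fi
    dest="$RPM_GPG_DIR/$(basename "$keyfile")"
    cp "$keyfile" "$dest" && chmod 0644 "$dest" || return 2
    # Pre-importing into the rpm database means a later unattended
    # package action does not need to import the key itself.
    rpm --import "$dest"
}

# Usage: import-key.sh KEYFILE EXPECTED_FPR
if [ "$#" -eq 2 ]; then
    install_key "$1" "$2"
fi
```

A Puppet exec or an Ansible task can run this after fetching the key file from the internal web server, with the fingerprint kept in the configuration-management repository.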




