[Spacewalk-list] GPG keys distribution from Spacewalk

Waldirio Manhães Pinheiro waldirio at gmail.com
Thu Jul 30 18:23:09 UTC 2020


Hello Jackson

You can proceed as below

To obtain all the features from clients, it is necessary to execute some
routines on the clients after registering them in Spacewalk, as follows:

   - GPG keys of custom channel/the 3rd channel. Let’s talk again about the
   item 2.3, where we talked about child channels. They have a signature GPG
   file package - well, as we described, we shared it on the server (
   http://spacewalk.network.biz/pub/GPG/) that would be available to any
   client on the network. Now we will use a routine to import those keys and
   so we can install available packages via Spacewalk.


[root@node1 ~]# for b in $(curl http://spacewalk.network.biz/pub/GPG/ | cut -d"=" -f5 | cut -d"\"" -f2 | grep -v -E '(^$|^.*<|^.*/|^.*;.*)'); do
    # download each key listed under /pub/GPG/ (skipping existing files) and import it
    cd /etc/pki/rpm-gpg; wget -nc http://spacewalk.network.biz/pub/GPG/$b; rpm --import /etc/pki/rpm-gpg/$b
done 2>/dev/null

Take care here! The previous command can be placed at the end of the
bootstrap.sh file, which is located on the Spacewalk server. Then, every time a
machine is registered via bootstrap.sh, it will automatically receive the
keys of all channels.

If the installation was performed via Kickstart, the keys are automatically
imported, so the execution of the previous command is not necessary. To
check which keys are installed on the registered server, run the next
command:

[root@node1 ~]# rpm -qa | grep gpg-pubkey
gpg-pubkey-863a853d-4f55f54d
gpg-pubkey-c105b9de-4e0fd3a3
gpg-pubkey-c431416d-3db4c821
gpg-pubkey-0608b895-4bd22942
[root@node1 ~]#


You can find this trick and much more here [1]

Hope this helps.
______________
Best
Waldirio
Skype: waldirio
Site: www.waldirio.com.br
LinkedIn: https://www.linkedin.com/in/waldirio

[1] https://www.amazon.com/Spacewalk-Satellite-Project-solution-management-ebook/dp/B071DDQ4W2
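
A variant of the import loop above that filters the directory listing strictly and imports only keys whose SHA-256 digest appears in a locally held manifest, so a changed or unexpected file under /pub/GPG/ is reported instead of trusted. This is an added example, not part of the original post; the function names, the manifest (assumed to reach the client separately from the HTTP directory, for instance inside bootstrap.sh) and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the manifest
# format and SAMPLE_LISTING are assumptions made for illustration.
BASE_URL="http://spacewalk.network.biz/pub/GPG"   # URL used in the post
KEY_DIR="/etc/pki/rpm-gpg"

# Constructed sample of an Apache-style directory listing (for offline testing).
SAMPLE_LISTING='<a href="?C=N;O=D">Name</a>
<a href="/pub/">Parent Directory</a>
<a href="RPM-GPG-KEY-EPEL-6">RPM-GPG-KEY-EPEL-6</a>
<a href="../escape">escape</a>
<a href="RPM-GPG-KEY-splunk">RPM-GPG-KEY-splunk</a>'

# Read listing HTML on stdin, print href targets that are plain file names.
# Sort links (?C=N;O=D), directories and anything containing "/" are dropped.
list_key_names() {
    grep -oE 'href="[^"]+"' | cut -d'"' -f2 | grep -E '^[A-Za-z0-9][A-Za-z0-9._-]*$'
}

# key_is_pinned FILE MANIFEST
# Succeeds only if MANIFEST holds the exact line "<sha256>  <file name>",
# the format written by: sha256sum RPM-GPG-KEY-* > manifest
key_is_pinned() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$sum" ] || return 1
    grep -qxF "$sum  $(basename "$1")" "$2"
}

# import_pinned_keys MANIFEST
# Downloads every key in the listing, imports those that match the manifest,
# and reports the rest instead of discarding errors.
import_pinned_keys() {
    tmp=$(mktemp -d) || return 1
    for name in $(curl -fsS "$BASE_URL/" | list_key_names); do
        if ! curl -fsS -o "$tmp/$name" "$BASE_URL/$name"; then
            echo "download failed: $name" >&2
        elif key_is_pinned "$tmp/$name" "$1"; then
            install -m 0644 "$tmp/$name" "$KEY_DIR/$name" && rpm --import "$KEY_DIR/$name"
        else
            echo "not imported (digest not in manifest): $name" >&2
        fi
    done
    rm -rf "$tmp"
}
```

Source the file and call `import_pinned_keys /path/to/manifest` as root; `rpm -qa | grep gpg-pubkey` then shows what was actually imported.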

On Fri, Jul 24, 2020 at 12:47 PM Brian Long <briandlong at gmail.com> wrote:

> My workflow before using Ansible was typically to download the vendor RPM
> or release RPM that contains the .repo file and GPG key.  I then place
> every key I might ever want on my systems in /var/www/html/pub on my
> spacewalk server.  I then have a kickstart snippet script defined.  The
> script looks something like this:
>
> # download each key from the Spacewalk server's /pub directory, then import it
> wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 http://$http_server/pub/RPM-GPG-KEY-EPEL-6 && \
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
> if [ "$?" != 0 ]; then
>     echo "Failed to import EPEL-6 key"
> fi
> wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015 http://$http_server/pub/RPM-GPG-KEY-spacewalk-2015 && \
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015
> if [ "$?" != 0 ]; then
>     echo "Failed to import Spacewalk-2015 key"
> fi
> wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk http://$http_server/pub/RPM-GPG-KEY-splunk && \
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk
> if [ "$?" != 0 ]; then
>     echo "Failed to import Splunk key"
> fi
> wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools http://$http_server/pub/RPM-GPG-KEY-vmware-tools && \
> rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools
> if [ "$?" != 0 ]; then
>     echo "Failed to import VMware Tools key"
> fi
>
> I reference this snippet as a Pre and Post script in my kickstart
> profile.  This allows me to install some of the vendor RPMs (e.g.
> splunkforwarder) during the initial kickstart and it also lets me install
> others only when needed.  If you only need to install post-kickstart, you
> do not need to import the keys during %pre.
>
> /Brian/
>
> On Fri, Jul 24, 2020 at 2:17 PM Jackson K. Bonvissuto <
> jbonvissuto at aplura.com> wrote:
>
>> Hello all,
>>
>> I am trying to find a solution for populating GPG keys on client systems
>> through Spacewalk, so that every time a system subscribes to a new channel
>> I do not have to wget the key manually. Are there any systems in
>> Spacewalk to auto-distribute the channel's key when a client subscribes to
>> it, or an alternate recommended solution?
>>
>> Example of the issue when installing a package from a new channel:
>>
>> yum install osquery-4.4.0-1.x86_64
>>
>> Is this ok [y/d/N]: y
>>
>> #error
>>
>> Downloading packages:
>>
>> warning: /var/cache/yum/x86_64/7/osquery-x86_64/packages/osquery-4.4.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b: NOKEY
>>
>> Retrieving key from file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY
>>
>> GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY"
>>
>> Currently solved by manually placing the key in "/etc/pki/rpm-gpg" on the
>> client system.
>>
>> Thanks,
>> Jackson
>>
>>
>>
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list