[Spacewalk-list] channels and gpg key fields

Brian Long briandlong at gmail.com
Fri Mar 6 19:15:48 UTC 2020


On your Spacewalk server, visit /rhn/keys/CryptoKeysList.do and make
sure you add all GPG keys you want your systems to be able to
reference.  In your kickstart profile, visit
rhn/kickstart/KickstartCryptoKeysList.do (System Details, GPG&SSL).
Put a checkbox next to each GPG key you want installed during the
kickstart.  These keys will NOT be imported pre-kickstart so you will
be unable to kickstart-install packages from third-party repos unless
you add those keys during %pre.

We have snippets configured in our kickstart to import the GPG keys
required for all packages during the kickstart.  For example, I have a
snippet as follows for old RHEL 6 stuff:

# Fetch each key from the Spacewalk server's /pub directory and import it
# into the RPM keyring; report any key that fails to download or import.
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 \
    http://$http_server/pub/RPM-GPG-KEY-EPEL-6 && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
if [ "$?" != 0 ]; then
    echo "Failed to import EPEL-6 key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015 \
    http://$http_server/pub/RPM-GPG-KEY-spacewalk-2015 && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015
if [ "$?" != 0 ]; then
    echo "Failed to import Spacewalk-2015 key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk \
    http://$http_server/pub/RPM-GPG-KEY-splunk && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk
if [ "$?" != 0 ]; then
    echo "Failed to import Splunk key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools \
    http://$http_server/pub/RPM-GPG-KEY-vmware-tools && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools
if [ "$?" != 0 ]; then
    echo "Failed to import VMware Tools key"
fi

I then reference $SNIPPET('spacewalk/1/import-gpg-keys-el6') as a
"Pre" script in my kickstart profile.  This allows me to install the
splunkforwarder and vmware-tools RPM as part of %packages instead of
later or post-kickstart.

/Brian/
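
The snippet above fetches each key over plain HTTP and imports it unconditionally. As an added example (not part of the original post, and not Spacewalk's own code), the variant below imports a key only when its SHA-256 digest matches a value pinned in the snippet. The function names, the FETCH/IMPORT/KEY_DIR variables and the manifest format are assumptions made for this example, and the digests shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: sha256sum is
# available in the %pre environment, and each digest in the manifest was
# computed beforehand from a copy of the key obtained over a trusted path.

KEY_DIR="${KEY_DIR:-/etc/pki/rpm-gpg}"
FETCH="${FETCH:-wget -qO}"        # invoked as: $FETCH <dest file> <url>
IMPORT="${IMPORT:-rpm --import}"  # invoked as: $IMPORT <key file>

# key_matches FILE SHA256: succeed only if FILE is non-empty and its digest
# equals the pinned value.
key_matches() {
    [ -s "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# import_pinned_keys BASE_URL  (manifest on stdin: "<sha256> <key name>")
# Imports a key only after its digest matches; returns the number of keys
# that were refused, so the caller can abort the build on non-zero.
import_pinned_keys() {
    base_url=$1
    failed=0
    while read -r want name; do
        case "$name" in ''|*/*) continue ;; esac   # skip blanks and paths
        dest="$KEY_DIR/$name"
        if $FETCH "$dest" "$base_url/$name" &&
           key_matches "$dest" "$want" &&
           $IMPORT "$dest"; then
            echo "imported $name"
        else
            echo "REFUSED $name: download, digest check or import failed" >&2
            rm -f "$dest"          # do not leave an unverified key behind
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Call from %pre (REPLACE_... values are placeholders, not real digests):
# import_pinned_keys "http://$http_server/pub" <<'EOF'
# REPLACE_WITH_SHA256 RPM-GPG-KEY-EPEL-6
# REPLACE_WITH_SHA256 RPM-GPG-KEY-splunk
# EOF
```

Inside a Cobbler/Spacewalk snippet the shell variables need Cheetah escaping (for example a #raw ... #end raw block around the functions), leaving only the call that uses $http_server outside it.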

On Fri, Mar 6, 2020 at 1:59 PM Stefan Bluhm <redhat.com at bluhm-de.com> wrote:
>
> Hello Laurence,
>
> we actually had the question here a few days ago.
>
> The field GPG key on the channel setup is information for the package installer on the CLIENT. It tells the package installer on the client where to find the GPG key for these packages. You have to enter it from the client point of view (in the same format the client would use it). So no URL. It must be a client local file location.
>
> 1. When you use Spacewalk to kickstart a server, you can configure the keys there and they get deployed on each new build.
> 2. When you provision otherwise, you have to place the non-default keys (i.e. not included in the OS) manually onto the server. How about adding the keys to a configuration channel and auto-deploy the channel contents on each new registration? You could then also use the channel to push new repos/keys to all clients, if required.
>
> Best wishes,
>
> Stefan
>
>
> ________________________________
> From: "Laurence Rosen" <lrosen at interactions.com>
> To: "spacewalk-list" <spacewalk-list at redhat.com>
> Sent: Friday, 6 March 2020 19:29:31
> Subject: [Spacewalk-list] channels and gpg key fields
>
> Is there any doc that describes these fields other than how to fill them out?
> What are they for, as they don't seem to do anything and aren't used by yum to automatically add them to a client?
>
> To register new clients, my script has to wget the keys from /pub/gpg on my server and save them in /etc/pki/rpm-gpg, but it seems like the channel should be able to be utilized somehow.
>
> I have searched quite a bit looking for the answers on my own and thought I had seen an old spacewalk-list mention but cannot find it again.
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list