[Spacewalk-list] Spacewalk/RPM Key Management: [Was: spacewalk 1.3 - python-ethtool package being a problem within kickstart.]

Mark Watts m.watts at linux-corner.info
Thu May 19 18:46:19 UTC 2011



On 19/05/2011 19:06, Matthew Darcy wrote:
> Mark,
> 
> Fantastic advice,
> 
> I had the keys on the machine but I hadn't imported them into
> spacewalk or associated them with the build profile, I did this and
> straight away it's come to life, which as soon as you've said it
> makes sense, however it also puts contradiction to a conversation in
> the #spacewalk irc channel last night that the kickstart process
> didn't care about the keys, clearly it does and that’s really useful
> to know.

The really irritating part of this is that once you've done a kickstart
(which if you look at the raw kickstart file you can see importing the
keys by pulling down files and rpm --import'ing them) you're on your own
if you ever want to add other RPMs signed by other keys - Spacewalk has
no way of managing what keys are installed on clients or adding/removing
them after a kickstart is complete.

I assume this is partly down to the poor (imho) way RPM manages keys,
and the fact that the yum-rhn-plugin won't allow you to install a
package unless it's signed and RPM has the key imported, so you can't
easily have a custom keys rpm that gets updated and deployed for you
when you add new keys.

Personally I deal with this by not only loading the keys into Spacewalk
so they get deployed with the kickstart, but adding them to
/var/www/html/pub/ so I can rpm --import them directly from the server
(although rpm uses wget which doesn't trust the Spacewalk CA cert so you
have to use http:// !)

Musing on this, I wonder if the answer is to get Spacewalk to maintain an
rpm within which all of your keys are stored. Of course you still have
the problem of what keys to use to sign that rpm, and how to manage those...

Mark

-- 
Mark Watts, BSc RHCE
http://www.linux-corner.info/
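Mark's workaround of pulling keys from /var/www/html/pub/ over plain http:// can be tightened by fetching over TLS with the Spacewalk CA and checking each key's fingerprint before `rpm --import`. This is an added example, not code from the thread or from Spacewalk; the server name, key file name and fingerprint are placeholders, and the CA path is assumed to be the usual location on registered clients.

```shell
#!/bin/sh
# Added example (not from the thread): fetch RPM signing keys from the Spacewalk
# server's /pub/ directory and rpm --import them only after the key's fingerprint
# matches a pinned value. Assumptions: hostname, key filename and fingerprint are
# placeholders; the CA path is the one Spacewalk clients normally carry.
set -eu

SPACEWALK_SERVER="${SPACEWALK_SERVER:-spacewalk.example.com}"
CA_CERT=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
# Pinned keys, one per line: "<file under /pub/> <expected fingerprint>".
# The fingerprint here is a constructed placeholder; verify yours out of band.
PINNED_KEYS='
RPM-GPG-KEY-example-internal 0000000000000000000000000000000000000000
'

# Canonicalise a fingerprint for comparison: strip spaces/colons, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}
# Succeed (exit 0) only when both fingerprints match after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}
# Read the primary fingerprint from an armoured key file with gpg alone ("fpr"
# record, field 10), so nothing enters the RPM keyring before the check passes.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

import_pinned_keys() {
    tmp=$(mktemp -d)
    printf '%s\n' "$PINNED_KEYS" | while read -r file expected; do
        [ -n "$file" ] || continue
        # TLS fetch trusting only the Spacewalk CA; -f makes HTTP errors fatal.
        curl -fsS --cacert "$CA_CERT" -o "$tmp/$file" "https://$SPACEWALK_SERVER/pub/$file" ||
            { echo "fetch of $file failed" >&2; continue; }
        actual=$(key_fingerprint "$tmp/$file")
        if fpr_matches "$expected" "$actual"; then
            rpm --import "$tmp/$file" && echo "imported $file ($actual)"
        else
            echo "REFUSED $file: fingerprint $actual, pinned $expected" >&2
        fi
    done
    rm -rf "$tmp"
}

# Only act when run as "sh import-keys.sh import"; sourcing just defines functions.
if [ "${1:-}" = "import" ]; then import_pinned_keys; fi
```

The pinned list is the part Spacewalk does not manage for you; keep it under the same change control as the keys loaded into the kickstart profile.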