[Spacewalk-list] Resign Packages

Milan Zázrivec mzazrivec at redhat.com
Thu Nov 14 12:55:20 UTC 2013 

On Thursday 14 November 2013 10:59:39 Frank Paulick wrote:
> this works for 1 or 2 packages.
> i would like to resign all packages already imported in my spacewalk
> server (~30000 Packages)
> at best without resyncing them from the external repositories
> as far as i know there is also no way to resign packages imported by
> using "spacewalk-repo-sync"
> 
> to summarize, how can i resign all packages for a local spacewalk server
> with my own key ?

Re-sign all rpms on your /var/satellite and somehow make Spacewalk 
automatically pick up (i.e. recompute checksums, re-generate repodata)
the newly signed content? I'm afraid that's not possible.

By re-signing the package, you effectively changed it (its checksum and
signature anyway). At this point, your Spacewalk won't do anything. And yes,
yum on the client side will report checksum mismatches, b/c that's what
happened, right? You wouldn't want someone to alter the package content
and expect your Spacewalk to act like it's okay, would you?

So if you trust the new (re-signed) rpms, you need to re-push / re-sync them
to your Spacewalk channels. This needs to be a deliberate action, same way
re-signing the rpms was a deliberate action.

This of course can be automated with API & rhnpush: you will simply have
a list of packages that you need to re-push, delete the old one (using API)
and re-push it into its channel(s) using rhnpush.

-MZ

> On 11/14/2013 10:51 AM, Milan Zázrivec wrote:
> > On Thursday 14 November 2013 10:48:26 Frank Paulick wrote:
> >> Hi,
> >> 
> >> is there a way/procedure to resign already in spacewalk imported rpm
> >> packages with a new key?
> >> 
> >> when doing a "rpm --resign" on an rpm package laying in /var/satellite ,
> >> the client can't download the package afterwards anymore.
> >> it quits with the message
> >> 
> >> error was [Errno -1] Package does not match intended download
> >> 
> >> the suggested "yum clean metadata" did not help
> >> 
> >> as far as i can see because of the resign the rpm package has changed
> >> and spacewalk doesn't yet know about it.
> >> if i'm right with this, how can i get spacewalk to update it's
> >> information on the package ?
> > 
> > Delete it & re-push the package again.
> > 
> > -MZ
> > 
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list

More information about the Spacewalk-list mailing list