[Spacewalk-list] GPG key hosted on the spacewalk server via HTTP fails
Amedeo Salvati
amedeo at oscert.net
Mon Sep 8 12:20:36 UTC 2014
you can write a bootstrap script that import the key / keys before registering to spacewalk server:
rpm --import http://SPACEWALK.FQDN.COM/pub/KEY1
...
rpm --import http://SPACEWALK.FQDN.COM/pub/KEYX
best regards
a
Da: spacewalk-list-bounces at redhat.com
A: spacewalk-list at redhat.com
Cc:
Data: Mon, 8 Sep 2014 13:49:29 +0200
Oggetto: Re: [Spacewalk-list] GPG key hosted on the spacewalk server via HTTP fails
> Nicolas Michel wrote:
> % Hi,
> %
> % I'm starting to try spacewalk (21). I configured the epel repository. When
> % trying to install some packages on the client OS configured with the
> % spacewalk repositories, it fails saying it can't find the GPG key:
> % warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID
> % 0608b895: NOKEY
> %
> %
> % Public key for jabberpy-0.5-0.21.el6.noarch.rpm is not installed
> %
> % I found the GPG here :
> % http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6 and copied it on my
> % spacewalk server in /var/www/html/pub. So the URL is
> % https://my_spacewalk_server/pub/RPM-GPG-KEY-EPEL-6 (I can see it with my
> % browser so it is reachable).
> %
> % Then on spacewalk I setup the:
> % - GPG key URL:*https://*my_spacewalk_server*/pub/RPM-GPG-KEY-EPEL-6*
> % - GPG key ID: *0608B895*
> % - GPG key Fingerprint: *8C3B E96A F230 9184 DA5C 0DAE 3B49 DF2A 0608 B895*
> %
> % When trying to re-install the package, it still fails.
> %
> % BUT, if I copy the key to the client serveur in
> % /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
> % AND setup the spacewalk channel "GPG key URL" to
> % file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
> % THEN it works:
> %
> % warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID
> % 0608b895: NOKEY
> % Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
> % Importing GPG key 0x0608B895:
> % Userid: "EPEL (6) "
> % From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
> % Is this ok [y/N]: n
> %
> % => why? Can't we import gpg key from HTTP? Will I need to copy the GPG key
> % on each client?
>
> For security reasons - you can't really trust signature if
> you download both rpm and key from the same source.
> https://www.redhat.com/archives/spacewalk-list/2012-January/msg00193.html
>
>
> Regards,
>
> --
> Michael Mráka
> Satellite Engineering, Red Hat
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20140908/a186e232/attachment.htm>
More information about the Spacewalk-list
mailing list