On 19/05/2011 19:06, Matthew Darcy wrote:
> Mark,
>
> Fantastic advice,
>
> I had the keys on the machine but I hadn't imported them into
> spacewalk or associated them with the build profile, I did this and
> straight away it's come to life, which as soon as you've said it
> makes sense, however it also puts contradiction to a conversation in
> the #spacewalk irc channel last night that the kickstart process
> didn't care about the keys, clearly it does and that’s really useful
> to know.

The really irritating part of this is that once you've done a kickstart (which if you look at the raw kickstart file you can see importing the keys by pulling down files and rpm --import'ing them) you're on your own if you ever want to add other RPMs signed by other keys - Spacewalk has no way of managing what keys are installed on clients or adding/removing them after a kickstart is complete.

I assume this is partly down to the poor (imho) way RPM manages keys, and the fact that the yum-rhn-plugin won't allow you to install a package unless it's signed and RPM has the key imported, so you can't easily have a custom keys rpm that gets updated and deployed for you when you add new keys.

Personally I deal with this by not only loading the keys into Spacewalk so they get deployed with the kickstart, but adding them to /var/www/html/pub/ so I can rpm --import them directly from the server (although rpm uses wget which doesn't trust the Spacewalk CA cert so you have to use http:// !)

Musing on this, I wonder if the answer is to get Spacewalk to maintain an rpm within which all of your keys are stored. Of course you still have the problem of what keys to use to sign that rpm, and how to manage those...

Mark

-- 
Mark Watts, BSc RHCE
http://www.linux-corner.info/

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
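An added example, not part of the original message or of Spacewalk itself: one way to import a key published under /pub/ without falling back to plain http://, by fetching it over HTTPS validated against the Spacewalk CA and checking a pinned fingerprint before `rpm --import`. The CA path is the usual location on RHN/Spacewalk clients and is an assumption here, as are the URL and fingerprint passed in; the key file is assumed to hold a single v4 key.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the org CA sits where Spacewalk/RHN clients normally keep it.
CA_CERT="${CA_CERT:-/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}"

# Strip spaces, colons and newlines from a fingerprint and upper-case it.
norm_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons` output on stdin, print the first fingerprint.
fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# True only when $1 is a 40-hex-digit (v4) fingerprint equal to $2.
fpr_matches() {
    local got want
    got=$(norm_fpr "$1"); want=$(norm_fpr "$2")
    [ "${#got}" -eq 40 ] || return 1
    case $got in *[!0-9A-F]*) return 1 ;; esac
    [ "$got" = "$want" ]
}

# import_key URL EXPECTED_FINGERPRINT
import_key() {
    local tmp got rc
    tmp=$(mktemp) || return 1
    rc=1
    # HTTPS validated against the Spacewalk CA only, instead of plain http://
    if curl --fail --silent --show-error --cacert "$CA_CERT" -o "$tmp" "$1"; then
        # Lists the key file without importing it into any keyring
        got=$(gpg --with-colons --with-fingerprint "$tmp" 2>/dev/null | fpr_from_colons)
        if fpr_matches "$got" "$2"; then
            rpm --import "$tmp" && rc=0
        else
            echo "fingerprint mismatch for $1: got '${got}'" >&2
        fi
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run only when called as: script URL FINGERPRINT
if [ "$#" -eq 2 ]; then
    import_key "$1" "$2"
fi
```

The expected fingerprint should reach the client through a channel other than the download itself, for example a configuration file deployed at kickstart.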
