> The really irritating part of this is that once you've done a kickstart
> (which if you look at the raw kickstart file you can see importing the
> keys by pulling down files and rpm --import'ing them) you're on your own
> if you ever want to add other RPMs signed by other keys - Spacewalk has
> no way of managing what keys are installed on clients or adding/removing
> them after a kickstart is complete.
> I assume this is partly down to the poor (imho) way RPM manages keys,
> and the fact that the yum-rhn-plugin won't allow you to install a
> package unless it's signed and RPM has the key imported, so you can't
> easily have a custom keys rpm that gets updated and deployed for you
> when you add new keys.
>
> Personally I deal with this by not only loading the keys into Spacewalk
> so they get deployed with the kickstart, but adding them to
> /var/www/html/pub/ so I can rpm --import them directly from the server
> (although rpm uses wget which doesn't trust the Spacewalk CA cert so you
> have to use http:// !)
>
> Musing on this, I wonder if the answer is to get Spacewalk to maintain an
> rpm within which all of your keys are stored. Of course you still have
> the problem of what keys to use to sign that rpm, and how to manage those...
>
> Mark.

Mark, this is a really good topic and I can see exactly what you're saying from your detailed explanation. The best way I think to manage this is to have a small child channel called key-repo that is included in every kickstart build, so it's subscribed to with every build, and then simply have a $version-key-set.noarch.rpm which matches your distro (RHEL/CentOS 5/6 etc.). When you want to add a new repo to existing servers you deploy that rpm with whatever keys you want onto the systems (as it's already a subscribed channel) and then use the Spacewalk remote commands function to subscribe the target systems to the new repo/channel. Quite scrappy but also a simple process.

Matt

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
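One way to produce the key-set package Matt describes, as an added example that is not part of this thread and not Spacewalk's own tooling: a POSIX shell script that generates the spec for a noarch `<dist>-key-set` RPM shipping the public keys under /etc/pki/rpm-gpg/keyset/ (a directory chosen here so the package never conflicts with files owned by vendor *-release packages), builds it when rpmbuild is present, and provides the follow-up import step. The package name, directory, version scheme and the placeholder key files are assumptions for illustration. The `rpm --import` is deliberately kept out of %post and run afterwards (for instance as the Spacewalk remote command Matt mentions), because a scriptlet calling rpm against the database that is being updated is unreliable. This does not remove the chicken-and-egg problem Mark raises: the key-set RPM itself still has to be signed with a key the client already trusts from kickstart, otherwise the yum-rhn-plugin will refuse it.

```shell
#!/bin/sh
# Added example, not from the thread or from Spacewalk: generate the spec for a
# noarch "<dist>-key-set" RPM that ships GPG public keys so they can be pushed
# to clients through a key-repo child channel. Names, paths and versions are
# assumptions for illustration.

KEYSET_DIR=/etc/pki/rpm-gpg/keyset   # assumed install location; avoids clashing with vendor key files

# write_keyset_spec DIST VERSION KEYDIR SPECFILE
#   DIST     distribution tag used in the package name, e.g. el6 -> el6-key-set
#   VERSION  package version; bump it every time a key is added so clients upgrade
#   KEYDIR   directory holding the RPM-GPG-KEY-* files to package
#   SPECFILE path of the spec file to write
# Returns 1 if KEYDIR is missing or holds no RPM-GPG-KEY-* files.
write_keyset_spec() {
    dist=$1; version=$2; keydir=$3; spec=$4
    keys=$(cd "$keydir" 2>/dev/null && ls RPM-GPG-KEY-* 2>/dev/null) || return 1
    [ -n "$keys" ] || return 1

    {
        printf 'Name:           %s-key-set\n' "$dist"
        printf 'Version:        %s\n' "$version"
        printf 'Release:        1\n'
        printf 'Summary:        GPG public keys for channels served by Spacewalk\n'
        printf 'Group:          System Environment/Base\n'
        printf 'License:        Public Domain\n'
        printf 'BuildArch:      noarch\n'
        n=0
        for k in $keys; do
            printf 'Source%d:        %s\n' "$n" "$k"
            n=$((n + 1))
        done
        printf '\n%%description\n'
        printf 'Public keys for verifying packages; import them with rpm --import after install.\n'
        printf '\n%%install\n'
        printf 'install -d %%{buildroot}%s\n' "$KEYSET_DIR"
        n=0
        for k in $keys; do
            printf 'install -m 0644 %%{SOURCE%d} %%{buildroot}%s/%s\n' "$n" "$KEYSET_DIR" "$k"
            n=$((n + 1))
        done
        # No %post on purpose: rpm --import inside a scriptlet runs against a locked rpmdb.
        printf '\n%%files\n'
        printf '%%defattr(-,root,root,-)\n'
        printf '%%dir %s\n' "$KEYSET_DIR"
        for k in $keys; do
            printf '%s/%s\n' "$KEYSET_DIR" "$k"
        done
    } > "$spec"
}

# build_keyset DIST VERSION KEYDIR OUTDIR
# Build the package with rpmbuild if it is installed; returns 2 when it is not.
build_keyset() {
    command -v rpmbuild >/dev/null 2>&1 || { echo "rpmbuild not found" >&2; return 2; }
    top=$(mktemp -d) || return 1
    mkdir -p "$top/SOURCES" "$top/SPECS" "$4"
    cp "$3"/RPM-GPG-KEY-* "$top/SOURCES/" || return 1
    write_keyset_spec "$1" "$2" "$3" "$top/SPECS/$1-key-set.spec" || return 1
    rpmbuild --define "_topdir $top" -bb "$top/SPECS/$1-key-set.spec" >/dev/null &&
        cp "$top"/RPMS/noarch/*.rpm "$4"/
}

# import_keyset: the post-install step, run on the client (e.g. as a Spacewalk
# remote command). Importing an already-imported key is a no-op, so repeating it is safe.
import_keyset() {
    for k in "$KEYSET_DIR"/RPM-GPG-KEY-*; do
        [ -f "$k" ] || continue
        rpm --import "$k"
    done
}

# Demo with constructed placeholder key files (not real keys): write a spec and show it.
demo=$(mktemp -d)
for name in RPM-GPG-KEY-EXAMPLE-EPEL RPM-GPG-KEY-EXAMPLE-INTERNAL; do
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(constructed placeholder)' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$demo/$name"
done
write_keyset_spec el6 1.0 "$demo" "$demo/el6-key-set.spec" && cat "$demo/el6-key-set.spec"
```

After the built RPM is signed with a key the clients already hold, pushed into the key-repo channel and installed, the remote command is simply `rpm --import /etc/pki/rpm-gpg/keyset/RPM-GPG-KEY-*`; you can confirm which keys a client now trusts with `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'` before subscribing it to the new channel.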
