On Thu, 19 May 2011, Mark Watts wrote:
> Personally I deal with this by not only loading the keys into Spacewalk so they get deployed with the kickstart, but adding them to /var/www/html/pub/ so I can rpm --import them directly from the server (although rpm uses wget, which doesn't trust the Spacewalk CA cert, so you have to use http:// !)
>
> cp /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/tls/certs
> cacertdir_rehash /etc/pki/tls/certs/
>
> Now wget will be happy. Curl seems to not bother going through that directory and just looks at the ca-bundle.crt, so just cat it to the end of that and curl's happy too.
>
> Musing on this, I wonder if the answer is to get Spacewalk to maintain an rpm within which all of your keys are stored. Of course you still have the problem of what keys to use to sign that rpm, and how to manage those...
Install in the first place with at least your own GPG key included. Then you can have a package with triggers to install whatever keys you like, that you could update on the systems. So yes, I don't see why that idea can't work.

Surely everybody already has at least one GPG key of their own? Personally I stick with just a CentOS key and my own key. Any package that gets imported from elsewhere gets resigned before it gets imported. But I can see why others would want multiple keys.

jh

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
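The "keys rpm" idea floated in the thread, as an added example that is not code from either poster or from the Spacewalk project: a shell script that generates a spec file for a noarch package shipping your public keys under /etc/pki/rpm-gpg and importing them into the rpm keyring in %post, plus helpers to list what is imported and to verify a package against it. The package name, key file names and paths are assumptions for illustration; the bootstrap problem raised above still applies, so the resulting rpm must be signed with a key the kickstart already deploys.

```shell
#!/bin/sh
# Added example: build an "org-gpg-keys" RPM that carries the organisation's
# public GPG keys and imports them on install. Names and paths are hypothetical.
set -eu

# make_keys_spec SPECFILE KEYFILE... : write a spec whose SourceN entries are
# the given key file basenames (expected in rpmbuild's SOURCES directory).
make_keys_spec() {
    out=$1; shift
    {
        cat <<'EOF'
Name:           org-gpg-keys
Version:        1.0
Release:        1
Summary:        Organisation RPM signing keys
License:        Public Domain
BuildArch:      noarch
EOF
        i=0
        for k in "$@"; do
            echo "Source$i:        $k"
            i=$((i + 1))
        done
        cat <<'EOF'

%description
Public GPG keys used to sign packages served by the local Spacewalk server.
Installing this package imports them into the rpm keyring.

%install
mkdir -p %{buildroot}/etc/pki/rpm-gpg
EOF
        i=0
        for k in "$@"; do
            echo "install -m 0644 %{SOURCE$i} %{buildroot}/etc/pki/rpm-gpg/$k"
            i=$((i + 1))
        done
        cat <<'EOF'

%post
# rpm --import is idempotent: re-importing a known key creates no new
# gpg-pubkey package, so upgrades of this rpm are safe to repeat.
for k in /etc/pki/rpm-gpg/RPM-GPG-KEY-*; do
    rpm --import "$k" || :
done

%files
EOF
        for k in "$@"; do
            echo "/etc/pki/rpm-gpg/$k"
        done
    } > "$out"
}

# build_keys_rpm SPECFILE : run rpmbuild if it is available (needs the key
# files copied into ~/rpmbuild/SOURCES first). Sign the result with
# `rpm --addsign` using the key already deployed by the kickstart.
build_keys_rpm() {
    command -v rpmbuild >/dev/null 2>&1 || { echo "rpmbuild not installed" >&2; return 1; }
    rpmbuild -bb "$1"
}

# list_imported_keys : show the gpg-pubkey pseudo-packages rpm trusts.
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# verify_rpm PKG.rpm : exit non-zero unless the signature checks out against
# an imported key ("NOT OK" and "MISSING KEYS" both fail here).
verify_rpm() {
    rpm -K "$1" | grep -qv 'NOT OK\|MISSING KEYS'
}
```

Typical use: `make_keys_spec ~/rpmbuild/SPECS/org-gpg-keys.spec RPM-GPG-KEY-ORG RPM-GPG-KEY-CentOS-6`, copy the key files into ~/rpmbuild/SOURCES, then `build_keys_rpm` and sign the package before pushing it into the Spacewalk channel; `verify_rpm` on a client shows whether the import worked.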
