Hello Simon,

We need to implement a secure way of installing packages.
All packages in the Spacewalk repo must be trusted. We tried to set up SecureApt and therefore I was looking for Packages.gz, Release and Release.gpg. It should not be a big deal to implement this in the Spacewalk server and client parts.

After some tests we chose the second way, to sign the debs. It's much more secure and it fulfills our needs without touching Spacewalk code.

Right now there are 2 signatures needed (origin, maintainer) to install the DEB from any repository. So nobody could fake the DEB and put it into the repo. SecureApt did not solve this problem.

        best regards
                Peter

On 1/21/13 1:04 PM, Simon Lukasik wrote:
On 01/17/2013 02:13 PM, Mgr. Peter Hudec wrote:
Hi all,

We are using the Spacewalk system for Debian based systems.
We want to use GPG verification of the packages/repository.

1) signing repository
Debian is using Release and Release.gpg files for this purpose. Is there
any way to generate these files in the Spacewalk system? The only
file generated right now is Packages.

I haven't found any way to add this file to the repository manually or
generate it on the fly.


Hello Peter,

It is true that the Packages.gz metadata is not signed by the Spacewalk server.
However, I don't understand why that should be a concern.

If your client is configured to use HTTPS, it authenticates the server
based on the server certificate. The server then authenticates the client
based on its system id. The Packages.gz is served only to the clients
after mutual authentication. The same applies to each deb or rpm
package served from Spacewalk to the client.

So, I fail to see the problem that you are trying to solve with a signed
Packages.gz.
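To make the SecureApt side of this exchange concrete, here is an added example (not code from the thread, Spacewalk or Debian) showing the hash chain that a signed Release file protects: Release lists the size and SHA-256 of every index file, and each Packages stanza lists the size and SHA-256 of its .deb, so a detached signature over Release (Release.gpg, produced with `gpg --armor --detach-sign -o Release.gpg Release`) indirectly covers every package. The repository layout, package name, paths and .deb bytes are constructed sample data, and the script deliberately stops short of the GPG step itself; it builds the files and verifies the chain the way apt does once it has checked the signature.

```python
"""Added example: the hash chain SecureApt checks underneath Release.gpg.

Release lists size + SHA-256 of each index; each Packages stanza lists
size + SHA-256 of its .deb.  Signing is done outside this script with:
    gpg --armor --detach-sign -o Release.gpg Release
All repository contents below are constructed sample data.
"""
import gzip
import hashlib
from datetime import datetime, timezone


def build_packages_index(entries):
    """Render Packages stanzas; Size/SHA256 are computed from the .deb bytes."""
    stanzas = []
    for e in entries:
        deb = e["deb_bytes"]
        stanzas.append(
            f"Package: {e['Package']}\nVersion: {e['Version']}\n"
            f"Architecture: {e['Architecture']}\nFilename: {e['Filename']}\n"
            f"Size: {len(deb)}\nSHA256: {hashlib.sha256(deb).hexdigest()}\n"
        )
    return "\n".join(stanzas)


def build_release(files, suite="stable", codename="wheezy", arch="amd64"):
    """Render a Release file listing every index in `files` (path -> bytes)."""
    lines = [
        "Origin: spacewalk", "Label: spacewalk", f"Suite: {suite}",
        f"Codename: {codename}",
        "Date: " + datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC"),
        f"Architectures: {arch}", "Components: main", "SHA256:",
    ]
    for path in sorted(files):
        data = files[path]
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text):
    """Return {path: (hexdigest, size)} from the SHA256 section of Release."""
    result, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            result[path] = (digest, int(size))
        else:
            in_section = False  # any unindented line ends the section
    return result


def verify_release(release_text, files):
    """Check every file listed in Release; returns (ok, list_of_problems)."""
    problems = []
    for path, (digest, size) in parse_release_sha256(release_text).items():
        data = files.get(path)
        if data is None:
            problems.append(f"{path}: missing")
        elif len(data) != size:
            problems.append(f"{path}: size {len(data)} != {size}")
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{path}: SHA256 mismatch")
    return (not problems, problems)


def verify_deb(packages_text, deb_path, deb_bytes):
    """Check one .deb against its Packages stanza (the next link of the chain)."""
    for stanza in packages_text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Filename") == deb_path:
            return (int(fields["Size"]) == len(deb_bytes) and
                    fields["SHA256"] == hashlib.sha256(deb_bytes).hexdigest())
    return False  # not listed in the index at all


def make_demo_repo():
    """Constructed sample: one fake .deb, its Packages index, and Release."""
    deb = b"!<arch>\n" + b"sample-deb-payload-" * 8  # not a real .deb
    entry = {"Package": "spacewalk-client-tools", "Version": "1.9.0-1",
             "Architecture": "amd64", "deb_bytes": deb,
             "Filename": "pool/main/s/spacewalk-client-tools_1.9.0-1_amd64.deb"}
    packages = build_packages_index([entry])
    files = {"main/binary-amd64/Packages": packages.encode(),
             "main/binary-amd64/Packages.gz": gzip.compress(packages.encode(), mtime=0)}
    return deb, entry["Filename"], packages, files, build_release(files)


if __name__ == "__main__":
    deb, deb_path, packages, files, release = make_demo_repo()
    print(release)
    print("release ok:", verify_release(release, files))
    print("deb ok:", verify_deb(packages, deb_path, deb))
    # An attacker with write access to the repo has to change Packages to point
    # at a trojaned .deb; the signed Release then no longer matches it.
    tampered = dict(files)
    tampered["main/binary-amd64/Packages"] = packages.replace("1.9.0-1", "1.9.0-2").encode()
    print("tampered ok:", verify_release(release, tampered))
```

The point of the chain is that the signing key only ever touches Release: regenerating Packages after adding a .deb does not require the key to be present on the repository host, but swapping a .deb or editing Packages without re-signing Release is detected. This is exactly the property a per-package signature (the dpkg-sig route chosen in the reply above) provides at the package level instead of the repository level.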


_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list