Hi Frank,

% are there any plans to extend the spacewalk-repo-sync functionality
% with resigning incoming packages with supplied own GPG Key ?
No, it isn't on our roadmap.

% on the other hand, does no one use own Keys for all files in spacewalk ?

The most common usage is to sync already signed packages and verify them
using original vendor's key. And for the local packages to sign them before
uploading to spacewalk.

% Regards
% Frank
%
%
% >>this works for 1 or 2 packages.
% >>i would like to resign all packages already imported in my spacewalk
% >>server (~30000 Packages)
% >>at best without resyncing them from the external repositories
% >>as far as i know there is also no way to resign packages imported by
% >>using "spacewalk-repo-sync"
% >>
% >>to summarize, how can i resign all packages for a local spacewalk server
% >>with my own key ?
% >Re-sign all rpms on your /var/satellite and somehow make Spacewalk
% >automatically pick up (i.e. recompute checksums, re-generate repodata)
% >the newly signed content? I'm afraid that's not possible.
% >
% >By re-signing the package, you effectively changed it (its checksum and
% >signature anyway). At this point, your Spacewalk won't do anything. And yes,
% >yum on the client side will report checksum mismatches, b/c that's what
% >happened, right? You wouldn't want someone to alter the package content
% >and expect your Spacewalk to act like it's okay, would you?
% >
% >So if you trust the new (re-signed) rpms, you need to re-push / re-sync them
% >to your Spacewalk channels. This needs to be a deliberate action, same way
% >re-signing the rpms was a deliberate action.
% >
% >This of course can be automated with API & rhnpush: you will simply have
% >a list of packages that you need to re-push, delete the old one (using API)
% >and re-push it into its channel(s) using rhnpush.
% >
% >-MZ
% >
% >>>>Hi,
% >>>>
% >>>>is there a way/procedure to resign already in spacewalk imported rpm
% >>>>packages with a new key?
% >>>>
% >>>>when doing a "rpm --resign" on an rpm package laying in /var/satellite ,
% >>>>the client can't download the package afterwards anymore.
% >>>>it quits with the message
% >>>>
% >>>>error was [Errno -1] Package does not match intended download
% >>>>
% >>>>the suggested "yum clean metadata" did not help
% >>>>
% >>>>as far as i can see because of the resign the rpm package has changed
% >>>>and spacewalk doesn't yet know about it.
% >>>>if i'm right with this, how can i get spacewalk to update its
% >>>>information on the package ?
% >>>Delete it & re-push the package again.
% >>>
% >>>-MZ
%
% --
% Best regards,
% Frank Paulick

--
Michael Mráka
Satellite Engineering, Red Hat

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
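
The thread's point that re-signing changes a package's checksum, and that the packages to delete and re-push must be listed deliberately, can be checked against yum metadata. The following is an added example, not part of the thread and not Spacewalk code: it compares the checksums recorded in a yum `primary.xml` with the files on disk and returns the entries that no longer match. The function names and the byte strings standing in for rpm files are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"c": "http://linux.duke.edu/metadata/common"}  # yum primary.xml namespace

def recorded_checksums(primary_xml):
    """Map each package's location href to (algorithm, digest) from primary.xml."""
    out = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        csum = pkg.find("c:checksum", NS)
        # Older repodata writes type="sha" for SHA-1.
        algo = "sha1" if csum.get("type") == "sha" else csum.get("type")
        out[pkg.find("c:location", NS).get("href")] = (algo, csum.text.strip().lower())
    return out

def file_digest(path, algo):
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def packages_to_repush(primary_xml, root):
    """Hrefs whose file on disk is missing or no longer matches the metadata."""
    stale = []
    for href, (algo, want) in sorted(recorded_checksums(primary_xml).items()):
        path = Path(root) / href
        if not path.is_file() or file_digest(path, algo) != want:
            stale.append(href)
    return stale

def demo():
    """Constructed data: byte strings stand in for rpm files, not real packages."""
    with tempfile.TemporaryDirectory() as root:
        files = {"a-1.0-1.noarch.rpm": b"SIG:vendor|payload-a",
                 "b-1.0-1.noarch.rpm": b"SIG:vendor|payload-b"}
        entries = []
        for name, data in files.items():
            (Path(root) / name).write_bytes(data)
            entries.append('<package type="rpm"><checksum type="sha256" pkgid="YES">'
                           '%s</checksum><location href="%s"/></package>'
                           % (hashlib.sha256(data).hexdigest(), name))
        xml = ('<metadata xmlns="http://linux.duke.edu/metadata/common">%s</metadata>'
               % "".join(entries))
        # Simulate re-signing b: the signature bytes change, the payload does not.
        (Path(root) / "b-1.0-1.noarch.rpm").write_bytes(b"SIG:local|payload-b")
        return packages_to_repush(xml, root)
```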
