Hello Chen,
> So this means that in order to do GPG check for the clients, I would need to > place the same GPG key on all registered clients on this channel at the same > location? (file:///etc/pki/rpm-gpg/) correct. Practically, this would only be necessary if the keys are not already imported into the rpm database (I import the keys on provisioning and never fill out the GPG key field). > How does Spacewalk verify its integrity when it syncs its repositories for > each channel? How does it ensure that the repo it syncs with have not been > compromised? It doesn't do it. And I don't think it needs to (or you don't want to when mixing packages from different sources). You will latest notice the compromise when installing the package as it would then fail. Best wishes, Stefan Von: "Wenkai Chen" <wenkai_c...@ensigninfosecurity.com> An: "spacewalk-list" <spacewalk-list@redhat.com> Gesendet: Mittwoch, 4. März 2020 09:50:03 Betreff: Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk HI Stefan, Thanks. So this means that in order to do GPG check for the clients, I would need to place the same GPG key on all registered clients on this channel at the same location? (file:///etc/pki/rpm-gpg/) How does Spacewalk verify its integrity when it syncs its repositories for each channel? How does it ensure that the repo it syncs with have not been compromised? Chen Wenkai Infrastructure Security Engineer [ https://www.linkedin.com/company/ensign-infosecurity/ ] [ https://youtu.be/9J7FkhXpb-4 ] [ https://www.facebook.com/EnsignGlobal ] E: wenkai_c...@ensigninfosecurity.com A: 30A Kallang Place, Level 9 Right Wing, Singapore 339213 From: spacewalk-list-boun...@redhat.com <spacewalk-list-boun...@redhat.com> On Behalf Of Stefan Bluhm Sent: Wednesday, 4 March 2020 2:43 PM To: spacewalk-list <spacewalk-list@redhat.com> Subject: Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk EXTERNAL: Caution this email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hello Chen, the field GPG key on the channel setup is information for the package installer on the CLIENT. It tells the package installer on the client where to find the GPG key for these packages. You have to enter it from the client point of view (in the same format the client would use it). So no URL. It must be a client local file location. Best wishes, Stefan Von: "Wenkai Chen" < [ mailto:wenkai_c...@ensigninfosecurity.com | wenkai_c...@ensigninfosecurity.com ] > An: "spacewalk-list" < [ mailto:spacewalk-list@redhat.com | spacewalk-list@redhat.com ] > Gesendet: Mittwoch, 4. März 2020 04:19:56 Betreff: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk HI Spacewalk users, Sorry just would like to confirm. When we enter GPG key into a channel on Spacewalk, does it mean that whenever we do a repo-sync, it does a gpg-check on all the packages downloaded and synced? If there is no GPG key entered for a channel in Spacewalk, will there be a gpg-check? If clients are registered to this channel on Spacewalk, will there be a gpg-check? Thank you. Chen Wenkai Infrastructure Security Engineer [ https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fensign-infosecurity%2F&data=02%7C01%7Cwenkai_chen%40ensigninfosecurity.com%7Cbec92e4d7f924ce0609a08d7c0077ac5%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637189010679631245&sdata=gwUYQPIcYMJ0jgab4J585p5TEBny9%2BwdY2eJeD4N3iY%3D&reserved=0 ] [ https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fyoutu.be%2F9J7FkhXpb-4&data=02%7C01%7Cwenkai_chen%40ensigninfosecurity.com%7Cbec92e4d7f924ce0609a08d7c0077ac5%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637189010679641236&sdata=Z%2BRMDHv5ifakyKT2oJoatuw4btwFNg4GEvAJ%2BzBmA%2B8%3D&reserved=0 ] [ https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FEnsignGlobal&data=02%7C01%7Cwenkai_chen%40ensigninfosecurity.com%7Cbec92e4d7f924ce0609a08d7c0077ac5%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637189010679641236&sdata=ldesps5s%2F2ASMZBP5Esel2ZUuziRX%2FQm4iCYoST2tjk%3D&reserved=0 ] E: [ mailto:wenkai_c...@ensigninfosecurity.com | wenkai_c...@ensigninfosecurity.com ] A: 30A Kallang Place, Level 9 Right Wing, Singapore 339213 CONFIDENTIALITY NOTICE: “This email is confidential and may also be privileged. If this email has been sent to you in error, please delete it immediately and notify us. Please do not copy, distribute or disseminate part or whole of this email if you are not the intended recipient or if you have not been authorized to do so. We reserve the right, to the extent and under circumstances permitted by applicable laws, to monitor, retain, intercept and block email messages to and from our systems. Thank you.” _______________________________________________ Spacewalk-list mailing list [ mailto:Spacewalk-list@redhat.com | Spacewalk-list@redhat.com ] [ https://www.redhat.com/mailman/listinfo/spacewalk-list | https://www.redhat.com/mailman/listinfo/spacewalk-list ] _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com https://www.redhat.com/mailman/listinfo/spacewalk-list
_______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com https://www.redhat.com/mailman/listinfo/spacewalk-list