Hi Stefan,
If the GPG check is done on the client side for the Spacewalk channel, does
this mean that for each package downloaded from Spacewalk onto the Client, it
is being signed by CentOS and that the client will use the GPG public key on
its local file location to verify its integrity?
> It doesn't do it. And I don't think it needs to (or you don't want to when
> mixing packages from different sources). You will notice the compromise at the
> latest when installing the package, as it would then fail.
* What if GPG check is not enforced? What if the repo URL gets compromised?
Chen Wenkai
Infrastructure Security Engineer
<https://www.linkedin.com/company/ensign-infosecurity/>
<https://youtu.be/9J7FkhXpb-4>
<https://www.facebook.com/EnsignGlobal>
E: [email protected]
A: 30A Kallang Place, Level 9 Right Wing, Singapore 339213
From: [email protected] <[email protected]> On
Behalf Of Stefan Bluhm
Sent: Wednesday, 4 March 2020 4:59 PM
To: spacewalk-list <[email protected]>
Subject: Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk
EXTERNAL: Caution this email originated from outside of the organization. Do
not click links or open attachments unless you recognize the sender and know
the content is safe.
Hello Chen,
> So this means that in order to do GPG check for the clients, I would need to
> place the same GPG key on all registered clients on this channel at the same
> location? (file:///etc/pki/rpm-gpg/)
Correct. Practically, this would only be necessary if the keys are not already
imported into the rpm database (I import the keys on provisioning and never
fill out the GPG key field).
> How does Spacewalk verify its integrity when it syncs its repositories for
> each channel? How does it ensure that the repo it syncs with has not been
> compromised?
It doesn't do it. And I don't think it needs to (or you don't want to when
mixing packages from different sources). You will notice the compromise at the
latest when installing the package, as it would then fail.
Best wishes,
Stefan
________________________________
From: "Wenkai Chen" <[email protected]>
To: "spacewalk-list" <[email protected]>
Sent: Wednesday, 4 March 2020 09:50:03
Subject: Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk
Hi Stefan,
Thanks.
So this means that in order to do GPG check for the clients, I would need to
place the same GPG key on all registered clients on this channel at the same
location? (file:///etc/pki/rpm-gpg/)
How does Spacewalk verify its integrity when it syncs its repositories for each
channel? How does it ensure that the repo it syncs with has not been
compromised?
From: [email protected] <[email protected]> On Behalf Of Stefan Bluhm
Sent: Wednesday, 4 March 2020 2:43 PM
To: spacewalk-list <[email protected]>
Subject: Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk
Hello Chen,
The GPG key field on the channel setup is information for the package installer
on the CLIENT.
It tells the package installer on the client where to find the GPG key for
these packages. You have to enter it from the client's point of view (in the same
format the client would use it). So no URL. It must be a client-local file
location.
Best wishes,
Stefan
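As an added example (not from this thread or from the Spacewalk project), a bash audit of yum-style repo definitions that applies Stefan's two points above: gpgcheck must be on for the client to verify anything, and a gpgkey is only acceptable as a client-local file:// path, while a missing gpgkey is tolerated because keys already imported into the rpm database still serve verification. Section names, key paths and the host name are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit repo definitions the way the thread
# describes the CLIENT-side check: gpgcheck=1 in every [section], and any gpgkey
# given as a client-local file:// path, since the channel GPG key field is read from
# the client's point of view. Section names and paths below are constructed samples.

# judge_section <name> <gpgcheck> <gpgkey>: prints a verdict, returns 0 if acceptable.
judge_section() {
    local name="$1" gpgcheck="$2" gpgkey="$3"
    if [ "$gpgcheck" != "1" ]; then
        echo "$name FAIL: gpgcheck is '${gpgcheck:-unset}', package signatures are not verified"; return 1
    fi
    case "$gpgkey" in
        "")        echo "$name OK (no gpgkey: relies on keys already imported into the rpm database)" ;;
        file:///*) [ -r "${gpgkey#file://}" ] || echo "$name WARN: ${gpgkey#file://} is missing on this host"
                   echo "$name OK" ;;
        *)         echo "$name FAIL: gpgkey '$gpgkey' is not a client-local file:// location"; return 1 ;;
    esac
}

# audit_repo_file <path>: judges every [section] in a yum-style file; 0 only if all pass.
audit_repo_file() {
    local file="$1" line key val section="" gpgcheck="" gpgkey="" rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"; line="${line%"${line##*[![:space:]]}"}"   # drop comments, trailing blanks
        case "$line" in
            "") ;;
            \[*\]) [ -z "$section" ] || judge_section "$section" "$gpgcheck" "$gpgkey" || rc=1
                   section="${line#[}"; section="${section%]}"; gpgcheck=""; gpgkey="" ;;
            *=*)   key="${line%%=*}"; val="${line#*=}"; key="${key// /}"; val="${val# }"
                   case "$key" in gpgcheck) gpgcheck="$val" ;; gpgkey) gpgkey="$val" ;; esac ;;
        esac
    done < "$file"
    [ -z "$section" ] || judge_section "$section" "$gpgcheck" "$gpgkey" || rc=1
    return "$rc"
}

# Constructed sample definitions: one that passes, one with the two failure modes.
GOOD_REPO=$(mktemp); BAD_REPO=$(mktemp)
printf '%s\n' '[spacewalk-centos7-base]' 'gpgcheck=1' \
    'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7' > "$GOOD_REPO"
printf '%s\n' '[spacewalk-centos7-nocheck]' 'gpgcheck=0' \
    '[spacewalk-centos7-remotekey]' 'gpgcheck = 1' \
    'gpgkey=https://spacewalk.example.internal/pub/RPM-GPG-KEY-CentOS-7' > "$BAD_REPO"

audit_repo_file "$GOOD_REPO"
audit_repo_file "$BAD_REPO" || echo "at least one channel needs attention"
```

The WARN line only reports that the key file is absent on the auditing host; it does not change the verdict, because the rpm database may already hold the key.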
________________________________
From: "Wenkai Chen" <[email protected]>
To: "spacewalk-list" <[email protected]>
Sent: Wednesday, 4 March 2020 04:19:56
Subject: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk
Hi Spacewalk users,
Sorry, I just would like to confirm.
When we enter GPG key into a channel on Spacewalk, does it mean that whenever
we do a repo-sync, it does a gpg-check on all the packages downloaded and
synced?
If there is no GPG key entered for a channel in Spacewalk, will there be a
gpg-check?
If clients are registered to this channel on Spacewalk, will there be a
gpg-check?
Thank you.
________________________________
CONFIDENTIALITY NOTICE: “This email is confidential and may also be privileged.
If this email has been sent to you in error, please delete it immediately and
notify us. Please do not copy, distribute or disseminate part or whole of this
email if you are not the intended recipient or if you have not been authorized
to do so. We reserve the right, to the extent and under circumstances permitted
by applicable laws, to monitor, retain, intercept and block email messages to
and from our systems. Thank you.”
_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list