Bug 1198723
| Field | Value |
|---|---|
| Summary | [RFE] GPG support for Debian packages /repos |
| Product | [Community] Spacewalk |
| Component | Server |
| Version | 2.2 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | schuler.philipp |
| Assignee | Tomáš Kašpárek <tkasparek> |
| QA Contact | Red Hat Satellite QA List <satqe-list> |
| CC | bzed, Paul-Andre.Panon, robert.paschedag, tkasparek |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2019-01-15 07:59:24 UTC |
| Bug Blocks | 737830, 1653216 |

Description
schuler.philipp
2015-03-04 17:13:57 UTC
Created attachment 999611 [details]
apt-transport-spacewalk patch for signed repos
Created attachment 999612 [details]
apt-transport-spacewalk patch for signed repos
Created attachment 999613 [details]
spacewalk-server patch for signed repos
I have got it working with some patches to package apt-transport-spacewalk for the client side and a small patch to backend/server/rhnRepository.py for the server side. Diffs are attached.

This changes the way the sources.list is laid out, from

    deb spacewalk://spacewalk.xxx.lan channels: main precise-spacewalk-client precise-security precise-updates

which is wrong and doesn't follow the Debian repo format, to

    deb spacewalk://spacewalk.xxx.lan precise repodata
    deb spacewalk://spacewalk.xxx.lan precise-spacewalk-client repodata
    deb spacewalk://spacewalk.xxx.lan precise-security repodata
    deb spacewalk://spacewalk.xxx.lan precise-updates repodata

What's left to do is to add the generation of the Release and Release.gpg files to DebRepositoryWriter.java. I have a small bash script for that as cron now. See attachment.

Created attachment 999617 [details]
script for generating metafiles for repo signing
Some more info on how to put this together:
http://www.devops-blog.net/spacewalk/gpg-signing-apt-repository-in-spacewalk

Created attachment 1301897 [details]
spacewalk-server patch for signed repos
Updated to work with Spacewalk backend 2.6.78
Created attachment 1301909 [details]
apt-transport-spacewalk patch for signed repos
Updates two files, pre_invoke.py and spacewalk in current Debian/Ubuntu Spacewalk client.
Created attachment 1301915 [details]
script for generating metafiles for repo signing
Added command to generate InRelease file used by Debian and Ubuntu 16.04+ apt-get client
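
The metafile generation and signing discussed in this report, as an added example that is not the attached script or any Spacewalk code: it writes a Release file, signs it as Release.gpg and InRelease, and re-checks the listed hashes. The directory, suite name, index file list, key id and keyring path are assumptions.

```bash
#!/bin/bash
# Added example, not the attached script. The directory, suite name, index
# file list, key id and keyring path are assumptions for illustration.

# Write $dir/Release with size and SHA256 of each index file (paths relative to $dir).
write_release() {
    local dir="$1" suite="$2" f
    shift 2
    (
        cd "$dir" || exit 1
        printf 'Suite: %s\n' "$suite"
        printf 'Date: %s\n' "$(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        printf 'SHA256:\n'
        for f in "$@"; do
            [ -f "$f" ] || exit 1    # refuse to publish a partial index list
            printf ' %s %16d %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(wc -c < "$f")" "$f"
        done
    ) > "$dir/Release.tmp" && mv "$dir/Release.tmp" "$dir/Release"
}

# Detached armored signature (Release.gpg) and clearsigned copy (InRelease).
sign_release() {
    local dir="$1" key="$2"
    gpg --batch --yes --local-user "$key" --armor --detach-sign \
        --output "$dir/Release.gpg" "$dir/Release" &&
    gpg --batch --yes --local-user "$key" --clearsign \
        --output "$dir/InRelease" "$dir/Release"
}

# Re-hash every file listed under SHA256: and fail on any mismatch.
check_hashes() {
    local dir="$1"
    awk '/^SHA256:/ {s=1; next} /^[^ ]/ {s=0} s {print $1 "  " $3}' "$dir/Release" |
        (cd "$dir" && sha256sum -c - > /dev/null 2>&1)
}

# What a client-side check amounts to: signature first, then the hashes it covers.
verify_release() {
    local dir="$1" keyring="$2"
    gpgv --keyring "$keyring" "$dir/Release.gpg" "$dir/Release" && check_hashes "$dir"
}
```
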
Uploaded updated patches for Spacewalk 2.6 and Ubuntu 16.04

spacewalk.git(master): b3dd522b157449be85640625f363b25b0861503e

I messed up in the spacewalk-server patch update. I saw an error and tried to fix it but didn't do it right. The default content-type is application-gzip. modules.yaml isn't a gzip file, and neither are the Release files. To set content-types correctly the code block should look like

@@ -237,17 +235,13 @@ if file_name in ["repomd.xml", "comps.xml"]: content_type = "text/xml" + elif file_name in ["InRelease", "Release", "Release.gpg"]: + content_type = "text/plain" + elif file_name in ["modules.yaml"]: + content_type = "application/x-yaml" elif file_name not in ["primary.xml.gz", "other.xml.gz", "filelists.xml.gz", "updateinfo.xml.gz", "Packages.gz"]: log_debug(2, "Unknown repomd file requested: %s" % file_name) raise rhnFault(6)

Although maybe "Release.gpg" should have "application/pgp-signature" as content-type

Um, make that application/gpg-signature

Move Spacewalk 2.9 bugs ON_QA.

Spacewalk 2.9 has been released.
https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes29
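
Review bot: In the added `elif file_name in ["InRelease", "Release", "Release.gpg"]` branch, Release.gpg is served as text/plain together with the two text files, although a detached OpenPGP signature has its own registered media type, application/pgp-signature (RFC 3156); giving Release.gpg a separate branch with that type would be cleaner. The one-element membership test `file_name in ["modules.yaml"]` reads more plainly as `file_name == "modules.yaml"`. A short comment above the new branches, noting that these names are accepted only because they are matched before the final `not in [...]` check that raises rhnFault(6), would document why the order of the branches matters.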