Description of problem: repomd should generate Release and Release.gpg files for Debian repos in here, after https://github.com/spacewalkproject/spacewalk/blob/master/java/code/src/com/redhat/rhn/taskomatic/task/repomd/DebRepositoryWriter.java#L90

That way the packages can be authenticated by APT. It's quite simple. Would do it myself but don't know how to build the Spacewalk project :/

Reference: https://wiki.debian.org/SecureApt#Secure_apt_groundwork:_checksums
Created attachment 999611: apt-transport-spacewalk patch for signed repos
Created attachment 999612: apt-transport-spacewalk patch for signed repos
Created attachment 999613: spacewalk-server patch for signed repos
I have got it working with some patches to package apt-transport-spacewalk for the client side and a small patch to backend/server/rhnRepository.py for server side. Diffs are attached.

This changes the way the sources.list is laid out, from

    deb spacewalk://spacewalk.xxx.lan channels: main precise-spacewalk-client precise-security precise-updates

which is wrong and doesn't follow the Debian repo format, to

    deb spacewalk://spacewalk.xxx.lan precise repodata
    deb spacewalk://spacewalk.xxx.lan precise-spacewalk-client repodata
    deb spacewalk://spacewalk.xxx.lan precise-security repodata
    deb spacewalk://spacewalk.xxx.lan precise-updates repodata

What's left to do is add the generation of the Release and Release.gpg file to DebRepositoryWriter.java. I have a small bash script for that as cron now. See attachment.
Created attachment 999617: script for generating metafiles for repo signing
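What the metafile generation discussed in this thread has to produce, as an added example (not the attached script and not Spacewalk code): a Release file carrying the size and SHA256 of each index file, plus the check a client makes against it. The `repodata/binary-amd64` layout, the sample package entry and the function names are assumptions; signing the resulting text with GPG (detached as Release.gpg, clear-signed as InRelease) is a separate step not shown.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def build_release(dist_dir, suite):
    """Return Release text with the SHA256 and size of every index file under dist_dir."""
    entries = []
    for path in sorted(Path(dist_dir).rglob("*")):
        # The metafiles never list themselves.
        if path.is_file() and path.name not in ("Release", "Release.gpg", "InRelease"):
            data = path.read_bytes()
            rel = path.relative_to(dist_dir).as_posix()
            entries.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {rel}")
    date = time.strftime("%a, %d %b %Y %H:%M:%S UTC", time.gmtime())
    head = [f"Suite: {suite}", f"Codename: {suite}", f"Date: {date}", "SHA256:"]
    return "\n".join(head + entries) + "\n"

def verify_release(release_text, dist_dir):
    """Return listed paths that are missing or whose size/SHA256 no longer matches."""
    bad, in_sha256 = [], False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"   # a new field starts or ends the section
        elif in_sha256:
            digest, size, rel = line.split(None, 2)
            target = Path(dist_dir, rel)
            data = target.read_bytes() if target.is_file() else None
            if data is None or len(data) != int(size) or hashlib.sha256(data).hexdigest() != digest:
                bad.append(rel)
    return bad

def demo():
    """Constructed one-index repo: verify, then change the index after Release exists."""
    with tempfile.TemporaryDirectory() as dist:
        index = Path(dist, "repodata", "binary-amd64", "Packages")
        index.parent.mkdir(parents=True)
        # Constructed sample entry, not a real package.
        index.write_text("Package: example\nVersion: 1.0\nSHA256: " + "0" * 64 + "\n")
        release = build_release(dist, "precise")
        clean = verify_release(release, dist)
        index.write_text(index.read_text() + "\n")  # index modified after Release was written
        return release, clean, verify_release(release, dist)

if __name__ == "__main__":
    print(demo()[0])
```

The checksum chain only authenticates packages once the Release text itself is covered by a signature the client trusts; without that, anyone who can change an index can also regenerate Release.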
Some more info on how to put this together http://www.devops-blog.net/spacewalk/gpg-signing-apt-repository-in-spacewalk
Created attachment 1301897: spacewalk-server patch for signed repos
Updated to work with Spacewalk backend 2.6.78

Created attachment 1301909: apt-transport-spacewalk patch for signed repos
Updates two files, pre_invoke.py and spacewalk in current Debian/Ubuntu Spacewalk client.

Created attachment 1301915: script for generating metafiles for repo signing
Added command to generate InRelease file used by Debian and Ubuntu 16.04+ apt-get client
Uploaded updated patches for Spacewalk 2.6 and Ubuntu 16.04
spacewalk.git(master): b3dd522b157449be85640625f363b25b0861503e
I messed up in the spacewalk-server patch update. I saw an error and tried to fix it but didn't do it right. The default content-type is application-gzip. modules.yaml isn't a gzip file, and neither are the Release files. To set content-types correctly the code block should look like @@ -237,17 +235,13 @@ if file_name in ["repomd.xml", "comps.xml"]: content_type = "text/xml" + elif file_name in ["InRelease", "Release", "Release.gpg"]: + content_type = "text/plain" + elif file_name in ["modules.yaml"]: + content_type = "application/x-yaml" elif file_name not in ["primary.xml.gz", "other.xml.gz", "filelists.xml.gz", "updateinfo.xml.gz", "Packages.gz"]: log_debug(2, "Unknown repomd file requested: %s" % file_name) raise rhnFault(6)
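Review bot: In the added `elif file_name in ["InRelease", "Release", "Release.gpg"]` branch, Release.gpg gets text/plain together with the two text metafiles; if the detached signature is meant to carry its own type, give it a separate branch (the registered media type for a detached OpenPGP signature is application/pgp-signature, RFC 3156). The single-element test `file_name in ["modules.yaml"]` reads more clearly as `file_name == "modules.yaml"`. The hunk header `@@ -237,17 +235,13 @@` says the block shrinks by four lines while the visible body only adds four, so regenerate the diff from the working tree rather than hand-editing it, otherwise it will not apply.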
Although maybe "Release.gpg" should have "application/pgp-signature" as content-type
Um, make that application/gpg-signature
Move Spacewalk 2.9 bugs ON_QA.
Spacewalk 2.9 has been released. https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes29