Bug 1227617 - RFE: Automatic deployment of Package/Channel Signing Keys
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Lestach
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: spacewalk-rfe
 
Reported: 2015-06-03 07:02 UTC by Jonathan Hoser
Modified: 2020-02-28 13:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-28 13:09:15 UTC
Embargoed:



Description Jonathan Hoser 2015-06-03 07:02:53 UTC
Description of problem:

Every time we add a new Channel, we may (or may not) add 'Security: GPG' information on the channel's signing key;

However these keys/values are not used afaik (I'd be pleased to be proven wrong).

When deploying/adding a new software channel to a system,
we still need to more or less manually deploy the signing key via 

rpm --import ./somekey

because otherwise yum/... will complain about the unknown key.

Now to the RFC:
IF we already have all the information (the 'Security: GPG' section),
why can't we automatically import a thus given key on a system where the 
software channel is added?

Comment 1 Michael Mráka 2020-02-28 13:09:15 UTC
The GPG key value is actually used by yum/dnf on the client to import the key.

However, the yum/dnf spacewalk plugin only allows importing keys from the local /etc/pki/rpm-gpg/.
This is for security reasons: if you'd download both packages and a key from the (same) remote site, then verification would be useless, as an attacker could forge both the packages and the key.
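
The restriction described in Comment 1, sketched as an added example (it is not part of the original comment and not the Spacewalk plugin's own code): a channel's GPG key URL is accepted only if it is a local `file://` URL that resolves inside /etc/pki/rpm-gpg/. The helper names, channel labels and URLs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Directory named in Comment 1 as the only allowed key location.
TRUSTED_KEY_DIR = "/etc/pki/rpm-gpg"


def is_trusted_gpgkey_url(url, trusted_dir=TRUSTED_KEY_DIR):
    """Return True only for file:// URLs that resolve inside trusted_dir.

    Hypothetical helper for illustration; not the Spacewalk plugin's code.
    The check is lexical and does not follow symlinks on disk.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "file":
        return False  # remote key: same origin as the packages it would vouch for
    if parts.netloc not in ("", "localhost"):
        return False  # file://host/... points at another machine
    if parts.query or parts.fragment:
        return False
    path = unquote(parts.path)  # decode %2e%2e before normalizing
    if "\x00" in path or not path.startswith("/"):
        return False
    # Collapse "." and ".." so traversal cannot escape the directory.
    normalized = posixpath.normpath(path)
    prefix = trusted_dir.rstrip("/") + "/"
    return normalized.startswith(prefix)


def audit_channel_keys(channels):
    """Map channel label -> list of gpgkey URLs that would be refused."""
    rejected = {}
    for label, urls in channels.items():
        bad = [u for u in urls if not is_trusted_gpgkey_url(u)]
        if bad:
            rejected[label] = bad
    return rejected


# Constructed sample data: channel labels and key URLs are made up.
SAMPLE_CHANNELS = {
    "base-x86_64": ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example"],
    "tools-x86_64": ["https://mirror.example.com/RPM-GPG-KEY-tools"],
    "custom-x86_64": ["file:///etc/pki/rpm-gpg/../../../tmp/RPM-GPG-KEY-custom",
                      "file:///etc/pki/rpm-gpg-extra/KEY"],
}

if __name__ == "__main__":
    for label, urls in audit_channel_keys(SAMPLE_CHANNELS).items():
        print(label, "->", urls)
```
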

