Red Hat Bugzilla – Bug 837776
RFE: Mechanism to deploy GPG keys for new channels to existing RHEL system rpm databases
Last modified: 2012-07-11 20:00:44 EDT
Description of Problem:
When adding new channels to Satellite, GPG keys for packages associated with these channels are added to the Kickstart GPG/SSL Section. From here these keys are added to the applicable kickstart profiles.
This is OK for NEW systems that are deployed; however, when adding new channels to EXISTING systems (by registering/re-registering EXISTING systems with the relevant activation key) there is no mechanism to also deploy the relevant GPG key to the system rpm database. This means that although the channel might be added to the existing system, the system can't install packages from it (as they are signed with the channel's GPG key).
Currently as a workaround we have to manually deploy the associated GPG key to existing systems that we are adding a new channel to. This is not manageable and there should be a better mechanism to do this.
(And yes, I could script the GPG deployment by manually editing a 'bootstrap.sh' file, but this is hackish, not scalable, and Satellite should already have a mechanism to do this implicitly in the rhn_register process.)
Sadly, I cannot think of a good, sane, and secure process to do this that would not open up potential security holes, where a user who hacks Satellite would then have the ability to install ANY package onto any managed system, versus adding a layer of trust by signing the custom RPMs with a GPG key that you keep secure.
I'm sorry it is not 'easy' to do today, but the solution really is to manually establish the GPG keys on established systems, for trusted GPG keys (or automated/scripted deployments).
As is today, I am going to decline this request.
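The "automated/scripted deployments" mentioned above, as an added example that is not from this bug report or from Satellite itself: an idempotent script that checks whether a channel's signing key is already in the rpm database before importing it, using rpm's convention of recording an imported key as the pseudo-package gpg-pubkey-<low 32 bits of key id>-<creation time in hex>. It assumes rpm and a gpg that prints colon-delimited key information for a key file are present on the target; the key id and timestamp in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Satellite code): deploy a channel GPG key to an existing
# system's rpm database only if it is not already there.

# Compute the name rpm gives an imported key: the last 8 hex digits of the
# long key id, lowercased, followed by the creation time as 8 hex digits.
# Constructed example: key id 0123456789ABCDEF created at 1256212795
# yields gpg-pubkey-89abcdef-4ae0493b.
rpm_pubkey_name() {
    keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    short=$(printf '%s' "$keyid" | tail -c 8)
    created=$(printf '%08x' "$2")
    printf 'gpg-pubkey-%s-%s' "$short" "$created"
}

# Read the key id (field 5) and creation timestamp (field 6) of the first
# public key in an ASCII-armored key file, then import it if rpm does not
# already know it. Assumes gpg's colon output for the given file.
ensure_key_imported() {
    key_file=$1
    line=$(gpg --with-colons --fixed-list-mode "$key_file" 2>/dev/null | grep '^pub:' | head -n 1)
    [ -n "$line" ] || { echo "no public key found in $key_file" >&2; return 1; }
    keyid=$(printf '%s' "$line" | cut -d: -f5)
    created=$(printf '%s' "$line" | cut -d: -f6)
    pkg=$(rpm_pubkey_name "$keyid" "$created")
    if rpm -q "$pkg" >/dev/null 2>&1; then
        echo "already imported: $pkg"
    else
        rpm --import "$key_file" && echo "imported: $pkg"
    fi
}

# Usage on a registered system, e.g. after subscribing it to the new channel:
#   ensure_key_imported /path/to/RPM-GPG-KEY-channel   (path is a placeholder)
# Afterwards `rpm -K some-package.rpm` should report a valid signature.
```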
I am a little confused by the reasoning here, as this functionality already exists for kickstart-deployed systems (Satellite already has a mechanism to store and deploy GPG keys to new systems). How is it any more of a security flaw for that mechanism to be extended to already registered systems (more specifically, systems I want to subscribe to an additional channel)?