Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-04 Thread Stefan Bluhm
Hi Chen,

to clarify a bit more:

> does this mean that for each package downloaded from Spacewalk onto the 
> Client, it is being signed by CentOS

The signing is not happening when you download the file from Spacewalk. The 
signing has happened before it was uploaded to the source repository (i.e. 
signing happens --> uploaded to public repository --> Spacewalk syncs the 
public repository down --> package is pushed to client --> client verifies the 
signature).

Best wishes,

Stefan

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-04 Thread Wenkai Chen
Hi Stefan,

If the GPG check is done on the client side for the Spacewalk channel, does 
this mean that for each package downloaded from Spacewalk onto the Client, it 
is being signed by CentOS and that the client will use the GPG public key on 
its local file location to verify its integrity?


> It doesn't do it. And I don't think it needs to (or you don't want to when 
> mixing packages from different sources). You will latest notice the compromise 
> when installing the package as it would then fail.

* What if GPG check is not enforced? What if the repo URL gets compromised?


Chen Wenkai
Infrastructure Security Engineer


  E:  wenkai_c...@ensigninfosecurity.com
  A:  30A Kallang Place, Level 9 Right Wing, Singapore 339213


Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-04 Thread Michael Mraka
Wenkai Chen:
> HI Stefan,
> 
> If the GPG check is done on the client side for the Spacewalk channel, does 
> this mean that for each package downloaded from Spacewalk onto the Client, it 
> is being signed by CentOS and that the client will use the GPG public key on 
> its local file location to verify its integrity?

Yes, unless you've explicitly disabled gpg checking in yum/dnf.


--
Michael Mráka
System Management Engineering, Red Hat

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-04 Thread Wenkai Chen
Hi Stefan,

Thanks.

So this means that in order to do GPG check for the clients, I would need to 
place the same GPG key on all registered clients on this channel at the same 
location? (file:///etc/pki/rpm-gpg/)

How does Spacewalk verify its integrity when it syncs its repositories for each 
channel? How does it ensure that the repo it syncs with have not been 
compromised?


Chen Wenkai
Infrastructure Security Engineer


  E:  wenkai_c...@ensigninfosecurity.com
  A:  30A Kallang Place, Level 9 Right Wing, Singapore 339213

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-04 Thread Stefan Bluhm
Hello Chen,

> So this means that in order to do GPG check for the clients, I would need to 
> place the same GPG key on all registered clients on this channel at the same 
> location? (file:///etc/pki/rpm-gpg/)

Correct. Practically, this would only be necessary if the keys are not already 
imported into the rpm database (I import the keys on provisioning and never 
fill out the GPG key field).

> How does Spacewalk verify its integrity when it syncs its repositories for 
> each channel? How does it ensure that the repo it syncs with have not been 
> compromised?

It doesn't do it. And I don't think it needs to (or you don't want to when 
mixing packages from different sources). You will at the latest notice the 
compromise when installing the package, as it would then fail.

Best wishes,

Stefan

Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-03 Thread Stefan Bluhm
Hello Chen,

the field GPG key on the channel setup is information for the package installer 
on the CLIENT.

It tells the package installer on the client where to find the GPG key for 
these packages. You have to enter it from the client point of view (in the same 
format the client would use it). So no URL. It must be a client local file 
location.

Best wishes,

Stefan

___ 
Spacewalk-list mailing list 
Spacewalk-list@redhat.com 
https://www.redhat.com/mailman/listinfo/spacewalk-list 
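The thread's answers boil down to a client-side check: the channel's GPG key field is only a pointer for yum/dnf on the client (a client-local file path, not a URL), and verification happens only if gpgcheck has not been disabled there, or if the key is already imported into the rpm database. The following script, added here as an example and not taken from the thread or from the Spacewalk project, audits yum/dnf repo definitions against exactly those two points. The repo names, the `example.invalid` hostnames and the config text are constructed for the demonstration; the script assumes `key=value` lines without spaces around `=`, as yum writes them. The `rpm -q gpg-pubkey` query is a real rpm command and is skipped where rpm is not installed.

```shell
#!/bin/sh
# Added example (not the mailing-list thread's own code): audit yum/dnf repo
# definitions for the client-side GPG verification settings discussed above.
# A repo counts as enforced only if gpgcheck=1 AND gpgkey is a client-local
# file:// path; a URL in gpgkey is flagged, as is a missing or disabled check.
# Assumption: key=value lines without spaces around "=", as yum writes them.

# Constructed sample config; hostnames are placeholders, not real systems.
SAMPLE_REPO_CONFIG='[centos-base-spacewalk]
name=CentOS Base (via Spacewalk)
baseurl=https://spacewalk.example.invalid/XMLRPC/GET-REQ/centos7-base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centos-extras-spacewalk]
name=CentOS Extras (via Spacewalk)
baseurl=https://spacewalk.example.invalid/XMLRPC/GET-REQ/centos7-extras
gpgcheck=0

[thirdparty]
name=Third-party repo
baseurl=https://repo.example.invalid/el7
gpgcheck=1
gpgkey=http://repo.example.invalid/RPM-GPG-KEY'

# audit_repo_config CONFIG_TEXT
# Prints one line per [repo] section: "<repo> OK" or "<repo> WARN <reason>".
audit_repo_config() {
    printf '%s\n' "$1" | awk '
        function flush(    val) {
            if (repo == "") return
            if (gpgcheck != "1") {
                val = gpgcheck
                if (val == "") val = "unset"
                print repo " WARN gpgcheck=" val
            } else if (gpgkey == "") {
                print repo " WARN gpgkey missing"
            } else if (gpgkey !~ /^file:\/\//) {
                print repo " WARN gpgkey not client-local: " gpgkey
            } else {
                print repo " OK"
            }
        }
        { sub(/[ \t]+$/, "") }              # drop trailing whitespace
        /^[#;]/ || /^$/ { next }            # skip comments and blank lines
        /^\[.*\]$/ {                        # a new [repo] section starts
            flush()
            repo = substr($0, 2, length($0) - 2)
            gpgcheck = ""; gpgkey = ""
            next
        }
        /^gpgcheck=/ { sub(/^gpgcheck=/, ""); gpgcheck = $0 }
        /^gpgkey=/   { sub(/^gpgkey=/, "");   gpgkey = $0 }
        END { flush() }
    '
}

# count_weak_repos CONFIG_TEXT -> number of repos flagged WARN
count_weak_repos() {
    audit_repo_config "$1" | grep -c ' WARN ' || true
}

# list_imported_keys: keys already present in the rpm database, which is the
# alternative Stefan describes (import at provisioning, leave the field empty).
# Real rpm query; skipped where rpm is not installed so the script stays portable.
list_imported_keys() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 0; }
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Stand-alone run: audit the constructed sample and report the weak repos.
audit_repo_config "$SAMPLE_REPO_CONFIG"
echo "weak repos: $(count_weak_repos "$SAMPLE_REPO_CONFIG")"
```

On a real client the same functions can be fed `cat /etc/yum.repos.d/*.repo` instead of the constructed text; a repo without gpgcheck=1 or with a non-local key is exactly the case Michael's "unless you've explicitly disabled gpg checking" caveat refers to, since the package would then install unverified no matter what the Spacewalk channel field says.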

[Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-03 Thread Wenkai Chen
Hi Spacewalk users,

Sorry, I just would like to confirm.

When we enter GPG key into a channel on Spacewalk, does it mean that whenever 
we do a repo-sync, it does a gpg-check on all the packages downloaded and 
synced?

If there is no GPG key entered for a channel in Spacewalk, will there be a 
gpg-check?
If clients are registered to this channel on Spacewalk, will there be a 
gpg-check?

Thank you.


Chen Wenkai
Infrastructure Security Engineer


  E:  wenkai_c...@ensigninfosecurity.com
  A:  30A Kallang Place, Level 9 Right Wing, Singapore 339213

CONFIDENTIALITY NOTICE: "This email is confidential and may also be privileged. 
If this email has been sent to you in error, please delete it immediately and 
notify us. Please do not copy, distribute or disseminate part or whole of this 
email if you are not the intended recipient or if you have not been authorized 
to do so. We reserve the right, to the extent and under circumstances permitted 
by applicable laws, to monitor, retain, intercept and block email messages to 
and from our systems. Thank you."

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list