> > Hello,
> > 
> > the attached patch set implements checking of signed metadata before mirroring
> > with spacewalk-repo-sync.
> > This patch adds a checkbox in "Manage Repositories". If this checkbox is
> > checked, spacewalk-repo-sync expects that the repo metadata are signed and
> > tries to verify the signature with an installed gpg key. If a matching gpg key
> > is not found and the new commandline parameter --non-interactive is given,
> > spacewalk-repo-sync aborts with an error.
> > If --non-interactive is not given, spacewalk-repo-sync tries to download the key
> > file from the server, displays the values and asks the user to accept the key.
> > If the user agrees, the key is installed and the signature will be verified.

So it checks whether rpms loaded into spacewalk, i.e.
_application_content_, are signed with the key. In this case IMO the gpg
key should never be imported into the spacewalk server's _OS_ rpm database.
These are two completely separate things; e.g. syncing Fedora 9 into
spacewalk application should not allow F9 packages to be (successfully)
installed & verified on spacewalk server (the OS).
There should be a different gpg database for spacewalk-repo-sync verification.

+    def import_key_to_rpmdb(self, raw, keyid, gpgdir):
+      if not os.path.exists(gpgdir):
+        os.makedirs(gpgdir)
+      tmpfile = os.path.join(gpgdir, keyid)
+      fp = open(tmpfile, 'w')
+      fp.write(raw)
+      fp.close()
+      cmd = ['/bin/rpm', '--import', tmpfile]
+      p = subprocess.Popen(cmd)
+      sts = os.waitpid(p.pid, 0)[1]
+      os.remove(tmpfile)
+      if sts == 0:
+        return True
+      return False
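Review bot: `import_key_to_rpmdb` runs `/bin/rpm --import`, so every key accepted for a synced repository becomes a trusted signer in the host's own rpm database, exactly the OS/application mix-up described above; keep the key in a keyring used only by spacewalk-repo-sync (for example `gpg --homedir <gpgdir> --import` and verify with the same `--homedir`), and name the method accordingly. Two smaller points in the same hunk: `tmpfile` is left behind in `gpgdir` if `Popen` raises, so wrap the import in `try`/`finally`; and `sts = os.waitpid(p.pid, 0)[1]` is the raw wait status rather than the exit code (`p.wait()` returns the return code directly), which only happens to work here because 0 encodes both "no signal" and "exit 0".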

Regards,

--
Michael Mráka
Satellite Engineering, Red Hat
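As an added illustration of the separate-keyring approach argued for above (not code from the patch or from Spacewalk): key import and signature verification bound to a dedicated gpg homedir, with gpg's `--status-fd` output parsed so that a missing key is reported distinctly from a bad signature. The homedir path, the gpg binary path and the key ids used as samples are assumptions.

```python
import os
import subprocess

# Assumed dedicated keyring directory; deliberately not the host rpm database.
REPO_GPG_HOME = "/var/lib/spacewalk/repo-sync-gpg"
GPG_BIN = "/usr/bin/gpg"  # assumed location of the gpg binary


def gpg_cmd(gpgdir, *args):
    """Build a gpg command pinned to the dedicated keyring directory."""
    return [GPG_BIN, "--homedir", gpgdir, "--batch", "--no-tty",
            "--status-fd", "1"] + list(args)


def parse_status(status_text):
    """Reduce gpg --status-fd lines to (verdict, keyid).

    Verdicts: 'bad' (BADSIG), 'missing_key' (NO_PUBKEY), 'good' (GOODSIG),
    or 'unknown' when none of those tags appears. A bad signature always
    wins over the other outcomes.
    """
    tags = {}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]":
            tags.setdefault(fields[1], fields[2])  # tag -> key id
    if "BADSIG" in tags:
        return "bad", tags["BADSIG"]
    if "NO_PUBKEY" in tags:
        return "missing_key", tags["NO_PUBKEY"]
    if "GOODSIG" in tags:
        return "good", tags["GOODSIG"]
    return "unknown", None


def import_repo_key(raw_key, gpgdir=REPO_GPG_HOME):
    """Import an ASCII-armoured key into the dedicated keyring only."""
    if not os.path.isdir(gpgdir):
        os.makedirs(gpgdir, 0o700)
    p = subprocess.Popen(gpg_cmd(gpgdir, "--import"), stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    p.communicate(raw_key)
    return p.returncode == 0


def verify_repomd(repomd_path, sig_path, gpgdir=REPO_GPG_HOME):
    """Verify a detached signature (e.g. repomd.xml.asc) against the keyring."""
    p = subprocess.Popen(gpg_cmd(gpgdir, "--verify", sig_path, repomd_path),
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _ = p.communicate()
    return parse_status(out.decode("utf-8", "replace"))
```

A caller can map `missing_key` to the `--non-interactive` abort-or-prompt behaviour from the original mail while treating `bad` as a hard failure.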

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
