I found it easier/cleaner to place the GPG-KEY files in pub/ and append the 
ORG_GPG_KEY value as needed (see below for syntax) in the bootstrap script(s).  
If you ADD an additional repo, or change the key for any reason, after 
bootstrapping, you will need to import the keys manually.  But this works 
automagically.

 

ORG_GPG_KEY=RPM-GPG-KEY-centosofficial,RPM-GPG-KEY-centostesting,RPM-GPG-KEY-EPEL-8,RPM-GPG-KEY-OSQUERY

 

From: [email protected] <[email protected]> On 
Behalf Of Waldirio Manhães Pinheiro
Sent: Thursday, July 30, 2020 14:23
To: [email protected]
Subject: Re: [Spacewalk-list] GPG keys distribution from Spacewalk

 

Hello Jackson

 

You can proceed as below

 

To obtain all the features from clients, it is necessary to execute some 
routines on the clients after registering in Spacewalk, as follows:

*       GPG keys of custom channel/the 3rd channel. Let’s talk again about the 
item 2.3, where we talked about child channels. They have a signature GPG file 
package - well, as we described, we shared it on the server 
(http://spacewalk.network.biz/pub/GPG/) that would be available to any client 
on the network. Now we will use a routine to import those keys and so we can 
install available packages via Spacewalk.

 

[root@node1 ~]# for b in $(curl http://spacewalk.network.biz/pub/GPG/ | cut -d"=" -f5 | cut -d"\"" -f2 | grep -v -E '(^$|^.*<|^.*/|^.*;.*)'); do cd /etc/pki/rpm-gpg; wget -nc http://spacewalk.network.biz/pub/GPG/$b; rpm --import /etc/pki/rpm-gpg/$b; done 2>/dev/null

 

Take care here! The previous command can be placed at the end of the 
bootstrap.sh file, which is located on the Spacewalk server. Then, every time a 
machine is registered via bootstrap.sh, it will automatically receive the keys 
of all channels.

 

If the installation was performed via Kickstart, the keys are automatically 
imported, so the execution of the previous command is not necessary. To check 
which keys are installed on the registered server, run the next command:

 

[root@node1 ~]# rpm -qa | grep gpg-pubkey
gpg-pubkey-863a853d-4f55f54d
gpg-pubkey-c105b9de-4e0fd3a3
gpg-pubkey-c431416d-3db4c821
gpg-pubkey-0608b895-4bd22942
[root@node1 ~]#

 

 

You can find this trick and much more here [1]

 

Hope this helps.


______________
Best
Waldirio
Skype: waldirio
Site: www.waldirio.com.br <http://www.waldirio.com.br> 

LinkedIn: https://www.linkedin.com/in/waldirio

 

[1]. 
https://www.amazon.com/Spacewalk-Satellite-Project-solution-management-ebook/dp/B071DDQ4W2
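
Both the ORG_GPG_KEY list and the directory-index loop above import whatever key file the pub/ directory serves (the URLs shown in this thread are plain HTTP), so a changed or extra file there becomes a trusted package signer on every client. An added example, not code from the thread or from Spacewalk, that checks each fetched key against a SHA-256 pin before import; the function names and the pins file are assumptions of this example, and the list has the same comma-separated shape as ORG_GPG_KEY.

```shell
#!/bin/sh
# Added example (not from the thread): gate key import on a pinned SHA-256.
# Pins file (an assumption of this example), one line per key, as written by
# `sha256sum RPM-GPG-KEY-*` on a trusted host:
#   <sha256>  <key-file-name>

# Default import action; redefine this function to dry-run.
import_key() { rpm --import "$1"; }

# key_name_ok NAME: succeed only for a bare file name made of safe characters.
key_name_ok() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# key_pinned FILE NAME PINS: succeed if sha256(FILE) equals the pin listed for NAME.
key_pinned() (
    want=$(awk -v n="$2" '$2 == n { print $1; exit }' "$3")
    [ -n "$want" ] || exit 1
    have=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ "$have" = "$want" ]
)

# import_pinned_keys LIST DIR PINS
# LIST is comma-separated (same shape as ORG_GPG_KEY); DIR holds the fetched files.
# Prints each imported name; exit status is 1 if any entry was skipped or failed.
import_pinned_keys() (
    list=$1 dir=$2 pins=$3 rc=0
    IFS=','; set -f          # split on commas only, no glob expansion
    set -- $list
    unset IFS; set +f
    for name in "$@"; do
        if ! key_name_ok "$name"; then
            echo "skip: unsafe name '$name'" >&2; rc=1
        elif ! key_pinned "$dir/$name" "$name" "$pins"; then
            echo "skip: $name is not pinned or its checksum differs" >&2; rc=1
        elif import_key "$dir/$name"; then
            echo "$name"
        else
            rc=1
        fi
    done
    exit "$rc"
)
```

The pins file has to reach the client by a path other than the one that serves the keys (for example, baked into the kickstart or bootstrap script itself), otherwise it adds no assurance.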

 

On Fri, Jul 24, 2020 at 12:47 PM Brian Long <[email protected] 
<mailto:[email protected]> > wrote:

My workflow before using Ansible was typically to download the vendor RPM or 
release RPM that contains the .repo file and GPG key.  I then place every key I 
might ever want on my systems in /var/www/html/pub on my spacewalk server.  I 
then have a kickstart snippet script defined.  The script looks something like 
this:

 

wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 http://$http_server/pub/RPM-GPG-KEY-EPEL-6 && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
if [ "$?" != 0 ]; then
    echo "Failed to import EPEL-6 key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015 http://$http_server/pub/RPM-GPG-KEY-spacewalk-2015 && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2015
if [ "$?" != 0 ]; then
    echo "Failed to import Spacewalk-2015 key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk http://$http_server/pub/RPM-GPG-KEY-splunk && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-splunk
if [ "$?" != 0 ]; then
    echo "Failed to import Splunk key"
fi
wget -qO /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools http://$http_server/pub/RPM-GPG-KEY-vmware-tools && \
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-vmware-tools
if [ "$?" != 0 ]; then
    echo "Failed to import VMware Tools key"
fi

 

I reference this snippet as a Pre and Post script in my kickstart profile.  
This allows me to install some of the vendor RPMs (e.g. splunkforwarder) during 
the initial kickstart and it also lets me install others only when needed.  If 
you only need to install post-kickstart, you do not need to import the keys 
during %pre.

 

/Brian/

 

On Fri, Jul 24, 2020 at 2:17 PM Jackson K. Bonvissuto <[email protected] 
<mailto:[email protected]> > wrote:

Hello all,

 

I am trying to find a solution for populating GPG keys on client systems 
through Spacewalk, so that every time a system subscribes to a new channel 
I do not have to wget the key manually. Are there any systems in Spacewalk to 
auto-distribute the channel's key when a client subscribes to it, or an 
alternate recommended solution?

 

Example of the issue when installing a package from a new channel:


yum install osquery-4.4.0-1.x86_64

Is this ok [y/d/N]: y

#error

Downloading packages:

warning: /var/cache/yum/x86_64/7/osquery-x86_64/packages/osquery-4.4.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b: NOKEY

Retrieving key from file:///etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY

GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/OSQUERY-S3-RPM-REPO-GPGKEY"

Currently solved by manually placing the key in "/etc/pki/rpm-gpg" on the client 
system.

 

Thanks,

Jackson

 

 

 

_______________________________________________
Spacewalk-list mailing list
[email protected] <mailto:[email protected]> 
https://www.redhat.com/mailman/listinfo/spacewalk-list
