Document how to add GPG key for checking signed packages #94

Open
lorin opened this issue Jul 2, 2013 · 2 comments

lorin commented Jul 2, 2013

I have a centos template that looks like this:

<template>
    <name>centos-6.4</name>
    <os>
        <name>CentOS-6</name>
        <version>4</version>
        <arch>x86_64</arch>
        <install type='iso'>
            <iso>file:///data/isos/CentOS-6.4-x86_64-bin-DVD1.iso</iso>
        </install>
    </os>
    <description>CentOS 6.4 x86_64</description>
    <repositories>
        <repository name='epel-6'>
            <url>http://download.fedoraproject.org/pub/epel/6/$basearch</url>
            <signed>yes</signed>
        </repository>
    </repositories>
    <packages>
        <package name="epel-release" />
        <package name="cloud-utils" />
        <package name="cloud-init" />
    </packages>
</template>

Unfortunately, the oz-customize step will fail with the error:

Public key for epel-release-6-8.noarch.rpm is not installed

I could turn the check for package signing off, but I'd prefer to add the appropriate GPG public key into the CentOS image.

However, I have no idea how to do this. It would really help if there was some Oz documentation or example somewhere about how to accomplish this (e.g., by adding an appropriate line to a custom kickstart file).

@clalancette (Owner)

Hm, this is actually a bit of a problem. Oz has the ability to add arbitrary files and run arbitrary commands, so in theory you could upload the GPG key and use rpm --import to import the key. The problem is that these both happen after the packages are installed, so it won't help in your case. I've long had an open feature request for implementing the ability to run file or commands before or after package installation; this provides the impetus. I'll implement it for the next version of Oz.

In the meantime, you can use a custom kickstart to upload the GPG key during installation. I would suggest starting with the kickstart that Oz uses, which will be at /usr/lib/python2.7/site-packages/oz/auto/rhel-6-jeos.ks (or thereabouts, depending on your distro). You can then customize the kickstart to include the GPG key, and then use:

oz-install -d3 -a /path/to/custom.ks /path/to/rhel6.tdl

to use it. And you are right; I should write up examples about how to use custom files, commands, and kickstarts. I'll do that for the oz-examples man page as well. Let me know if this works out for you.


lorin commented Jul 7, 2013

I won't have a chance to try this out in the near future, but I am pretty confident that using a custom kickstart will provide a suitable workaround by adding something like:

repo --name=epel --baseurl=http://mirrors.kernel.org/fedora-epel/6/x86_64

For example, from https://github.com/jtopjian/image-recipes/blob/master/centos-6-x86_64.ks
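The two workarounds in this thread (a kickstart `repo` line so anaconda installs from EPEL, and a `%post` step that imports the repository's GPG key so the later yum-driven oz-customize step can verify signatures instead of having gpgcheck turned off) can be generated from the TDL itself. The script below is an added example, not Oz's own code: it reads the `<repositories>` block of a TDL like the one in the first comment and emits a kickstart fragment. TDL repositories do not carry a key location, so the key URL and expected fingerprint are supplied by the caller in `KEYS`; both values are placeholders here, and the fingerprint check assumes `gpg --with-fingerprint` prints the fingerprint in its output (true for the gpg 1.x/2.0 series shipped with CentOS 6). The second, unsigned repository in the sample is constructed to show the weak setting (`gpgcheck=0`) written out explicitly next to the hardened one.

```python
"""Build a kickstart fragment from an Oz TDL's <repositories> block.

Added example, not Oz's own code. Assumes the caller supplies, per signed
repository, a key URL and expected fingerprint (placeholders below).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the EPEL repository from the issue plus a made-up
# unsigned repository, so both branches of the generator are exercised.
SAMPLE_TDL = """<template>
  <name>centos-6.4</name>
  <repositories>
    <repository name='epel-6'>
      <url>http://download.fedoraproject.org/pub/epel/6/$basearch</url>
      <signed>yes</signed>
    </repository>
    <repository name='local-unsigned'>
      <url>http://mirror.example.internal/extras/$basearch</url>
      <signed>no</signed>
    </repository>
  </repositories>
</template>"""

# Assumed, caller-supplied key locations. Both values are placeholders;
# fill them from the repository's published key and fingerprint.
KEYS = {
    "epel-6": {
        "url": "https://KEY-URL-PLACEHOLDER/RPM-GPG-KEY-EPEL-6",
        "fingerprint": "FINGERPRINT-PLACEHOLDER",
    },
}


def repositories(tdl_xml):
    """Return [(name, url, signed)] for every <repository> in the TDL."""
    root = ET.fromstring(tdl_xml)
    result = []
    for repo in root.iter("repository"):
        name = repo.get("name")
        url = repo.findtext("url", "").strip()
        signed = repo.findtext("signed", "no").strip().lower() == "yes"
        result.append((name, url, signed))
    return result


def yum_repo_file(name, url, signed, keyfile=None):
    """Render a yum .repo stanza: signed repos get gpgcheck=1 plus gpgkey,
    unsigned ones get gpgcheck=0 so the weak setting is explicit."""
    lines = [f"[{name}]", f"name={name}", f"baseurl={url}", "enabled=1"]
    if signed:
        if keyfile is None:
            raise ValueError(f"repository {name} is signed but has no key")
        lines += ["gpgcheck=1", f"gpgkey=file://{keyfile}"]
    else:
        lines.append("gpgcheck=0")
    return "\n".join(lines) + "\n"


def kickstart_fragment(tdl_xml, keys):
    """Emit `repo` lines for anaconda, then a %post that fetches, checks and
    imports each signed repo's key and writes its .repo file, so yum runs
    after installation (e.g. oz-customize) verify package signatures."""
    repos = repositories(tdl_xml)
    out = [f"repo --name={name} --baseurl={url}" for name, url, _ in repos]
    out.append("%post")
    for name, url, signed in repos:
        keyfile = None
        if signed:
            key = keys.get(name)
            if key is None:
                raise ValueError(f"no key configured for signed repo {name}")
            keyfile = f"/etc/pki/rpm-gpg/RPM-GPG-KEY-{name}"
            out += [
                f"curl -fsSL -o {keyfile} {key['url']}",
                # Refuse to trust a key whose fingerprint is not the expected one.
                f"gpg --with-fingerprint {keyfile} | grep -q '{key['fingerprint']}' || exit 1",
                f"rpm --import {keyfile}",
            ]
        stanza = yum_repo_file(name, url, signed, keyfile)
        # Quoted heredoc keeps $basearch literal for yum to expand later.
        out.append(f"cat > /etc/yum.repos.d/{name}.repo <<'EOF'\n{stanza}EOF")
    out.append("%end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(kickstart_fragment(SAMPLE_TDL, KEYS))
```

Paste the printed fragment into the copy of the Oz kickstart you pass with `oz-install -a`; the `repo` lines go in the command section and the `%post` block after `%packages`. Because the key is imported into the rpm database inside the image, packages pulled later by oz-customize pass the signature check without disabling it.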
