Adding signatures to package resources


Richard

Mar 14, 2008, 4:55:13 PM
to Puppet Users
I am running my own Debian repository and would like to sign my
packages and install them via Puppet. My problem is that when Puppet
tries to install my packages apt-get/aptitude throws an error about
the 'Untrusted package' I'm trying to install.

I could remedy this situation by running "apt-key <myfile>" on my
clients but I think it would be better if the package type was able to
handle this implicitly. Should I open an enhancement ticket for this?
Does anyone else think this is a valid thing for package to do?

In the meantime, does anyone have any good ideas on how to accomplish
this non-idempotent task? I tried to use a File to overwrite the
existing file on the client but it's not working too well, and I'm not
sure that's really the best way to proceed.

Thanx!
Richard

Mike Renfro

Mar 14, 2008, 5:32:07 PM
to puppet...@googlegroups.com
On 3/14/2008 3:55 PM, Richard wrote:

> In the meantime, does anyone have any good ideas on how to accomplish
> this non-idempotent task? I tried to use a File to overwrite the
> existing file on the client but it's not working too well, and I'm not
> sure that's really the best way to proceed.

Something like this should work:

>> class cae-ftp-archive {
>>     exec { "install-cae-ftp-key":
>>         command => "/usr/bin/wget -O /root/caeftp_key.asc \
>>                    http://PATH/TO/KEY; \
>>                    /usr/bin/apt-key add /root/caeftp_key.asc",
>>         # 'unless' skips the command once the key is already in the keyring
>>         unless  => "/usr/bin/apt-key list | /bin/grep -q 'Mike Renfro (CAE FTP Archive) <ren...@tntech.edu>'";
>>     }
>> }

Obviously, substitute in your key's URL, and the signer's identity.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University

Russell Adams

Mar 14, 2008, 5:31:07 PM
to puppet...@googlegroups.com
I packaged the key to my repo into the default keyring package, and
install that in my preseed. It works fine.

Then you just manage that package via Puppet.


------------------------------------------------------------------
Russell Adams RLA...@AdamsInfoServ.com

PGP Key ID: 0x1160DCB3 http://www.adamsinfoserv.com/

Fingerprint: 1723 D8CA 4280 1EC9 557F 66E8 1154 E018 1160 DCB3

Richard

Mar 15, 2008, 5:18:05 AM
to Puppet Users
On Mar 14, 5:32 pm, Mike Renfro <ren...@tntech.edu> wrote:
> Something like this should work:
>
> >> class cae-ftp-archive {
> >>     exec { "install-cae-ftp-key":
> >>         command => "/usr/bin/wget -O /root/caeftp_key.asc \
> >>                    http://PATH/TO/KEY;\
> >>                    /usr/bin/apt-key add /root/caeftp_key.asc",
> >>         unless  => "/usr/bin/apt-key list | /bin/grep -q 'Mike Renfro (CAE FTP Archive) <ren...@tntech.edu>'";
> >>     }
> >> }
>
> Obviously, substitute in your key's URL, and the signer's identity.

Another thought occurred to me after I posted this; what about making
two files "addme.key" & "deleteme.key" in the /etc/apt directory.
Then subscribe to those files and any time they change run the exec?
That should do it, right? Thanks for the tip on the unless property.
I don't think I've come across that one yet and I think I could put it
to good use. ;)

Later...
Richard
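Putting Mike's `unless`-guarded exec and Richard's "subscribe to a key file and run the exec when it changes" idea side by side, as an added example that is not code from either post. The key URL, the `puppet:///` module path, the fingerprint and the retired key ID are assumed placeholders and must be replaced with your own values; the guard matches the key's full fingerprint (from `apt-key finger`) rather than the signer's name, so a different key that merely carries the same user ID does not satisfy it, and `&&` instead of `;` keeps a failed download from feeding an empty file to `apt-key add`.

```puppet
# Added example for this thread; not code posted by Mike Renfro or Richard.
# Assumed/placeholder values: $key_url, the module path of the shipped key
# file, $key_fingerprint and $retired_key_id. Replace all of them.
class my_archive_key {

  $key_url         = 'http://repo.example.org/archive-key.asc'            # assumed URL
  $key_fingerprint = '0000 0000 0000 0000 0000  0000 0000 0000 0000 0000'  # placeholder: your key's fingerprint
  $retired_key_id  = '00000000'                                             # placeholder: short ID of a key to drop

  # Variant 1: one-shot import guarded by 'unless' (Mike's approach).
  # The check is on the fingerprint, not the user ID string, and the two
  # commands are chained with '&&' so apt-key only runs after a good download.
  exec { 'install-my-archive-key':
    command => "/usr/bin/wget -q -O /root/my_archive_key.asc ${key_url} && /usr/bin/apt-key add /root/my_archive_key.asc",
    unless  => "/usr/bin/apt-key finger | /bin/grep -q '${key_fingerprint}'",
  }

  # Variant 2: Richard's addme.key idea. The key material is a managed file;
  # the exec is 'refreshonly' and subscribes to it, so apt-key runs only on
  # the run in which the file's content changes (e.g. a key rollover).
  file { '/etc/apt/addme.key':
    source => 'puppet:///modules/my_archive_key/archive-key.asc',  # assumed module path
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  exec { 'apt-key-add-managed':
    command     => '/usr/bin/apt-key add /etc/apt/addme.key',
    refreshonly => true,
    subscribe   => File['/etc/apt/addme.key'],
  }

  # Retiring an old key: 'onlyif' makes this idempotent, since apt-key del
  # runs only while that key is still present in the keyring.
  exec { 'remove-retired-archive-key':
    command => "/usr/bin/apt-key del ${retired_key_id}",
    onlyif  => "/usr/bin/apt-key list | /bin/grep -q '${retired_key_id}'",
  }
}
```

The retired key is identified by its key ID in a variable rather than by a `deleteme.key` file, which keeps the `apt-key del` command free of shell parsing; the same `onlyif`/`unless` pattern is what turns both the add and the delete into idempotent resources.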

Richard

Mar 15, 2008, 5:20:34 AM
to Puppet Users
That sounds good but I'm not sure what default keyring package you're
talking about. Could you give more details? Also, how do you deal
with the possibility of changing keys?

Thanx!
Richard

On Mar 14, 5:31 pm, Russell Adams <RLAd...@AdamsInfoServ.Com> wrote:
> I packaged the key to my repo into the default keyring package, and
> install that in my preseed. It works fine.
>
> Then you just manage that package via Puppet.
>
>
>
> On Fri, Mar 14, 2008 at 01:55:13PM -0700, Richard wrote:
>
> > I am running my own Debian repository and would like to sign my
> > packages and install them via Puppet.  My problem is that when Puppet
> > tries to install my packages apt-get/aptitude throws an error about
> > the 'Untrusted package' I'm trying to install.
>
> > I could remedy this situation by running "apt-key <myfile>" on my
> > clients but I think it would be better if the package type was able to
> > handle this implicitly.  Should I open an enhancement ticket for this?
> > Does anyone else think this is a valid thing for package to do?
>
> > In the meantime, does anyone have any good ideas on how to accomplish
> > this non-idempotent task?  I tried to use a File to overwrite the
> > existing file on the client but it's not working too well, and I'm not
> > sure that's really the best way to proceed.
>
> > Thanx!
> >   Richard
>
> ------------------------------------------------------------------
> Russell Adams                            RLAd...@AdamsInfoServ.com

Russell Adams

Mar 15, 2008, 10:56:50 AM
to puppet...@googlegroups.com
I recreated debian-archive-keyring_2007.07.31~etch1_all.deb and a
matching udeb to allow my preseeded install CD to use my archives.

See

https://help.ubuntu.com/community/InstallCDCustomization?action=show&redirect=InstallCDCustomizationHowTo


On Sat, Mar 15, 2008 at 02:20:34AM -0700, Richard wrote:
>
> That sounds good but I'm not sure what default keyring package you're
> talking about. Could you give more details? Also, how do you deal
> with the possibility of changing keys?
>
> Thanx!
> Richard
>

------------------------------------------------------------------
Russell Adams RLA...@AdamsInfoServ.com
