Thursday, 10 March 2011

Upload custom RPMS to an RHN Satellite server

Packages must be uploaded to your private channel as root and must be digitally signed by
the uploader.

Run
[root@dhcp ~]# mkdir ~/.gnupg
Then
[root@dhcp ~]# gpg --gen-key

Select key type 1, DSA and ElGamal (the default)
Select "does not expire"
For Real Name, enter Satellite Root
For email, enter root@satellite-fqdn
Leave the comment blank
Enter a passphrase for your private key

gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 56E7F807 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Key ID:
pub   1024D/56E7F807 2011-03-14
Fingerprint:
Key fingerprint = 3C68 34CB FFC5 B1F0 227E  B99D 0C7E 0353 56E7 F807
uid                  Satellite Root <root@satellite-fqdn >
sub   2048g/D214DE21 2011-03-14
Write down your key ID and fingerprint for later use.

Export the GPG public key
[root@dhcp ~]# gpg --export --armor key-ID > /tmp/MY-GPG-KEY

Copy that key to the Satellite Server's Apache DocumentRoot's pub directory
[root@dhcp ~]# cp /tmp/MY-GPG-KEY /var/www/html/pub/MY-GPG-KEY

Log into your Satellite server and create a new user named channeladmin. Modify the user account to be a channel administrator. Log out of the web site and log in again as channeladmin. Go to the Channels tab and create a new channel. Make your new channel a child channel of the OS version of your client. For your GPG key URL, use http://satellite-fqdn/pub/MY-GPG-KEY. Enter the GPG key ID and GPG key fingerprint.

To get the fingerprint information
[root@wint-server-73 ~]# gpg --fingerprint
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/56E7F807 2011-03-14
      Key fingerprint = 3C68 34CB FFC5 B1F0 227E  B99D 0C7E 0353 56E7 F807
uid                  Satellite Root <root@wint-server-73.wcm-london.com>
sub   2048g/D214DE21 2011-03-14

Add the following to ~/.rpmmacros
%_signature gpg
%_gpg_name KEYID

To sign the package
[root@dhcp ~]# rpm --resign package-name-1.0-1.noarch.rpm

To make sure the package is signed, use the following command
[root@dhcp ~]# rpm --checksig -v package-name-1.0-1.noarch.rpm

Upload your RPM
[root@dhcp ~]# rhnpush -c 'Channel Name' --server localhost package-name-1.0-1.noarch.rpm

Subscribe your client to the private channel:

Using the URL listed by the RHN child channel, download the public key to your client system and then import it
[root@dhcp ~]# rpm --import MY-GPG-KEY
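
An added example, not part of the original post: `rpm --checksig` also reports OK for an unsigned package whose digests are intact, so a check before `rhnpush` should look at the signature lines themselves. The helper name `check_rpm_sig` is hypothetical, and the sample outputs are constructed, modelled on the verbose output of older rpm releases.

```shell
#!/bin/sh
# check_rpm_sig is a hypothetical helper, not part of rpm or the Satellite tools.
# Usage: rpm --checksig -v package-name-1.0-1.noarch.rpm | check_rpm_sig 56E7F807

# Returns 0 only if the output on stdin has at least one signature line and
# every signature line is OK and names the expected key ID.
check_rpm_sig() {
    [ -n "$1" ] || return 2
    # gpg prints the key ID in upper case, rpm prints it in lower case
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$expected" '
        { line = tolower($0) }
        line ~ /signature/ && line ~ /key id / {
            seen++
            id = line
            sub(/.*key id /, "", id)      # text after "key id "
            sub(/[^0-9a-f].*/, "", id)    # keep only the leading hex digits
            # compare the tail, so a long key ID still matches a short one
            if (substr(id, length(id) - length(want) + 1) != want) bad++
            ok = 0
            n = split($0, f, /[ ,:]+/)
            for (i = 1; i <= n; i++) if (f[i] == "OK") ok = 1
            if (!ok) bad++                # NOKEY, BAD and similar states
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    '
}

# Constructed sample outputs (digest values replaced by a placeholder).
SIGNED='package-name-1.0-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 56e7f807
    Header SHA1 digest: OK (constructed-digest)
    MD5 digest: OK (constructed-digest)
    V3 DSA signature: OK, key ID 56e7f807'

UNSIGNED='package-name-1.0-1.noarch.rpm:
    Header SHA1 digest: OK (constructed-digest)
    MD5 digest: OK (constructed-digest)'

# Signed, but the public key has not been imported into the rpm keyring.
NOKEY='package-name-1.0-1.noarch.rpm:
    Header V3 DSA signature: NOKEY, key ID 56e7f807
    Header SHA1 digest: OK (constructed-digest)
    MD5 digest: OK (constructed-digest)
    V3 DSA signature: NOKEY, key ID 56e7f807'
```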
