On Wed, Jan 7, 2009 at 10:32 AM, Steffen Winterfeldt
On Wed, 7 Jan 2009, Peter Czanik wrote:
Steffen Winterfeldt wrote:
Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
You are not authorized to access bug #435685.
That's not true. Just tried bugzilla without login and I can read the bug.
I saw it here. It's not very interesting or informative :D
I'm not too keen on putting extra things in the initrd - since we use
an rpm-md package format here internally I wondered if I could just put
driverupdate in that repository somehow and then fix control.xml to
look at our custom repository (just new kernels + tools).
I have a few qualms:
1) in the instructions (Secure Installation Sources) the example
script uses a $keyid variable. Where on earth do I get that keyid
variable? I'm not that familiar with the ins and outs of gpg.
2) createrepo -v does not even look at my driverupdate file in the
root and complains that it is not a package. None of the
inst-source-utils manage to do anything with it either. What is the
CORRECT way to build an rpm-md repository with
a) packages built by us, for our own internal use and for user use
b) a driverupdate that will hopefully be checked by the automated
installation process (i.e. named driverupdate and in a special place
on the repo)?
How does for instance the SuSE updates repository get built, at least
what can you tell us about it that wouldn't compromise some kind of
security policy? :D
I have a bunch of questions about kernels too but it should be for the
openSUSE-kernel mailing list, which I seem to have been magically
unsubscribed from or at least never received a mail after the first
day..? :(
--
Matt Sealey