Can Foreman or Katello automatically sign RPM Packages on upload?

Greetings to all,

Problem:

I have looked through the documentation, along with the output of hammer --help, but I am not seeing a way for us to sign RPM packages automatically on upload to Katello.

It would be cool to use the Hammer CLI, the Katello UI or the Katello API to sign packages when we upload them to a custom, in house repo we use.

Expected outcome:

This would be a nice to have feature if it doesn’t already exist. We understand that the Content Credentials for the GPG keys are used to verify the integrity of the package when a client goes to install them via YUM. Hoping there is a way to use GPG Keys in Content Credentials to sign packages as they are uploaded to Katello.

Foreman and Proxy versions:

Foreman 3.1
Katello 4.3

Distribution and version:

CentOS 7.9

Other relevant data:

Right now we use Koji to create custom RPMs, sign them and then we have a sync job to pull from Koji into Katello. We are looking to replace Koji and integrate the creation of RPMs with a Bamboo job and are hoping to leverage Katello in that pipeline.

Thank you,

Eledor

Hey @eledor

If you upload content credentials, you upload the public GPG key to Foreman. (example: Debian or generic RPM). To sign packages, you’d need the private GPG key. I guess that would lead to a whole set of security concerns.

If you already have an internal pipeline to start the “sync packages to Foreman” job, maybe you can run a “sign packages” job before that?

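Taking up the "run a sign packages job before the sync" suggestion in the reply above, here is an added example of what that step in a CI job (Bamboo or otherwise) could look like. It is not code from this thread and not part of Foreman or Katello. It signs the build output with rpmsign using a key that lives only on the CI agent, then parses the output of `rpm -K` and refuses to hand anything to the Katello sync unless every package carries a GPG signature that verified. The directory, key name and the sample `rpm -K` lines are assumptions and constructed data, not real output. Note that verification on the agent only works once the matching public key has been imported into its rpm database (`rpm --import`), otherwise every package reports NOT OK; this is the same public key you would upload as a Content Credential.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, not Foreman/Katello code): a "sign, then
# gate" step that runs before the Katello sync job.
# Assumptions (not in the original post): RPMs land in a directory passed as $1,
# the signing key is selected by its GPG uid/id passed as $2, and rpmsign, rpm
# and gpg are installed on the CI agent. The private key never leaves the agent.
set -euo pipefail

# Sign every RPM in the directory. %_gpg_name tells rpmsign which key to use.
sign_rpms() {
  local dir="$1" key_id="$2"
  rpmsign --addsign --define "_gpg_name ${key_id}" "${dir}"/*.rpm
}

# Classify one line of `rpm -K` output. Prints one of:
#   signed   - digests and GPG signature verified (rpm 4.11 "pgp ... OK",
#              rpm 4.14+ "digests signatures OK")
#   unsigned - digests verified but no signature present ("sha1 md5 OK",
#              "digests OK")
#   bad      - anything reported NOT OK (tampered, or public key not imported)
classify_checksig_line() {
  local status
  # Drop the "file.rpm: " prefix so a package *named* gpg-something is not
  # mistaken for a signed one.
  status=$(printf '%s' "${1#*: }" | tr '[:upper:]' '[:lower:]')
  case "$status" in
    *"not ok"*)               echo bad ;;
    *signatures*|*pgp*|*gpg*) echo signed ;;
    *)                        echo unsigned ;;
  esac
}

# Read `rpm -K` output on stdin. Returns 1 if any package is unsigned or bad,
# printing a REJECT line per offender so the CI log shows why the sync stopped.
verify_checksig_output() {
  local rc=0 line status
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    status=$(classify_checksig_line "$line")
    if [ "$status" != signed ]; then
      printf 'REJECT (%s): %s\n' "$status" "$line" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Real pipeline use: sign, then only proceed (exit 0) if everything verifies.
# usage: gate_rpms /path/to/build/output "Example Release Key <rel@example.test>"
gate_rpms() {
  local dir="$1" key_id="$2"
  sign_rpms "$dir" "$key_id"
  rpm -K "${dir}"/*.rpm | verify_checksig_output
}

# Constructed sample `rpm -K` output mixing rpm 4.11 and 4.14 formats; not real.
SAMPLE_CHECKSIG='inhouse-tool-1.2-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
inhouse-lib-0.9-3.el7.x86_64.rpm: sha1 md5 OK
inhouse-agent-2.0-1.el8.x86_64.rpm: digests signatures OK
inhouse-cli-1.0-1.el8.x86_64.rpm: digests SIGNATURES NOT OK'

# Demo on the constructed sample: two REJECT lines (one unsigned, one bad) go to
# stderr and the gate fails, so DEMO_RC ends up 1.
DEMO_RC=0
printf '%s\n' "$SAMPLE_CHECKSIG" | verify_checksig_output || DEMO_RC=$?
```

The key point for the Bamboo replacement of Koji is that signing stays in the build pipeline, where the private key is already needed, and Katello only ever sees the public key via Content Credentials; the `rpm -K` gate makes "unsigned package reached the repo" a failed job rather than a client-side install error.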

Hi @maximilian,

Thanks for pinging me back.

Yes, I agree with you on asymmetric encryption.

Was hoping there was some way we could have a private key in Content Credentials and then sign these packages as they came into Katello on Katello itself.

Your suggestion of an alternative method is a good one and we may have to go that route if there isn’t a way to do this in Katello.

Cheers,

Eledor