clalancette / oz

Automated installation for guest images
GNU Lesser General Public License v2.1

Document how to add GPG key for checking signed packages #94

Open lorin opened 11 years ago

lorin commented 11 years ago

I have a centos template that looks like this:

<template>
    <name>centos-6.4</name>
    <os>
        <name>CentOS-6</name>
        <version>4</version>
        <arch>x86_64</arch>
        <install type='iso'>
            <iso>file:///data/isos/CentOS-6.4-x86_64-bin-DVD1.iso</iso>
        </install>
    </os>
    <description>CentOS 6.4 x86_64</description>
    <repositories>
        <repository name='epel-6'>
            <url>http://download.fedoraproject.org/pub/epel/6/$basearch</url>
            <signed>yes</signed>
        </repository>
    </repositories>
    <packages>
        <package name="epel-release" />
        <package name="cloud-utils" />
        <package name="cloud-init" />
    </packages>
</template>

Unfortunately, the oz-customize step will fail with the error:

Public key for epel-release-6-8.noarch.rpm is not installed

I could turn the check for package signing off, but I'd prefer to add the appropriate GPG public key into the CentOS image.

However, I have no idea how to do this. It would really help if there was some Oz documentation or example somewhere about how to accomplish this (e.g., by adding an appropriate line to a custom kickstart file).

clalancette commented 11 years ago

Hm, this is actually a bit of a problem. Oz has the ability to add arbitrary files and run arbitrary commands, so in theory you could upload the GPG key and use rpm --import to import the key. The problem is that these both happen after the packages are installed, so it won't help in your case. I've long had an open feature request for implementing the ability to run file or commands before or after package installation; this provides the impetus. I'll implement it for the next version of Oz.

In the meantime, you can use a custom kickstart to upload the GPG key during installation. I would suggest starting with the kickstart that Oz uses, which will be at /usr/lib/python2.7/site-packages/oz/auto/rhel-6-jeos.ks (or thereabouts, depending on your distro). You can then customize the kickstart to include the GPG key, and then use:

oz-install -d3 -a /path/to/custom.ks /path/to/rhel6.tdl

to use it. And you are right; I should write up examples about how to use custom files, commands, and kickstarts. I'll do that for the oz-examples man page as well. Let me know if this works out for you.

lorin commented 11 years ago

I won't have a chance to try this out in the near future, but I am pretty confident that using a custom kickstart will provide a suitable workaround by adding something like:

repo --name=epel --baseurl=http://mirrors.kernel.org/fedora-epel/6/x86_64

For example, from https://github.com/jtopjian/image-recipes/blob/master/centos-6-x86_64.ks
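As an added example (not Oz's own code and not posted by either participant above), the following Python script turns the TDL from this issue into the kickstart fragment the two comments describe: one `repo` line per repository marked `<signed>yes</signed>`, plus a `%post` section that writes the repository's GPG key into the image, reads its fingerprint back with gpg, compares it to the fingerprint you expect, and only on a match runs `rpm --import`, so the key is in place before oz-customize runs yum. The key text and fingerprint in `SAMPLE_KEYS` are placeholders to be replaced with the values the repository owner publishes; the `local-unsigned` repository, the `mirror.example.invalid` URL and all function names are constructed for the example. It assumes gpg is present in the installed image.

```python
"""Build a kickstart fragment from an Oz TDL so that every repository marked
<signed>yes</signed> has its GPG key imported during installation, before
oz-customize runs yum. Added example, not Oz's own code."""
import xml.etree.ElementTree as ET

# Constructed sample input: the TDL posted in this issue, minus the parts
# that do not matter for repository handling, plus one unsigned repository
# (mirror.example.invalid is a made-up host) to show it gets skipped.
SAMPLE_TDL = """<template>
  <name>centos-6.4</name>
  <os>
    <name>CentOS-6</name>
    <version>4</version>
    <arch>x86_64</arch>
    <install type='iso'>
      <iso>file:///data/isos/CentOS-6.4-x86_64-bin-DVD1.iso</iso>
    </install>
  </os>
  <repositories>
    <repository name='epel-6'>
      <url>http://download.fedoraproject.org/pub/epel/6/$basearch</url>
      <signed>yes</signed>
    </repository>
    <repository name='local-unsigned'>
      <url>http://mirror.example.invalid/local/$basearch</url>
      <signed>no</signed>
    </repository>
  </repositories>
</template>"""

# Placeholder key material: replace with the ASCII-armored key published by
# the repository owner and the fingerprint they publish alongside it.
SAMPLE_KEYS = {
    "epel-6": (
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\nPLACEHOLDER\n"
        "-----END PGP PUBLIC KEY BLOCK-----",
        "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000",
    ),
}


def signed_repositories(tdl_xml):
    """Return [(name, url)] for each <repository> with <signed>yes</signed>.

    $basearch is replaced by the template's <arch>: anaconda's `repo`
    command wants a literal URL, as in the kickstart linked above.
    """
    root = ET.fromstring(tdl_xml)
    arch = (root.findtext("os/arch") or "").strip()
    repos = []
    for repo in root.findall("repositories/repository"):
        if (repo.findtext("signed") or "no").strip().lower() != "yes":
            continue
        url = (repo.findtext("url") or "").strip().replace("$basearch", arch)
        repos.append((repo.get("name"), url))
    return repos


def normalize_fingerprint(fpr):
    """Strip spacing and case so a published fingerprint compares reliably."""
    return "".join(fpr.split()).upper()


def kickstart_fragment(tdl_xml, keys):
    """Emit `repo` lines plus a %post that imports each signed repo's key.

    keys maps repository name -> (armored key text, expected fingerprint).
    The key is written to /etc/pki/rpm-gpg, its fingerprint is read back with
    gpg and compared to the expected value, and rpm --import runs only on a
    match; a missing key entry raises KeyError rather than silently leaving
    the repository unsigned. Assumes gpg exists in the installed image (add
    gnupg2 to %packages otherwise).
    """
    repos = signed_repositories(tdl_xml)
    out = ["repo --name=%s --baseurl=%s" % (name, url) for name, url in repos]
    out += ["", "%post --erroronfail", "set -e"]
    for name, _url in repos:
        key_text, fpr = keys[name]
        expected = normalize_fingerprint(fpr)
        keyfile = "/etc/pki/rpm-gpg/RPM-GPG-KEY-%s" % name
        delim = "EOF_" + name.upper().replace("-", "_")
        out.append("cat > %s <<'%s'" % (keyfile, delim))
        out.append(key_text)
        out.append(delim)
        # gpg's colon format puts the full fingerprint in field 10 of the fpr record
        out.append("actual=$(gpg --with-fingerprint --with-colons %s "
                   "| awk -F: '/^fpr:/ {print $10; exit}')" % keyfile)
        out.append('[ "$actual" = "%s" ] || { echo "%s: key fingerprint '
                   'mismatch" >&2; exit 1; }' % (expected, name))
        out.append("rpm --import %s" % keyfile)
    out.append("%end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(kickstart_fragment(SAMPLE_TDL, SAMPLE_KEYS))
```

Paste the output into a copy of the kickstart Oz ships (the rhel-6-jeos.ks mentioned above) and pass that copy with `oz-install -a`. Keeping the fingerprint check even though you supply the key file yourself means a wrong or swapped key aborts the build (`--erroronfail`) instead of quietly trusting whatever ends up in /etc/pki/rpm-gpg.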