NCPA update

[dwhitfield]

Did you have any other questions, or are we ready to lock this up?

[bennyboy]

H Bennyboy,

I think there are a couple similar but different things going on here. First, the public key available at repo.nagios.com/RPM-GPG-KEY-NAGIOS is used to verify the sha1 signature of the package. This just means that key(which should be trusted because it's on our site) has signed the package.

Second, the sha256 checksum is used to verify the integrity of a file. Repomd.xml points to "repodata/62bc8af6bdf8d9160e8418d3f99dbb58cd419188a3905c5240f8e3e35bbf1f34-other.xml.gz" and if you download this file, it contains a list of checksums for the ncpa packages and shows a sha256 checksum of eebe4ce829910748b50379d2d4e1c28d4ff436a2184bbd1ffc96da9f8e81f8fb for ncpa 2.0.3. This should match what you downloaded and you can verify by running "sha256sum ncpa-2.0.3.el7.x86_64.rpm".

Last, I believe it starts then stops the service as a check to make sure everything installed correctly but doesn't want to assume that you necessarily want it running right away. It should be relatively easy to script something to start it after the upgrade though or maybe just run "yum update ncpa;service ncpa restart".

Can you confirm you already sign your package with a gpg key because if I sync your repo in Redhat Satellite I don't see any signature. I see content provider is Unknown instead of EPEL Repo show Content provider EPEL.
I try to install your package and I have a message that your rpm package is not sign.

Thank you!

[cdienger]

Hi bennyboy,

The packages are signed and the rpm commands you were running before show the signature IDs. You may just need to import the key to get rid of the warning messages:

Code: Select all

rpm --import http://repo.nagios.com/RPM-GPG-KEY-NAGIOS