How to digitally sign a YUM repository created with ZCM11

With ZENworks Configuration Management 11 and higher, you can create a YUM repository. This repository can be used to patch a server that has no ZENworks agent installed. By default these YUM repositories are not digitally signed, so a few extra steps are needed.

With the following steps, the YUM repository can be digitally signed. In the gpg session below, the value shown after each prompt (for example 1 after "Your selection?") is what you have to type; everything else is output from gpg.

First, create a PGP key on the ZCM server:
# gpg -q --gen-key
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
n = key expires in days
nw = key expires in n weeks
nm = key expires in n months
ny = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: real name to be used
Email address: your mail address
Comment: your comment

You selected this USER-ID:
"real name to be used(your comment) <your mail address>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.
Two pop-ups will appear, to enter and re-enter the passphrase.
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5477D63A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2022-01-20
pub 1024D/5477D63A 2012-02-09
Key fingerprint = BFBE F58B F0E5 3EBF 1C1A 3507 071A 73B5 5477 D63A
uid Novell ZCM Yum-repo (ZCM repo key) <zcm@domain_name.com>
sub 1024g/2251F675 2012-02-09

The GPG key is now created. For further reference, note the ID behind 'pub 1024D/'. In this example it is 5477D63A. This key ID is needed when running the script that digitally signs the repository.

The following script signs the repomd.xml of every repository below the ZCM YUM repository directory. Because it contains the key passphrase in clear text, keep it readable by root only (for example chmod 600):
#!/bin/bash

# Change this to the passphrase used when creating the PGP key
PASSPHRASE='passphrase used when creating PGP key'

# Change this to your GPG key ID (the ID behind 'pub 1024D/', e.g. 5477D63A)
KEY_NAME=5477D63A

ZEN_YUM_REPO_DIR=/var/opt/novell/zenworks/yum-repo

OLWD=$(pwd)
cd "$ZEN_YUM_REPO_DIR" || exit 1

# Export the public key once; a copy is placed next to every signed repomd.xml
/usr/bin/gpg -a --export "$KEY_NAME" > repomd.xml.key

for i in * ; do
    if [ -d "$i/repodata" ] ; then
        cd "$i/repodata"
        if [ -f repomd.xml ] ; then
            /bin/echo "Signing repository $i"
            /bin/rm -f repomd.xml.asc
            # Create the detached, ASCII-armored signature repomd.xml.asc
            # (on GnuPG 2.1 or newer add --pinentry-mode loopback before --passphrase-fd 0)
            /bin/echo "$PASSPHRASE" | /usr/bin/gpg --batch --passphrase-fd 0 -a --detach-sign --default-key "$KEY_NAME" repomd.xml
            /bin/cp -f ../../repomd.xml.key .
            /bin/chown zenworks:zenworks repomd.xml.asc repomd.xml.key
        fi
        cd - > /dev/null
    fi
done

/bin/rm -f repomd.xml.key
cd "$OLWD" > /dev/null
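After the signing script has run, it is worth confirming that every repository actually carries a signature that verifies against the exported key. The following check is an added example, not part of the original article or of ZCM: it assumes the directory layout used above (/var/opt/novell/zenworks/yum-repo/<repository>/repodata/), and the cryptographic check assumes gpg is installed on the ZCM server. The structural check needs nothing beyond a POSIX shell.

```shell
#!/bin/bash
# Added example (not from the original article): audit a ZCM YUM repository tree
# after signing. Assumed layout: <root>/<repository>/repodata/repomd.xml.
#
# check_repo_tree <root>
#   Structural check. For every repository that has repodata/repomd.xml it
#   prints "OK <name>" or "MISSING <name> <file>" and returns 0 only when every
#   repository has both repomd.xml.asc and repomd.xml.key.
check_repo_tree() {
    local root=$1 rc=0 dir name f missing
    for dir in "$root"/*/; do
        [ -f "${dir}repodata/repomd.xml" ] || continue
        name=$(basename "$dir")
        missing=0
        for f in repomd.xml.asc repomd.xml.key; do
            if [ ! -f "${dir}repodata/$f" ]; then
                echo "MISSING $name $f"
                missing=1
            fi
        done
        if [ "$missing" -eq 0 ]; then
            echo "OK $name"
        else
            rc=1
        fi
    done
    return "$rc"
}

# verify_repo_signature <repodata-dir>
#   Cryptographic check for one repository: imports the shipped repomd.xml.key
#   into a throw-away GnuPG home and verifies repomd.xml.asc over repomd.xml
#   with it, so the result never depends on root's own keyring or trust
#   database. Returns gpg's exit status (0 = good signature from that key),
#   or 2 when gpg is not available.
verify_repo_signature() {
    local repodata=$1 home rc
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$repodata/repomd.xml.key" 2>/dev/null
    gpg --homedir "$home" --batch --quiet --verify "$repodata/repomd.xml.asc" "$repodata/repomd.xml" 2>/dev/null
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# When run with a directory argument, perform both checks on that tree.
if [ $# -gt 0 ]; then
    check_repo_tree "$1" || exit 1
    for dir in "$1"/*/; do
        [ -f "${dir}repodata/repomd.xml.asc" ] || continue
        if verify_repo_signature "${dir}repodata"; then
            echo "GOOD SIGNATURE $(basename "$dir")"
        else
            echo "BAD SIGNATURE $(basename "$dir")"
            exit 1
        fi
    done
fi
```

A non-zero exit from either check is a sign that the signing script did not run to completion for that repository (for example because the passphrase or key ID was wrong), and that a client with repository signature checking enabled will refuse the repository.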

The only remaining step is to import the key on the server that will receive the patches. Copy /var/opt/novell/zenworks/yum-repo/repository_name/repodata/repomd.xml.key from the ZCM server to the server receiving the patches, and import the key on the receiving server with:
# rpm --import repomd.xml.key
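Importing the key into rpm's keyring only lets rpm recognise signatures made with it; yum verifies the signature on repomd.xml only for repositories whose definition sets repo_gpgcheck=1. The following client-side enrolment is an added example, not part of the original article: it assumes the ZCM server is reachable at the placeholder URL http://zcm.example.com/zenworks-yum-repo/<repository>/ and writes a repository definition with both signature checks switched on.

```shell
#!/bin/bash
# Added example (not from the original article): enrol a patch client in a
# signed ZCM YUM repository. The base URL is a placeholder; replace it with
# the address under which your ZCM server publishes the repository.

# signed_repo_definition <name> <base_url>
#   Prints a yum repository definition that verifies both package signatures
#   and the repository metadata signature (repodata/repomd.xml.asc).
signed_repo_definition() {
    local name=$1 base_url=$2
    printf '[%s]\n' "$name"
    printf 'name=ZCM patch repository %s\n' "$name"
    printf 'baseurl=%s/%s/\n' "$base_url" "$name"
    printf 'enabled=1\n'
    # Package signatures: the packages' own signing key must also be in rpm's keyring
    printf 'gpgcheck=1\n'
    # Repository metadata signature: this is what the signing script on the ZCM server produces
    printf 'repo_gpgcheck=1\n'
    printf 'gpgkey=%s/%s/repodata/repomd.xml.key\n' "$base_url" "$name"
}

# write_repo_file <name> <base_url> [repos_dir]
#   Writes the definition to <repos_dir>/<name>.repo (default /etc/yum.repos.d)
#   readable by everyone but writable only by root.
write_repo_file() {
    local name=$1 base_url=$2 repos_dir=${3:-/etc/yum.repos.d}
    signed_repo_definition "$name" "$base_url" > "$repos_dir/$name.repo"
    chmod 644 "$repos_dir/$name.repo"
}

# enrol_signed_repo <name> <base_url> <keyfile>
#   Full enrolment: write the definition and import the copied repomd.xml.key,
#   which is the step the article performs by hand with rpm --import.
enrol_signed_repo() {
    local name=$1 base_url=$2 keyfile=$3
    write_repo_file "$name" "$base_url"
    rpm --import "$keyfile"
}

# Example invocation (run as root on the patch client):
#   enrol_signed_repo zcm-sles11 http://zcm.example.com/zenworks-yum-repo /root/repomd.xml.key
```

With repo_gpgcheck=1 in place, yum downloads repodata/repomd.xml.asc next to repomd.xml and refuses the repository when the signature is missing or does not verify with a key in rpm's keyring, which is exactly the tampering the signing script is meant to make detectable.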

Happy patching...........
