Signing Repository Metadata
You require a custom GPG key to be able to sign repository metadata.
To access a shell inside the Server container run |
-
As the root user, use the
gpg
command to generate a new key:mgrctl exec -- gpg --gen-key
-
At the prompts, select
RSA
as the key type, with a size of 2048 bits, and select an appropriate expiry date for your key. Check the details for your new key, and typey
to confirm. -
At the prompts, enter a name and email address to be associated with your key. You can also add a comment to help you identify the key, if desired. When you are happy with the user identity, type
O
to confirm. -
At the prompt, enter a passphrase to protect your key.
-
The key should be automatically added to your keyring. You can check by listing the keys in your keyring:
gpg --list-keys
-
Add the password for your keyring to the
/etc/rhn/signing.conf
configuration file, by opening the file in your text editor and adding this line:GPGPASS="password"
For renewing a GPG key, see Troubleshooting Synchronization.
You can manage metadata signing on the command line using the mgr-sign-metadata-ctl
command.
-
You need to know the short identifier for the key to use. You can list your available public keys in short format:
mgrctl exec -- gpg --keyid-format short --list-keys ... pub rsa2048/3E7BFE0A 2019-04-02 [SC] [expires: 2021-04-01] A43F9EC645ED838ED3014B035CFA51BF3E7BFE0A uid [ultimate] SUSE Manager sub rsa2048/118DE7FF 2019-04-02 [E] [expires: 2021-04-01]
-
Enable metadata signing with the
mgr-sign-metadata-ctl
command:mgrctl exec -- mgr-sign-metadata-ctl enable 3E7BFE0A OK. Found key 3E7BFE0A in keyring. DONE. Set key 3E7BFE0A in /etc/rhn/signing.conf. DONE. Enabled metadata signing in /etc/rhn/rhn.conf. DONE. Exported key 4E2C3DD8 to /srv/susemanager/salt/gpg/mgr-keyring.gpg. DONE. Exported key 4E2C3DD8 to /var/spacewalk/gpg/<KEY_NAME>.key. NOTE. For the changes to become effective run: mgr-sign-metadata-ctl regen-metadata
-
You can check that your configuration is correct with this command:
mgrctl exec -- mgr-sign-metadata-ctl check-config
-
Restart the services and schedule metadata regeneration to pick up the changes:
mgrctl exec -- mgr-sign-metadata-ctl regen-metadata
You can also use the mgr-sign-metadata-ctl
command to perform other tasks.
Use mgr-sign-metadata-ctl --help
to see the complete list.
Repository metadata signing is a global option. When it is enabled, it is enabled on all software channels on the server. This means that all clients connected to the server need to trust the new GPG key to be able to install or update packages.
-
Deploying GPG keys to the clients works with salt states.
-
Apply the highstate with the Uyuni Web UI.
For more information about troubleshooting GPG keys, see Troubleshooting Synchronization.