Use Your Own GPG Key

If the repositories you are using for autoinstallation have unsigned metadata, you usually have to use the insecure=1 kernel parameter as an option of the autoinstallable distribution, and use a spacewalk/sles_no_signature_checks code snippet in the AutoYaST installation file.

A safer alternative is to provide your own GPG key.

Procedure: Include your own GPG key
  1. Create a GPG key.

  2. Use it to sign the package’s metadata.

  3. Add it to the initial RAM disk of your installation media.

For information on how to create the key and sign the metadata with it, see Signing Repository Metadata.

For information on how to add the key to installation media used for network boot, see Own GPG Key for PXE Boot.

For information on how to add the key to installation media used for a boot from CD-ROM, see Own GPG Key in a CD-ROM.

This technique applies only to SUSE clients.

Once you have signed the metadata with your new GPG key, clients that are already onboarded will not know about the new key. Ideally, you should sign the metadata before you register any client.

Should you have already onboarded clients that use those repositories, the simplest fix is to disable GPG key checking on them.

Own GPG Key for PXE Boot

The initial RAM disk (initrd) used by the PXE boot process normally contains only SUSE’s GPG key. Add your own key to this file so that it can be used to check the packages.

Procedure: Add a GPG key to the initial RAM disk
  1. Create a directory with a path identical to the one that is used during the boot process to find the GPG key:

    $ mkdir -p tftproot/usr/lib/rpm/gnupg/keys
  2. Copy your GPG key into this directory with the suffix .asc:

    $ cp /srv/www/htdocs/pub/mgr-gpg-pub.key tftproot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc
  3. Inside the top level directory, package the content and append it to the initrd that is part of your installation media files:

    $ cd tftproot; find . | cpio -o -H newc | xz --check=crc32 -c >> /path/to/initrd
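
The three steps above as shell functions that also check the key file is a public key block, list the new archive before appending it, and keep a copy of the original initrd. This is an added example, not part of the original documentation; the function names and the `.orig` backup suffix are assumptions.

```shell
#!/bin/sh
KEYDIR=usr/lib/rpm/gnupg/keys   # key path inside the initrd, from step 1

# is_public_key FILE: succeed only for an ASCII-armored public key block.
is_public_key() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' || return 1
    # Refuse a file that also carries secret key material.
    ! grep -q 'PRIVATE KEY BLOCK' "$1"
}

# stage_key KEYFILE STAGEDIR: steps 1 and 2, copy the key in with the .asc suffix.
stage_key() {
    is_public_key "$1" || { echo "not a public key: $1" >&2; return 1; }
    name=$(basename "$1")
    mkdir -p "$2/$KEYDIR" && cp "$1" "$2/$KEYDIR/${name%.*}.asc"
}

# append_overlay STAGEDIR INITRD: step 3, with a listing check and a backup.
append_overlay() {
    tmp=$(mktemp) || return 1
    (cd "$1" && find . | cpio -o -H newc | xz --check=crc32 -c) > "$tmp" &&
        # List the archive before touching the initrd.
        xz -dc "$tmp" | cpio -it | grep -q "$KEYDIR/.*\.asc\$" &&
        cp -p "$2" "$2.orig" &&      # assumed backup name
        cat "$tmp" >> "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, with the paths from the procedure:
#   stage_key /srv/www/htdocs/pub/mgr-gpg-pub.key tftproot &&
#   append_overlay tftproot /path/to/initrd
```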

Own GPG Key in a CD-ROM

You can modify an installation image with the mksusecd utility. This command is contained in the Development Tools module.

Procedure: Add a GPG key to an Installation ISO image
  1. Create a directory with a path identical to the one that is used during the boot process to find the GPG key:

    $ mkdir -p initrdroot/usr/lib/rpm/gnupg/keys
  2. Copy your GPG key into this directory with the suffix .asc:

    $ cp /srv/www/htdocs/pub/mgr-gpg-pub.key initrdroot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc
  3. Amend the existing ISO image with mksusecd:

    $ mksusecd --create <new-image>.iso --initrd initrdroot/ <old-image>.iso