储存库元数据
需有一个自定义 GPG 密钥才能为储存库元数据签名。
|
To access a shell inside the Server container run |
As the root user, use the
gpgcommand to generate a new key:mgrctl exec -it -- gpg --full-generate-keyAt the prompts, select
RSAas the key type, with a size of 2048 bits, and select an appropriate expiry date for your key. Check the details for your new key, and typeyto confirm.根据提示输入要与该密钥关联的名称和电子邮件地址。 You can also add a comment to help you identify the key, if desired. When you are happy with the user identity, type
Oto confirm.根据提示输入通行口令以保护您的密钥。
该密钥应自动添加到您的密钥环。 可以通过列出密钥环中的密钥进行检查:
mgrctl exec -- gpg --list-keysAdd the password for your keyring to the
/etc/rhn/signing.confconfiguration file, by opening the file in your text editor and adding this line:GPGPASS="password"
有关如何续订 GPG 密钥,请参见 同步查错。
You can manage metadata signing on the command line using the mgr-sign-metadata-ctl command.
您需要知道所要使用的密钥的短标识符。 可以简短格式列出可用的公共密钥:
mgrctl exec -- gpg --keyid-format short --list-keys ... pub rsa4096/3E7BFE0A 2019-04-02 [SC] [expires: 2029-04-01] A43F9EC645ED838ED3014B035CFA51BF3E7BFE0A uid [ultimate] SUSE Manager sub rsa4096/118DE7FF 2019-04-02 [E] [expires: 2029-04-01]Enable metadata signing with the
mgr-sign-metadata-ctlcommand:mgrctl exec -- mgr-sign-metadata-ctl enable 3E7BFE0A OK. Found key 3E7BFE0A in keyring. DONE. Set key 3E7BFE0A in /etc/rhn/signing.conf. DONE. Enabled metadata signing in /etc/rhn/rhn.conf. DONE. Exported key 3E7BFE0A to /srv/susemanager/salt/gpg/mgr-keyring.gpg. DONE. Exported key 3E7BFE0A to /var/spacewalk/gpg/<KEY_NAME>.key. NOTE. For the changes to become effective run: mgr-sign-metadata-ctl regen-metadata可以使用以下命令检查您的配置是否正确:
mgrctl exec -- mgr-sign-metadata-ctl check-configRestart the container for the configuration changes to be detected.
mgradm restartSchedule metadata regeneration to replace all metadata with new signed versions.
mgrctl exec -- mgr-sign-metadata-ctl regen-metadata
You can also use the mgr-sign-metadata-ctl command to perform other tasks. Use mgr-sign-metadata-ctl --help to see the complete list.
储存库元数据签名是全局选项。启用后,将对服务器上的所有软件通道启用该选项。这意味着,连接到服务器的所有客户端需要信任新的 GPG 密钥才能安装或更新软件包。
将 GPG 密钥部署到客户端的过程适用于 Salt 状态。
使用 SUSE Multi-Linux Manager Web UI 应用 Highstate。
有关 GPG 密钥查错的详细信息,请参见 同步查错。