Use Your Own GPG Key
If the repositories you use for autoinstallation have unsigned metadata, you normally have to pass the insecure=1 kernel parameter as an option of the autoinstallable distribution and include the spacewalk/sles_no_signature_checks code snippet in the AutoYaST installation file. Both switch signature checking off for the installation.
A safer alternative is to sign the metadata with your own GPG key and make that key available to the installer.
This technique applies to SUSE clients only.
- Create a GPG key.
- Use it to sign the package metadata.
- Add it to the initial RAM disk of your installation media.
- For information on how to create the key and sign the metadata with it, see Signing Repository Metadata.
- For information on how to add the key to installation media used for network boot, see Own GPG Key for PXE Boot.
- For information on how to add the key to installation media used for a boot from CD-ROM, see Own GPG Key in a CD-ROM.
After you sign the metadata with your new GPG key, clients that were already registered do not know the new key and cannot verify the signature. Ideally, sign the metadata before you register any client. For already registered clients that use those repositories, the workaround is to disable GPG key checking on them.
1. Own GPG Key for PXE Boot
The initial RAM disk (initrd) used by the PXE boot process normally contains only SUSE's GPG key.
You must add your own key to this file so that it can be used to check the packages.
- Create a directory with a path identical to the one the boot process uses to find the GPG key:
  mkdir -p tftproot/usr/lib/rpm/gnupg/keys
- Copy your GPG key into this directory with the suffix .asc:
  cp /srv/www/htdocs/pub/mgr-gpg-pub.key tftproot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc
- Inside the top level directory, package the content and append it to the initrd that is part of your installation media files:
  cd tftproot
  find . | cpio -o -H newc | xz --check=crc32 -c >> /path/to/initrd
The archive is appended, not merged: the kernel unpacks each concatenated cpio archive in turn, so the key ends up at /usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc in the booted system. Keep --check=crc32, because xz defaults to CRC64 and CRC32 is the check type the in-kernel xz decompressor verifies.
2. Own GPG Key in a CD-ROM
You can modify an installation image with the mksusecd utility, which is contained in the Development Tools module.
- Create a directory with a path identical to the one the boot process uses to find the GPG key:
  mkdir -p initrdroot/usr/lib/rpm/gnupg/keys
- Copy your GPG key into this directory with the suffix .asc:
  cp /srv/www/htdocs/pub/mgr-gpg-pub.key initrdroot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc
- Amend the existing ISO image with mksusecd:
  mksusecd --create <new-image>.iso --initrd initrdroot/ <old-image>.iso