Signing Repository Metadata

You require a custom GPG key to be able to sign repository metadata.

To access a shell inside the Server container run mgrctl term on the container host.

Procedure: Generating a Custom GPG Key
  1. As the root user, use the gpg command to generate a new key:

    mgrctl exec -- gpg --gen-key
  2. At the prompts, select RSA as the key type, with a size of 2048 bits, and select an appropriate expiry date for your key. Check the details for your new key, and type y to confirm.

  3. At the prompts, enter a name and email address to be associated with your key. You can also add a comment to help you identify the key, if desired. When you are happy with the user identity, type O to confirm.

  4. At the prompt, enter a passphrase to protect your key.

  5. The key should be automatically added to your keyring. You can check by listing the keys in your keyring:

    gpg --list-keys
  6. Add the password for your keyring to the /etc/rhn/signing.conf configuration file, by opening the file in your text editor and adding this line:


For renewing a GPG key, see Troubleshooting Synchronization.

You can manage metadata signing on the command line using the mgr-sign-metadata-ctl command.

Procedure: Enabling Metadata Signing
  1. You need to know the short identifier for the key to use. You can list your available public keys in short format:

    mgrctl exec -- gpg --keyid-format short --list-keys
    pub   rsa2048/3E7BFE0A 2019-04-02 [SC] [expires: 2021-04-01]
    uid         [ultimate] SUSE Manager
    sub   rsa2048/118DE7FF 2019-04-02 [E] [expires: 2021-04-01]
  2. Enable metadata signing with the mgr-sign-metadata-ctl command:

    mgrctl exec -- mgr-sign-metadata-ctl enable 3E7BFE0A
    OK. Found key 3E7BFE0A in keyring.
    DONE. Set key 3E7BFE0A in /etc/rhn/signing.conf.
    DONE. Enabled metadata signing in /etc/rhn/rhn.conf.
    DONE. Exported key 4E2C3DD8 to /srv/susemanager/salt/gpg/mgr-keyring.gpg.
    DONE. Exported key 4E2C3DD8 to /var/spacewalk/gpg/<KEY_NAME>.key.
    NOTE. For the changes to become effective run:
       mgr-sign-metadata-ctl regen-metadata
  3. You can check that your configuration is correct with this command:

    mgrctl exec -- mgr-sign-metadata-ctl check-config
  4. Restart the services and schedule metadata regeneration to pick up the changes:

    mgrctl exec -- mgr-sign-metadata-ctl regen-metadata

You can also use the mgr-sign-metadata-ctl command to perform other tasks. Use mgr-sign-metadata-ctl --help to see the complete list.

Repository metadata signing is a global option. When it is enabled, it is enabled on all software channels on the server. This means that all clients connected to the server need to trust the new GPG key to be able to install or update packages.

Procedure: Importing GPG keys on Clients
  1. Deploying GPG keys to the clients works with salt states.

  2. Apply the highstate with the SUSE Manager Web UI.

For more information about troubleshooting GPG keys, see Troubleshooting Synchronization.