Use Your Own GPG Key
If the repositories you are using for autoinstallation have unsigned metadata, you usually have to use the insecure=1
kernel parameter as an option of the autoinstallable distribution, and use a spacewalk/sles_no_signature_checks
code snippet in the AutoYaST installation file.
A safer alternative is to provide your own GPG key.
This technique applies to SUSE clients only. |
-
Create a GPG key.
-
Use it to sign the package’s metadata.
-
Add it to the initial RAM disk of your installation media.
-
To copy GPG keys to the container use
mgradm gpg add
. This command copies the GPG key and adds it to the customer keyring. -
Run command
mgradm restart
. This command creates a unique keyring using the SUSE and the customer keyring.
When you signed the metadata with your new GPG key, any already onboarded client will not know about the new key. Ideally, you should sign the metadata before you register any client. For already onboarded clients that use those repositories, the workaround is to disable GPG key checking on them. |