GPG Keys

Clients use GPG keys to check the authenticity of software packages before they are installed. Only trusted software can be installed on clients.

In most cases, you do not need to adjust the GPG settings to be able to install software on your clients.

By default, operating systems trust only their own GPG keys when they are installed, and do not trust keys provided by third party packages. The clients can be successfully bootstrapped without the GPG key being trusted. However, you cannot install new client tool packages or update them until the keys are trusted.

Salt clients are set to trust SUSE tools channels GPG keys when they are bootstrapped. For all other clients and channels, you need to manually trust third party GPG keys.

If you are bootstrapping Salt clients from the SUSE Manager Web UI, you can use a Salt state to trust the key. For more information on custom Salt states, see Custom Salt States.
Procedure: Trusting GPG Keys on Clients Using a Bootstrap Script

  1. On the SUSE Manager Server, at the command prompt, check the contents of the /srv/www/htdocs/pub/ directory. This directory contains all available public keys. Take a note of the key that applies to the channel assigned to the client you are registering.

  2. Open the relevant bootstrap script, locate the ORG_GPG_KEY= parameter and add the required key. For example:

    uyuni-gpg-pubkey-0d20833e.key

    You do not need to delete any previously stored keys.

Trusting a GPG key is important for security on clients. It is the task of the admin to decide which keys are needed and can be trusted. Trusting the key is done manually, either by writing a Salt state or adding the keys to the bootstrap script.