Use Your Own GPG Key

If the repositories you are using for autoinstallation have unsigned metadata, you usually have to use the insecure=1 kernel parameter as an option of the autoinstallable distribution, and use a spacewalk/sles_no_signature_checks code snippet in the AutoYaST installation file.

A safer alternative is to provide your own GPG key.

This technique applies to SUSE clients only.

Procedure: Include your own GPG key
  1. Create a GPG key.

  2. Use it to sign the package’s metadata.

  3. Add it to the initial RAM disk of your installation media.

After you sign the metadata with your new GPG key, clients that are already onboarded will not know about the new key. Ideally, sign the metadata before you register any client.

For already onboarded clients that use those repositories, the workaround is to disable GPG key checking on them.

1. Own GPG Key for PXE Boot

The initial RAM disk (initrd) used by the PXE boot process normally contains only SUSE’s GPG key. You must add your own key to this file so that it can be used to check the packages.

Procedure: Add a GPG key to the initial RAM disk
  1. Create a directory with a path identical to the one that is used during the boot process to find the GPG key:

    mkdir -p tftproot/usr/lib/rpm/gnupg/keys

  2. Copy your GPG key into this directory with the suffix .asc:

    cp /srv/www/htdocs/pub/mgr-gpg-pub.key tftproot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc

  3. Inside the top level directory, package the content and append it to the initrd that is part of your installation media files:

    cd tftproot
    find . | cpio -o -H newc | xz --check=crc32 -c >> /path/to/initrd

2. Own GPG key in a CD-ROM

You can modify an installation image with the mksusecd utility. This utility is contained in the Development Tools module.

Procedure: Add a GPG key to an Installation ISO image
  1. Create a directory with a path identical to the one that is used during the boot process to find the GPG key:

    mkdir -p initrdroot/usr/lib/rpm/gnupg/keys

  2. Copy your GPG key into this directory with the suffix .asc:

    cp /srv/www/htdocs/pub/mgr-gpg-pub.key initrdroot/usr/lib/rpm/gnupg/keys/mgr-gpg-pub.asc

  3. Amend the existing ISO image with mksusecd:

    mksusecd --create <new-image>.iso --initrd initrdroot/ <old-image>.iso
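
The staging steps shared by both procedures, and the append step of the PXE procedure, can be wrapped with a few checks. The following is an added example, not part of the original procedure or of any SUSE tool: the function names stage_key and append_overlay are hypothetical. It refuses to stage a file that contains a private key block, and it builds and verifies the overlay archive in a temporary file before appending it to the initrd.

```shell
#!/bin/sh
# Added example; stage_key and append_overlay are hypothetical helper names.
KEYDIR=usr/lib/rpm/gnupg/keys   # path from the procedure, searched during boot

# stage_key KEYFILE ROOT: copy an armored public key to ROOT/$KEYDIR/<name>.asc
stage_key() {
    key=$1 root=$2
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    # Never place secret key material in boot media handed to clients.
    if grep -qF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$key"; then
        echo "$key contains a private key, refusing" >&2; return 2
    fi
    grep -qF -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$key" ||
        { echo "$key is not an ASCII-armored public key" >&2; return 3; }
    name=$(basename "$key"); name=${name%.*}      # mgr-gpg-pub.key -> mgr-gpg-pub
    mkdir -p "$root/$KEYDIR" &&
        cp "$key" "$root/$KEYDIR/$name.asc" &&
        chmod 0644 "$root/$KEYDIR/$name.asc"
}

# append_overlay ROOT INITRD: pack ROOT as newc cpio + xz and append it to INITRD.
# The archive is written to a temporary file first, so a failed cpio or xz
# run cannot leave a partial archive at the end of the initrd.
append_overlay() {
    root=$1 initrd=$2
    [ -w "$initrd" ] || { echo "cannot write $initrd" >&2; return 1; }
    tmp=$(mktemp) || return 1
    (cd "$root" && find . | cpio -o -H newc | xz --check=crc32 -c) >"$tmp"
    # Check the xz stream and confirm the archive really lists the key file.
    if xz -t <"$tmp" &&
       xz -dc <"$tmp" | cpio -it 2>/dev/null | grep -q "$KEYDIR/.*\.asc\$"; then
        cat "$tmp" >>"$initrd"; rc=$?
    else
        echo "overlay archive failed verification, initrd untouched" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage, with the paths from the PXE procedure above:
#   stage_key /srv/www/htdocs/pub/mgr-gpg-pub.key tftproot
#   append_overlay tftproot /path/to/initrd
```

For the ISO procedure, run stage_key with initrdroot as the second argument and pass that directory to mksusecd as shown in step 3.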