
GPG keys for sync'd SLES products don't appear on channels nor are gpg checks enabled on clients for SLES repos #8563

Open
EthanB11 opened this issue Apr 4, 2024 · 6 comments
Labels
bug Something isn't working P5

Comments

@EthanB11

EthanB11 commented Apr 4, 2024

Problem description

There is no visible way to enable GPG keys on sync'd products from SUSE. The channel list has Enable GPG Check enabled, but there is no GPG key URL, GPG key ID or GPG key Fingerprint filled out. Since these channels are managed in the backend of Uyuni and can't be edited under Channel management, there seems to be no way to enable GPG on the clients, which is a CIS benchmark check.

Security: GPG
GPG key URL(none entered)
GPG key ID(none entered)
GPG key Fingerprint(none entered)
Enable GPG Check

When checking the /etc/zypp/zypp.conf file it states: Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a repositories .repo file will overwrite the defaults for this specific repo.

The repo files on the client that are deployed from Uyuni all contain gpgcheck=0, thereby overriding any other configuration.

Steps to reproduce

  1. Sync SLES product
  2. Deploy client
  3. Check GPG enablement
    ...

Uyuni version

Information for package Uyuni-Server-release:
---------------------------------------------
Repository     : Uyuni Server Stable
Name           : Uyuni-Server-release
Version        : 2024.02-230900.213.1.uyuni3
Arch           : x86_64
Vendor         : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level  : Level 3
Installed Size : 1.4 KiB
Installed      : Yes
Status         : up-to-date
Source package : Uyuni-Server-release-2024.02-230900.213.1.uyuni3.src
Summary        : Uyuni Server
Description    :
    Uyuni lets you efficiently manage physical, virtual,
    and cloud-based Linux systems. It provides automated and cost-effective
    configuration and software management, asset management, and system
    provisioning.

Uyuni proxy version (if used)

No response

Useful logs

No response

Additional information

No response

@EthanB11 EthanB11 added bug Something isn't working P5 labels Apr 4, 2024
@avshiliaev
Contributor

Hey @EthanB11
thanks for the report. What SLES products are you syncing? Do you deploy traditional clients?

@EthanB11
Author

SLES 15 for SAP, deploying salt clients.

@mcalmer
Contributor

mcalmer commented May 5, 2024

gpgcheck=1 requires that the metadata is signed.
As Uyuni re-generates the metadata, it cannot sign it when it does not have a GPG key.
So our default is to not check the metadata signature, but the RPM package signature.
This is done with gpgcheck=0 and pkg_gpgcheck=1, which should be the default.
You can check this when you call "zypper lr" on the client. It shows what kind of GPG check is done for every repo.

If you want full GPG check, you need to generate your own GPG key.
Follow https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/repo-metadata.html and it should change the type to a full GPG check.
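
To make the default described above visible on a client, here is an added example (not code from the Uyuni project or from anyone in this thread) that reads a constructed set of .repo entries and reports the effective metadata and package signature checks per repo. It uses a simplified model of the zypp.conf precedence rules quoted in the report (gpgcheck defaults to on; repo_gpgcheck and pkg_gpgcheck default to gpgcheck's value unless set explicitly); the repo names and URLs are made up.

```python
import configparser
from typing import Dict

# Constructed sample .repo content, in the style of files deployed to a client.
# The first entry mirrors the gpgcheck=0 / pkg_gpgcheck=1 default discussed here.
SAMPLE_REPO = """
[susemanager:sle-module-basesystem15-sp5-pool-x86_64]
name=SLE Module Basesystem 15 SP5 Pool (constructed)
enabled=1
baseurl=https://uyuni.example.test/rhn/manager/download/sle-module-basesystem15-sp5-pool-x86_64
gpgcheck=0
pkg_gpgcheck=1

[local-unsigned]
name=Mirror with all checks off (constructed)
enabled=1
baseurl=http://mirror.example.test/repo
gpgcheck=0

[fully-checked]
name=Repo whose metadata is signed (constructed)
enabled=1
baseurl=https://uyuni.example.test/rhn/manager/download/custom-signed
gpgcheck=1
"""

def _flag(section, key: str, default: bool) -> bool:
    """Parse a 0/1 style flag; fall back to `default` when the key is absent."""
    value = section.get(key)
    if value is None:
        return default
    return value.strip().lower() in ("1", "yes", "true", "on")

def effective_gpg_checks(repo_text: str, zypp_default_gpgcheck: bool = True) -> Dict[str, Dict[str, bool]]:
    """Map each repo to its effective repo_gpgcheck / pkg_gpgcheck (simplified zypp rules)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    result = {}
    for name in cp.sections():
        sec = cp[name]
        gpgcheck = _flag(sec, "gpgcheck", zypp_default_gpgcheck)
        result[name] = {
            "repo_gpgcheck": _flag(sec, "repo_gpgcheck", gpgcheck),  # metadata signature
            "pkg_gpgcheck": _flag(sec, "pkg_gpgcheck", gpgcheck),    # RPM package signature
        }
    return result

def repos_without_package_check(repo_text: str) -> list:
    """Repos where even package signatures are not verified: the ones worth flagging."""
    return sorted(n for n, c in effective_gpg_checks(repo_text).items() if not c["pkg_gpgcheck"])

if __name__ == "__main__":
    for repo, c in effective_gpg_checks(SAMPLE_REPO).items():
        print(f"{repo}: metadata={'on' if c['repo_gpgcheck'] else 'off'} packages={'on' if c['pkg_gpgcheck'] else 'off'}")
```

On a real client, compare the output against "zypper lr" (which prints the GPG check column from zypp's own evaluation) rather than trusting the simplified model alone.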

@EthanB11
Author

EthanB11 commented May 7, 2024 via email

@EthanB11
Author

In addition I can see the GPG key defined in the repo file on the client, but the gpgcheck=0 has not changed to gpgcheck=1.

@EthanB11
Author

EthanB11 commented May 10, 2024

Found bug 4965 and I tried the below with no signed metadata.

foobar:/var/cache/rhn/repodata # mgr-sign-metadata-ctl enable GENKEY
OK. Found key GENKEY in keyring.
OK. Key GENKEY is set in /etc/rhn/signing.conf.
OK. Metadata signing is enabled in /etc/rhn/rhn.conf.
OK. Key GENKEY was exported to /srv/susemanager/salt/gpg/mgr-keyring.gpg.
OK. Key GENKEY was exported to /srv/susemanager/salt/gpg/mgr-gpg-pub.key.
OK. Key GENKEY was exported to /srv/www/htdocs/pub/mgr-gpg-pub.key.

NOTE. For the changes to become effective run:
   mgr-sign-metadata-ctl regen-metadata
  1. spacewalk-service stop
  2. rm -rf /var/cache/rhn/repodata/*
  3. spacewalk-service start
  4. mgr-sign-metadata-ctl regen-metadata
  5. mgr-sign-metadata-ctl check-channels

For channels that have regen'd, the metadata is not signed.

ERROR. Channel rhel-x86_64-ha-9. Cached metadata is not signed.
ERROR. Channel rhel-x86_64-server-8. Cached metadata is not signed.
