GPG keys for sync'd SLES products don't appear on channels nor are gpg checks enabled on clients for SLES repos #8563
Comments
Hey @EthanB11
SLES 15 for SAP, deploying salt clients.
gpgcheck=1 requires that the metadata is signed. If you want a full GPG check, you need to generate your own GPG key.
Is there a log to check for the metadata regen? I kicked it off yesterday, but running the check-channels command stated nothing was signed yet.
From: Michael Calmer, Sunday, May 5, 2024, replying on uyuni-project/uyuni issue #8563:

gpgcheck=1 requires that the metadata is signed.
As Uyuni regenerates the metadata, it cannot sign it when it does not have a GPG key.
So our default is to not check the metadata signature, but the RPM package signature.
This is done with gpgcheck=0 and pkg_gpgcheck=1, which should be the default.
You can check this when you call "zypper lr" on the client. It shows what kind of GPG check is done for every repo.
If you want a full GPG check, you need to generate your own GPG key.
Follow https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/repo-metadata.html and it should change the type to a full GPG check.
In addition, I can see the GPG key defined in the repo file on the client, but gpgcheck=0 has not changed to gpgcheck=1.
Found bug 4965 and I tried the below, with no signed metadata:

    foobar:/var/cache/rhn/repodata # mgr-sign-metadata-ctl enable GENKEY
    OK. Found key GENKEY in keyring.
    OK. Key GENKEY is set in /etc/rhn/signing.conf.
    OK. Metadata signing is enabled in /etc/rhn/rhn.conf.
    OK. Key GENKEY was exported to /srv/susemanager/salt/gpg/mgr-keyring.gpg.
    OK. Key GENKEY was exported to /srv/susemanager/salt/gpg/mgr-gpg-pub.key.
    OK. Key GENKEY was exported to /srv/www/htdocs/pub/mgr-gpg-pub.key.
    NOTE. For the changes to become effective run:
    mgr-sign-metadata-ctl regen-metadata

For channels that have regenerated metadata, it is not signed:

    ERROR. Channel rhel-x86_64-ha-9. Cached metadata is not signed.
    ERROR. Channel rhel-x86_64-server-8. Cached metadata is not signed.
Problem description
There is no visible way to enable GPG keys on synced products from SUSE. The channel list has Enable GPG Check enabled, but there is no GPG key URL, GPG key ID or GPG key Fingerprint filled out. Since these channels are managed in the backend of Uyuni and can't be edited under Channel management, there seems to be no way to enable GPG on the clients, which is a CIS benchmark check.
Security: GPG
GPG key URL: (none entered)
GPG key ID: (none entered)
GPG key Fingerprint: (none entered)
Enable GPG Check
When checking the /etc/zypp/zypp.conf file, it states:
    Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a repositories .repo file will overwrite the defaults for this specific repo.
The repo files on the client that are deployed from Uyuni all contain
    gpgcheck=0
thereby overriding any other configuration.
Steps to reproduce
...
Uyuni version
Uyuni proxy version (if used)
No response
Useful logs
No response
Additional information
No response
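The distinction Michael Calmer draws in his reply (gpgcheck=0 plus pkg_gpgcheck=1 means RPM signatures are still verified while metadata signatures are not) and the zypp.conf override rule quoted in the problem description above are easy to misread when auditing clients, because a gpgkey= line in the .repo file enables nothing by itself. The script below is an added example, not Uyuni project code: it classifies the effective GPG checking mode of every repository in a zypper .repo file the way "zypper lr" does, and provides an audit gate that fails unless every repo gets the full check. The rules it encodes are a summary of the comment block in /etc/zypp/zypp.conf; it only understands 0/1 values, and the repo aliases, hostnames and sample repo content are constructed for the example.

```shell
#!/bin/sh
# Added example (not Uyuni project code): classify the effective GPG checking
# mode of each repository in a zypper .repo file, mirroring what "zypper lr"
# reports per repo. Rules summarised from the /etc/zypp/zypp.conf comments:
#   - gpgcheck unset or 1 : metadata (repo) and package signatures are checked
#   - gpgcheck=0          : nothing is checked unless repo_gpgcheck or
#                           pkg_gpgcheck is set explicitly for that repo
#   - repo_gpgcheck / pkg_gpgcheck, when present, override gpgcheck for
#     their own part (metadata resp. packages)
# Only 0/1 values are handled. Aliases and hostnames below are invented.

# Constructed sample .repo content, not copied from a real Uyuni client.
SAMPLE_REPO='[sles15-sp4-updates]
name=Uyuni default: signed RPMs, unsigned metadata
baseurl=https://uyuni.example.internal/rhn/manager/download/sles15-sp4-updates
gpgcheck=0
pkg_gpgcheck=1
gpgkey=https://uyuni.example.internal/pub/mgr-gpg-pub.key

[custom-unsigned]
name=Nothing checked at all
baseurl=https://uyuni.example.internal/rhn/manager/download/custom
gpgcheck=0

[sles15-sp4-pool]
name=Defaults only, so the zypp.conf default gpgcheck=on applies
baseurl=https://uyuni.example.internal/rhn/manager/download/sles15-sp4-pool

[signed-metadata]
name=After enabling metadata signing: metadata and packages checked
baseurl=https://uyuni.example.internal/rhn/manager/download/signed
gpgcheck=1
repo_gpgcheck=1
pkg_gpgcheck=1
'

# gpg_mode: read .repo text on stdin, print "<alias> <mode>" per repo, where
# mode is one of: full, pkg-only, repo-only, none.
gpg_mode() {
  awk '
    function flush() {
      if (alias == "") return
      g = (gpgcheck == "") ? 1 : gpgcheck     # zypp.conf default is on
      r = (repo == "") ? g : repo             # metadata signature check
      p = (pkg == "") ? g : pkg               # RPM signature check
      mode = (r && p) ? "full" : (r ? "repo-only" : (p ? "pkg-only" : "none"))
      print alias, mode
    }
    /^\[.*\]$/ {
      flush()
      alias = substr($0, 2, length($0) - 2)
      gpgcheck = ""; repo = ""; pkg = ""
      next
    }
    /^(repo_|pkg_)?gpgcheck[ \t]*=/ {
      key = $0; sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val)
      if (key == "gpgcheck")           gpgcheck = val + 0
      else if (key == "repo_gpgcheck") repo = val + 0
      else if (key == "pkg_gpgcheck")  pkg = val + 0
    }
    END { flush() }
  '
}

# audit_repos: exit 0 only if every repo on stdin gets the full check;
# prints a WARN line for each repo that does not (a CIS-style gate).
audit_repos() {
  gpg_mode | awk '$2 != "full" { bad++; print "WARN", $1, $2 } END { exit (bad > 0) }'
}

printf '%s\n' "$SAMPLE_REPO" | gpg_mode
```

On a client, run it against the Uyuni-deployed files with `cat /etc/zypp/repos.d/*.repo | audit_repos`. The first sample repo is the shape the issue describes: the gpgkey= URL is present, yet the repo classifies as pkg-only, which matches the "packages only" marker in the GPG Check column of `zypper lr`. Only after the server signs its regenerated metadata and the deployed .repo files carry gpgcheck=1 (the last sample) does a repo reach "full".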