[opensuse] Repository keys and config management
Hello List,

I'm just wondering how you deal with GPG keys when using config management. In my case, that's CFEngine, but I guess the issue would be quite similar with Puppet, Chef, or whatever you happen to be using.

I can add required repositories simply by copying the .repo to /etc/zypp/repos.d. I can then install any packages via zypper, but only after the appropriate public key has been installed. Right now, I do this in a semi-manual way: The .repo and the packages are handled by CFEngine, but I need to call zypper ref once per machine and repository in order to import the key.

This is feasible (but not elegant) because machines are installed with a fairly complete set of repositories from an image, and "extra" repositories typically are required only on a handful of clients.

A solution I'd prefer would look like this:
- download the pubkey, once, on the policy server;
- distribute it to the clients using CFEngine;
- install away, again using CFE.

Is there any way to do that?

Thanks,
A.

--
Ansgar Esztermann
Sysadmin
Dep. Theoretical and Computational Biophysics
http://www.mpibpc.mpg.de/grubmueller/esztermann
On Fri, May 15, 2020 at 10:21 AM Ansgar Esztermann-Kirchner <aeszter@mpibpc.mpg.de> wrote:
> Hello List,
>
> I'm just wondering how you deal with GPG keys when using config management. In my case, that's CFEngine, but I guess the issue would be quite similar with Puppet, Chef, or whatever you happen to be using.
>
> I can add required repositories simply by copying the .repo to /etc/zypp/repos.d. I can then install any packages via zypper, but only after the appropriate public key has been installed. Right now, I do this in a semi-manual way: The .repo and the packages are handled by CFEngine, but I need to call zypper ref once per machine and repository in order to import the key.
>
> This is feasible (but not elegant) because machines are installed with a fairly complete set of repositories from an image, and "extra" repositories typically are required only on a handful of clients.
>
> A solution I'd prefer would look like this:
> - download the pubkey, once, on the policy server;
> - distribute it to the clients using CFEngine;
> - install away, again using CFE.
>
> Is there any way to do that?
Keys are kept in the RPM database. There is no way around running some command to import keys. You can use "rpm --import" as an alternative to zypper.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Friday, 15 May 2020, 09:21:27 CEST, Ansgar Esztermann-Kirchner wrote:
> A solution I'd prefer would look like this:
> - download the pubkey, once, on the policy server;
> - distribute it to the clients using CFEngine;
> - install away, again using CFE.
Hi Ansgar,

the public key of the repository can be downloaded from the repository; it is located at repodata/repomd.xml.key. So downloading the public keys to your repo server should be doable, I guess.

Importing to the rpm database on the client would work via rpm --import, as Andrej suggested earlier. Distributing with CFE is then your part anyway.

You might need to consider the case when a repository gets a new key, though.

/Andreas

--
Time flies like an arrow. Fruit flies like a banana.
On Sat, May 16, 2020 at 03:04:20PM +0200, Andreas Mahel wrote:
> Importing to the rpm database on the client would work via rpm --import, as Andrej suggested earlier.

That was the crucial part I've been missing -- how to handle the key on the client. I guess I'll need some intelligent application of rpm -q gpg-pubkey-xxxx as well in order to determine whether a given key needs to be imported.

Thanks to both of you for your replies!

A.

--
Ansgar Esztermann
Sysadmin
Dep. Theoretical and Computational Biophysics
http://www.mpibpc.mpg.de/grubmueller/esztermann
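Putting Andreas's pointers (the key at repodata/repomd.xml.key, import via rpm --import) and Ansgar's rpm -q gpg-pubkey-xxxx idea together, here is an added example that is not code from this thread: a POSIX sh script that derives the gpg-pubkey name rpm will use from the key's fingerprint, imports the key only when rpm does not have it yet, and optionally refuses a key whose fingerprint does not match a value pinned on the policy server. Assumed: the key file path and the optional pinned fingerprint are passed as arguments, and gpg and rpm are installed on the client.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gpg and rpm exist on the
# client, that CFEngine has already copied the key (fetched once on the policy
# server from <repo-url>/repodata/repomd.xml.key) to $1, and that $2, if given,
# is the vendor-published fingerprint you chose to pin (hypothetical pin).

# rpm records an imported key as a pseudo-package named
#   gpg-pubkey-<low 32 bits of the key ID, lowercase hex>-<creation time, hex>
# Querying the first part alone is enough to see whether it is present.
rpm_key_pkg_name() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    short=${fpr#"${fpr%????????}"}      # last 8 hex digits, plain POSIX sh
    printf 'gpg-pubkey-%s\n' "$short"
}

# Fingerprint of the key in a file, as gpg reports it (no import performed).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import only if rpm does not know the key yet. A rotated repository key has a
# different key ID and therefore a different gpg-pubkey name, so it is simply
# imported alongside the old one on the next run.
ensure_key_imported() {
    keyfile=$1
    expected=$(printf '%s' "${2:-}" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    fpr=$(key_fingerprint "$keyfile")
    [ -n "$fpr" ] || { echo "no public key found in $keyfile" >&2; return 1; }
    if [ -n "$expected" ] && [ "$fpr" != "$expected" ]; then
        echo "refusing $keyfile: fingerprint $fpr does not match pinned $expected" >&2
        return 1
    fi
    pkg=$(rpm_key_pkg_name "$fpr")
    if rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg already present, nothing to do"
    else
        rpm --import "$keyfile" && echo "imported $keyfile as $pkg"
    fi
}

# Usage: ./import-repo-key.sh /path/to/repomd.xml.key [EXPECTED_FINGERPRINT]
if [ "$#" -gt 0 ]; then
    ensure_key_imported "$1" "${2:-}"
fi
```

Because the script only calls rpm --import when rpm -q reports the key missing, it can run on every CFEngine pass without side effects, and a repository that switches keys is picked up the first time the new repomd.xml.key is distributed.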