On Friday, 24 April 2020 17:31:32 (CEST) Tobias Crefeld wrote:
On Fri, 24 Apr 2020 15:46:20 +0200
Julio González Gil <jgonzalez@suse.com> wrote:
So I think you need something similar to:
https://www.uyuni-project.org/uyuni-docs/uyuni/client-configuration/clients-opensuse.html#_trust_gpg_keys_on_clients
If I am not wrong, the key from PackageHub should be uploaded to /srv/www/htdocs/pub
I haven't fully understood this advice yet, but I keep trying.
Basically I think this can be fixed by one of the following alternatives:

a) Bootstrap script
Copy the PackageHub GPG key file to /srv/www/htdocs/pub on the server. Then you can add it to the bootstrap script (there's a variable for that) and that should add the GPG key to the clients you bootstrap, therefore they will trust the packages from the Package Hub.

b) Salt state
As an alternative (or the only option if you bootstrap from the WebUI), you can create a Salt state to send the GPG key file to the clients and to trust it on those clients. This would work even for already onboarded clients, as you can apply the state to them.
@doc team, shouldn't we describe how to trust GPG keys for third-party repositories on the clients? I can't see it at https://www.uyuni-project.org/uyuni-docs/uyuni/administration/custom-channels.html
Actually, my expectation is that a channel that is provided via "Admin / Setup Wizard / Products" redistributes the respective GPG key as well.
I am pretty sure this was discussed in the past, and IIRC the conclusion was that this could be insecure, and that if the base OS doesn't trust a GPG key (as is the case here, since SLE doesn't trust the GPG key for PackageHub by default: https://packagehub.suse.com/how-to-use/), then trusting it on clients should not be transparent for the Uyuni administrator, as otherwise the administrator wouldn't notice what's going on.

As this comes provided by SCC, the question is whether SLE should trust this key by default. But that's not something Uyuni can fix on its side.

Of course, with enough changes to the code, maybe Uyuni could assume that if a repository came from SCC the key must be accepted on reposync, and then it should be passed to the clients and trusted on the clients. But I'd say that's not really trivial (our developers should tell).

So at least for the short term, the solution is the highstate/change to the bootstrap script, and IMHO it should be part of the official doc.
Writing this, I remember that I already had some problems with this channel earlier, during the initial setup of Uyuni. The resolution was a manual call
spacewalk-repo-sync -c suse-packagehub-15-x86_64
with a dialogue asking whether I wanted to import the GPG key.
Same as above, yes. In this case it's the Uyuni Server that doesn't trust the key, as it considers the Package Hub a third-party repository, just as SLE and openSUSE do.

--
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
jgonzalez@suse.com
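For readers following alternative b) above, here is an added example of what such a Salt state could look like. It is not part of the thread and not Uyuni's own code. It assumes the PackageHub key file has been copied to /srv/salt/packagehub/packagehub.key on the Uyuni server (so the Salt master serves it over the authenticated Salt transport rather than plain HTTP), and that the key's user ID contains the string "Package Hub" (both the path and that string are assumptions; adjust them to the actual key). The state name, file names and destination path are likewise illustrative.

```yaml
# Added example Salt state (not from the thread, not Uyuni's own code).
# Assumption: the PackageHub key was copied to /srv/salt/packagehub/packagehub.key
# on the Uyuni server so it is available as salt://packagehub/packagehub.key.

packagehub_gpg_key_file:
  file.managed:
    # Destination on the client; the path is an assumption, any root-owned,
    # non-writable location works.
    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-packagehub
    - source: salt://packagehub/packagehub.key
    - user: root
    - group: root
    - mode: '0644'
    - makedirs: True

packagehub_gpg_key_import:
  cmd.run:
    # Import the key into the RPM database so zypper/rpm trust packages signed by it.
    - name: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-packagehub
    # Only import once: rpm stores imported keys as gpg-pubkey packages whose
    # summary carries the key's user ID. The matched string is an assumption about
    # the PackageHub key's user ID; matching on the key ID is the stricter choice.
    - unless: rpm -q gpg-pubkey --qf '%{SUMMARY}\n' | grep -qi 'package hub'
    - require:
      - file: packagehub_gpg_key_file
```

Apply it with the highstate, or target only the affected systems with the state. Because the import happens through an explicit, reviewable state rather than an automatic mechanism, the administrator sees exactly which key is being trusted on which clients, which is the point Julio raises about not making third-party key trust transparent.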