
Thread: zypper - non-interactive mode accepting only specific key

  1. #1

    zypper - non-interactive mode accepting only specific key

    Hi folks,

    Looking to automate addition of repo and software in Dockerfile.

    The goal is to automate snapd installation:

    Code:
    RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
    RUN zypper install snapd
    RUN systemctl enable --now snapd.socket
    What I am missing is how to make zypper non-interactive while still checking that the GPG key is valid. It is not about --no-gpg-check nor --gpg-auto-import-keys, but about the non-interactive import of a known key.

    Code:
    New repository or package signing key received:

      Repository:       snappy
      Key Name:         system:snappy OBS Project <system:snappy@build.opensuse.org>
      Key Fingerprint:  4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235
      Key Created:      Fri Jul  8 09:02:38 2016
      Key Expires:      Sun Sep 16 09:02:38 2018
      Rpm Name:         gpg-pubkey-ed340235-577f6c2e
    For security, I do not want to blindly accept any key.

  2. #2

    Re: zypper - non-interactive mode accepting only specific key

    You seem to assume that there is some database holding trusted GPG keys for OBS repos. I doubt that there is such a thing. Most likely it is up to the user to verify that the received key is valid. Hence, the non-interactive default is to reject, as the system cannot do the verification. If you do not want to auto-import keys, then you probably need to download the key, COPY it to the image and RUN some command to import it. Then it is a known key and the "received *new* key" message will not appear. That is, until the key expires.

  3. #3

    Re: zypper - non-interactive mode accepting only specific key

    Quote Originally Posted by markdd:
    You seem to assume that there is some database holding trusted GPG keys for OBS repos. I doubt that there is such a thing. Most likely it is up to the user to verify that the received key is valid. Hence, the non-interactive default is to reject, as the system cannot do the verification. If you do not want to auto-import keys, then you probably need to download the key, COPY it to the image and RUN some command to import it. Then it is a known key and the "received *new* key" message will not appear. That is, until the key expires.
    Ok, all I managed to do is this:

    Code:
    RUN zypper install -y curl
    RUN curl -fsSL https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/repodata/repomd.xml.key > /tmp/snappy.key
    RUN rpm --import /tmp/snappy.key
    RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
    RUN zypper install -y snapd
    RUN systemctl enable --now snapd.socket
    I could hold the whole body of the GPG key in the Dockerfile, but for now, fetching it over HTTPS will have to do. I am a bit surprised by the online consensus to simply accept any key that is presented (with no GPG check or the like). Kind of defies the purpose.
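    The procedure described in #2 and implemented in #3 downloads the key and runs an unconditional rpm --import, which trusts whatever the mirror served. The following script is an added example, not code from this thread or from openSUSE: it pins the key by its full fingerprint (the one zypper printed in #1) and only imports it into the rpm keyring when the fingerprint matches, so the build stays non-interactive without --gpg-auto-import-keys. It assumes GnuPG 2.1.14 or later (for --import-options show-only) and rpm are present in the build image; the script name pin-key.sh and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: import a repository signing key into
# the rpm keyring only if its fingerprint matches a value pinned in the Dockerfile.
# Assumptions: GnuPG 2.1.14+ (--import-options show-only) and rpm are installed
# in the build image. The fingerprint in the usage line at the bottom is the one
# zypper printed in post #1; the function and file names here are illustrative.
set -eu

# Canonical form for comparison: no whitespace, upper-case hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both arguments are the same full 40-hex-digit (OpenPGP v4)
# fingerprint. A short key id such as "ED340235" is rejected on purpose:
# short ids are cheap to collide and must never be used as a pin.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# rpm records an imported key as the package gpg-pubkey-<keyid>-<created>, where
# <keyid> is the low 32 bits of the fingerprint in lower-case hex; post #1 shows
# gpg-pubkey-ed340235-577f6c2e for this key.
key_id_from_fpr() {
    printf '%s\n' "$(normalize_fpr "$1")" | cut -c 33-40 | tr 'A-F' 'a-f'
}

# Print the primary-key fingerprint(s) in an ASCII-armoured key file without
# importing it: in gpg's --with-colons output the "fpr" record that follows
# each "pub" record carries the fingerprint in field 10.
key_fingerprint() {
    gpg --batch --quiet --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; want = 0 }'
}

# Import the key only when its primary fingerprint equals the pinned one, then
# confirm rpm knows it under the expected gpg-pubkey version (the key id).
import_pinned_key() {
    keyfile=$1
    pinned=$2
    actual=$(key_fingerprint "$keyfile" | head -n 1)
    if fpr_matches "$actual" "$pinned"; then
        rpm --import "$keyfile"
        rpm -q --qf '%{VERSION}\n' gpg-pubkey | grep -qx "$(key_id_from_fpr "$pinned")"
    else
        printf 'refusing to import %s: fingerprint "%s" does not match pinned "%s"\n' \
            "$keyfile" "$actual" "$pinned" >&2
        return 1
    fi
}

# Usage from a Dockerfile (hypothetical file name pin-key.sh):
#   RUN curl -fsSL https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/repodata/repomd.xml.key -o /tmp/snappy.key \
#    && sh /tmp/pin-key.sh /tmp/snappy.key "4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235"
if [ "$#" -eq 2 ]; then
    import_pinned_key "$1" "$2"
fi
```

    If the mirror serves a different key (a rotated key after the 2018 expiry shown in #1, or a tampered one), the build fails at this step instead of silently trusting it; the fix is then a deliberate edit of the pinned fingerprint in the Dockerfile. With the key already in the rpm keyring, the later zypper addrepo and zypper install -y steps see a known key and no longer prompt.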

  4. #4

    Re: zypper - non-interactive mode accepting only specific key

    I agree. On the other hand, most keys need to be verified by the user, i.e. get their trust level set manually. I think openSUSE could use its keys (the ones used for installation) to sign OBS repo keys and implement the logic to accept keys signed by already trusted keys. That would help. But I am not that much into PKI stuff.

  5. #5

    Re: zypper - non-interactive mode accepting only specific key

    Hi,

    I'm not really sure, but IIRC rpm can import the key from a remote site directly.
    "Unfortunately time is always against us" -- [Morpheus]

    .:https://github.com/Jetchisel:.
