zypper - non-interactive mode accepting only specific key

Hi folks,

Looking to automate addition of repo and software in Dockerfile.

The goal is to automate snapd installation:


RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
RUN zypper install snapd
RUN systemctl enable --now snapd.socket

What I am missing is how to make zypper non-interactive while still checking that the GPG key is valid. It is not about --no-gpg-check nor --gpg-auto-import-keys, but about non-interactive import of a known key.


New repository or package signing key received:

  Repository:       snappy
  Key Name:         system:snappy OBS Project <system:snappy@build.opensuse.org>
  Key Fingerprint:  4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235
  Key Created:      Fri Jul  8 09:02:38 2016
  Key Expires:      Sun Sep 16 09:02:38 2018
  Rpm Name:         gpg-pubkey-ed340235-577f6c2e


For security, I do not want to blindly accept any key.

You seem to assume that there is some database holding trusted GPG keys for OBS repos. I doubt that there is such a thing. Most likely it is up to the user to verify that the received key is valid. Hence, the non-interactive default is reject, as the system cannot do the verification. If you do not want to auto-import keys, then you probably need to download the key, COPY it to the image and RUN some command to import it. Then it is a known key and the “received new key” message will not appear. That is, until the key expires :wink:

Ok, all I managed to do is this:


RUN zypper install -y curl
RUN curl -fsSL https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/repodata/repomd.xml.key > /tmp/snappy.key
RUN rpm --import /tmp/snappy.key
RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
RUN zypper install -y snapd
RUN systemctl enable --now snapd.socket

I could hold whole body of GPG key in Dockerfile, but for now, fetching it with HTTPS will have to do. I am a bit surprised by online consensus to simply accept any key that is presented (with no gpg check or else). Kind of defies the purpose.
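Added example (my code, not from this thread or the openSUSE project): instead of trusting whatever the HTTPS fetch returns, pin the fingerprint zypper printed in the prompt above and check the downloaded key against it before `rpm --import` runs. It parses the ASCII-armored key and computes the OpenPGP v4 fingerprint itself, so it needs no gpg binary in the image; the test key, its timestamp and its modulus are constructed, meaningless values.

```python
import base64
import hashlib

# Fingerprint zypper printed in the thread's prompt, pinned here as the expected value.
EXPECTED_FPR = "4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235"

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, headers, CRC line) and return raw packet bytes."""
    lines = armored.strip().splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    data, in_headers = [], True
    for line in lines[start + 1:end]:
        if in_headers and (not line.strip() or ":" in line):  # "Key: value" headers end at a blank line
            in_headers = bool(line.strip())
            continue
        in_headers = False
        if not line.startswith("="):  # "=XXXX" is the armor CRC-24, not key data
            data.append(line.strip())
    return base64.b64decode("".join(data))

def first_packet(data: bytes):
    """Return (tag, body) of the first old-format OpenPGP packet (the header style gpg uses for keys)."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80:  # bit 7 set, bit 6 clear: old-format packet header
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    off = 1 + (1 << ltype)  # 1, 2 or 4 length bytes follow the header byte
    return tag, data[off:off + int.from_bytes(data[1:off], "big")]

def key_fingerprint(armored: str) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || public-key packet body), as upper-case hex."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def fingerprint_matches(armored: str, expected: str = EXPECTED_FPR) -> bool:
    """Compare with the pinned fingerprint, ignoring the spacing and case that zypper/gpg print."""
    return key_fingerprint(armored) == "".join(expected.split()).upper()

def make_test_key(n: int = 0xD1CEBA5EF00DCAFEBEEF123456789ABD, e: int = 65537) -> str:
    """Constructed sample: a well-formed but meaningless v4 RSA public-key packet, ASCII-armored."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)  # v4, ctime, RSA
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header: tag 6, 2-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed test key\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

In the Dockerfile, a RUN step that calls `fingerprint_matches(open("/tmp/snappy.key").read())` and exits non-zero on False, placed before the `rpm --import` line, fails the build on any key that does not carry the pinned fingerprint.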

I agree. On the other hand, most keys need to be verified by the user, i.e. get their trust level set manually. I think openSUSE could use its keys (the ones used for installation) to sign OBS repo keys and implement the logic to accept keys signed by already trusted keys. That would help. But I am not that much into PKI stuff.

Hi,

I’m not really sure but iirc rpm can import the key from a remote site directly.