Looking to automate addition of repo and software in Dockerfile.
The goal is to automate snapd installation:
RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
RUN zypper install snapd
RUN systemctl enable --now snapd.socket
What I am missing is how to make zypper non-interactive while it still checks that the GPG key is valid. It is not about --no-gpg-check nor --gpg-auto-import-keys, but about non-interactive import of a known key.
You seem to assume that there is some database holding trusted GPG keys for OBS repos. I doubt that there is such a thing. Most likely it is up to the user to verify that the received key is valid. Hence, the non-interactive default is reject, as the system cannot do the verification. If you do not want to auto-import keys, then you probably need to download the key, COPY it to the image and RUN some command to import it. Then it is a known key and the “received new key” message will not appear. That is, until the key expires.
RUN zypper install -y curl
RUN curl -fsSL https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/repodata/repomd.xml.key > /tmp/snappy.key
RUN rpm --import /tmp/snappy.key
RUN zypper addrepo http://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/ snappy
RUN zypper install -y snapd
RUN systemctl enable --now snapd.socket
I could hold the whole body of the GPG key in the Dockerfile, but for now, fetching it with HTTPS will have to do. I am a bit surprised by the online consensus to simply accept any key that is presented (with no GPG check or else). Kind of defies the purpose.
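An added example, not part of the original posts: one way to do the non-interactive import of a known key discussed above is to pin the SHA-256 digest of a key file that was verified out of band, and to import the downloaded key only when it matches. The script name import-key.sh, the function names and the PINNED_SHA256 placeholder are assumptions; the key URL is the one from the thread.

```shell
#!/bin/sh
# Added example: fail-closed import of a pinned repository signing key.
# KEY_URL comes from the thread; PINNED_SHA256 is a placeholder to replace with
# the digest of a key file you verified out of band.
KEY_URL="https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_42.3/repodata/repomd.xml.key"
PINNED_SHA256="REPLACE_WITH_SHA256_OF_VERIFIED_KEY"

# Succeeds only if FILE exists and its SHA-256 equals the pinned hex digest.
key_matches_pin() {
    file=$1
    pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    # Reject anything that is not exactly 64 hex characters (e.g. an empty pin
    # or the unreplaced placeholder), so a missing pin never passes.
    case $pin in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#pin}" -eq 64 ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$pin" ]
}

# Download the key, compare it against the pin, and import it only on a match.
import_pinned_key() {
    tmp=$(mktemp) || return 1
    if curl -fsSL "$1" -o "$tmp" && key_matches_pin "$tmp" "$2"; then
        rpm --import "$tmp"
        rc=$?
    else
        echo "signing key from $1 does not match the pinned digest" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run the import only when asked to, e.g. from a Dockerfile:
#   COPY import-key.sh /tmp/
#   RUN sh /tmp/import-key.sh --import
if [ "${1:-}" = "--import" ]; then
    import_pinned_key "$KEY_URL" "$PINNED_SHA256" || exit 1
fi
```

When the repository key is replaced or re-issued, the digest changes and the build stops until the new key has been checked and the pin updated.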
I agree. On the other hand, most keys need to be verified by the user, i.e. get their trust level set manually. I think openSUSE could use its keys (the ones used for installation) to sign OBS repo keys and implement the logic to accept keys signed by already trusted keys. That would help. But I am not that much into PKI stuff.