Environment
Open Enterprise Server 2018 (OES 2018) Linux
Situation
We have released the oes-build-key patch update for this purpose. Installing this patch adds the new 4096-bit key to the rpm keyring of each OES server. Because future updates of the OES packages will be signed with the 4096-bit key, the key must be in the keyring for those packages to install without issues or warnings. The warning will look something like this:
Key ID: ################
Key Name: Micro Focus Build Service (Contact security@novell.com) <OESBuild@novell.com>
Key Fingerprint: ########################################
Key Created: Fri Jan 4 06:26:53 ####
Key Expires: Wed Jan 3 06:26:53 ####
Repository: OES2015-SP1-Updates
Resolution
Common Scenarios:
1. Existing OES servers in the customer environment, after the release of the oes-build-key patch:
Since the OES2018-Updates and OES2015-SP1-Updates repos will have new keys, a pop-up message will prompt you to import the new keys into the rpm keyring.
- When the servers are updated with “yast2 online_update”, a pop-up is shown to Import/Trust the key; accept it and continue with the patch installation.
- When the servers are updated with “zypper patch”, the package-signing confirmation prompt is displayed; choose the “a”/trust always option and continue with the patch installation.
2. New server installation and channel registration, after the release of the oes-build-key patch:
- This case applies when a *new* server is installed and *newly* subscribed to channels (after the release of the oes-build-key patch). Since the OES2018 updates or OES2015-SP1 updates repos will have new keys, a pop-up message will prompt you to import the new keys into the rpm keyring.
3. SUSE Manager, after the release of the oes-build-key patch:
- If SUSE Manager is used to manage OES patches, the new keys will cause an error while mirroring. Do the following to import the new key and avoid the errors:
- Run the spacewalk-repo-sync -c <any-OES-channels> command.
For example, spacewalk-repo-sync -c oes2015-sp1-pool-x86_64.
- When you are prompted to import the keys, import the keys and continue.
Additional Information
How does it affect OES Servers?
There will be a one-time pop-up during patching of the OES servers. The user can proceed with patching by choosing the option to import/accept the key, as described in the section above.
FAQ:
[1] If servers haven’t been updated for the last 6/12 months, are they affected when they are patched after this oes-build-key patch?
Ans: All packages should get installed without any issues.
[3] Are there any other pop-ups or warnings during the patch installation?
Ans: There will be no more pop-ups once you accept/import the key, but a warning may still appear during package installation in a few cases if the “oes-build-key” patch is not installed on the server:
3a) PTFs: Newly signed PTFs will show a warning (as below) during each package installation.
3b) Manual package installation: Newly signed packages, such as those downloaded directly from patch-finder/nu.novell.com, will also show a warning (as below) during their installation.
Installing: <package name> [done]
Additional rpm output:
warning: /var/cache/zypp/packages/dsd/rpm/x86_64/<package name>: Header V3 RSA/SHA256 signature: NOKEY, key ID 04881839
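A check for the warning shown above, as an added example that is not part of the original article: it extracts the key IDs from NOKEY warnings in saved zypper/rpm output and reports any that are absent from the rpm keyring. The function names and the sample package names are constructed for illustration; the key ID is the one from the warning above.

```shell
#!/bin/sh
# Added example: audit NOKEY warnings against the rpm keyring.

# Constructed sample of zypper/rpm output; the package names are made up.
sample_log() {
cat <<'EOF'
Installing: example-pkg-a [done]
Additional rpm output:
warning: /var/cache/zypp/packages/dsd/rpm/x86_64/example-pkg-a.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 04881839
Installing: example-pkg-b [done]
Additional rpm output:
warning: /var/cache/zypp/packages/dsd/rpm/x86_64/example-pkg-b.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 04881839
Installing: example-pkg-c [done]
EOF
}

# stdin: installer output. stdout: each distinct key ID from a NOKEY warning.
nokey_ids() {
    sed -n 's/^warning: .*signature: NOKEY, key ID \([0-9A-Fa-f]\{8,16\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Key IDs currently trusted by rpm. Each imported public key is stored as a
# pseudo-package gpg-pubkey-<keyid>-<timestamp>; VERSION is the 8-digit key ID.
keyring_ids() {
    rpm -q gpg-pubkey --qf '%{VERSION}\n' 2>/dev/null | sort -u
}

# stdin: key IDs from nokey_ids. $1: newline-separated keyring IDs.
# stdout: the key IDs that are not in the keyring.
missing_keys() {
    while read -r id; do
        short=$(printf '%s' "$id" | sed 's/.*\(........\)$/\1/')  # last 8 hex digits
        printf '%s\n' "$1" | grep -qx "$short" || printf '%s\n' "$id"
    done
}

# Demo on the constructed sample; on a real server, feed saved zypper output.
sample_log | nokey_ids | missing_keys "$(keyring_ids)"
```

Any key ID this prints is one rpm could not verify against; confirm the oes-build-key patch is installed before trusting further packages signed with it.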