OES Server Updates Prompting for Install of new RPM Keyring

  • 7023680
  • 28-Jan-2019
  • 23-Feb-2019

Environment

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Open Enterprise Server 2018 (OES 2018) Linux

Situation

Due to an upgrade of the package-signing key from 2048-bit to 4096-bit (RSA-based GPG keys), OES users might see new warnings during patch updates, as explained in this document.

We have released the oes-build-key patch update to address this. Installing this patch adds the new 4096-bit key to the rpm keyring of each OES server. Because future updates of the OES packages will be signed with the 4096-bit key, this key must be in the keyring for those OES packages to install without issues or warnings. The warning will look something like this:
 
New repository or package signing key received:
Key ID: ################
Key Name: Micro Focus Build Service (Contact security@novell.com) <OESBuild@novell.com>
Key Fingerprint: ########################################
Key Created: Fri Jan  4 06:26:53 ####
Key Expires: Wed Jan  3 06:26:53 ####
Repository: OES2015-SP1-Updates
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r):

Resolution

The Situation headings are included here to identify specific solutions:

Common Scenarios:

1. Existing OES servers in the customer environment after the release of the oes-build-key patch:
Since the OES2018-Updates and OES2015-SP1-Updates repos will have new keys, a pop-up message will be shown to import the new keys into the rpm keyring.

    - When the servers are updated with “yast2 online_update”, a pop-up is shown to Import/Trust the key; accept it and continue with the patch installation.
    - When the servers are updated with “zypper patch”, the package-signing confirmation prompt is displayed; choose the “a” (trust always) option and continue with the patch installation.

2. New server(s) installation and channel registration after the release of the oes-build-key patch:
     - This case applies when a *new* server is installed and *newly* subscribed to channels (after the release of the oes-build-key patch). Since the OES2018 updates or OES2015-SP1 updates repos will have new keys, a pop-up message will be shown to import the new keys into the rpm keyring.

3. SUSE Manager, after the release of the oes-build-key patch:
     - If SUSE Manager is used for managing OES patches, the new keys will cause an error while mirroring. Follow the steps below to import the new key and avoid the errors:

 - Run the spacewalk-repo-sync -c <any-OES-channels> command.
     For example, spacewalk-repo-sync -c oes2015-sp1-pool-x86_64.
 - When you are prompted to import the keys, import the keys and continue.

Additional Information

How does it affect OES Servers?

There will be a one-time pop-up during the patching of the OES servers; the user can proceed with the patching by choosing the option to import/accept the key, as mentioned in the section above.


FAQ:

[1] If servers haven’t been updated for the last 6/12 months, are they affected when they are patched after this oes-build-key patch?
Ans: All packages should get installed without any issues.

[2] If servers haven’t been updated for the last 6/12 months, are they affected when they are patched in the future? (i.e. the next bimonthly patches, e.g. patching in April 2019)
Ans: All packages should get installed without any issues.

[3] Any other pop-up or warnings during the patch installation?
Ans: There will be no more pop-ups once you accept/import the key, but there might be a running warning during package installation in a few cases if the “oes-build-key” patch is not installed on the server:

 3a) PTFs – Newly signed PTFs will show a warning (as below) during each package installation.
 3b) Manual package installation – Newly signed packages, such as those downloaded directly from patch-finder/nu.novell.com, will also show a warning (as below) during their installation.
-------------------------------------------- Sample warning----------------------------------------------------------------
Installing: <package name> [done]
Additional rpm output:
warning: /var/cache/zypp/packages/dsd/rpm/x86_64/<package name>: Header V3 RSA/SHA256 signature: NOKEY, key ID 04881839
----------------------------------------------------------------------------------------------------------------------------------
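
To find servers that still produce this warning, the key IDs named in saved NOKEY warnings can be compared with the keys present in the rpm keyring. The script below is an added example, not part of the original article or of any Micro Focus tooling; the function names and the sample log are constructed for illustration, and keyring_ids assumes rpm lists each imported key as a gpg-pubkey pseudo-package.

```shell
#!/bin/sh
# Added example (not vendor code). SAMPLE_LOG is constructed; the key ID in it
# is the one shown in the article's sample warning, the package names are made up.
SAMPLE_LOG='Installing: example-pkg-1.0-1 [done]
Additional rpm output:
warning: /var/cache/zypp/packages/dsd/rpm/x86_64/example-pkg-1.0-1.x86_64.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 04881839
Installing: other-pkg-2.0-1 [done]'

# Read installer output on stdin and print the unique key IDs (lowercase)
# that appear in "signature: NOKEY" warnings, one per line.
nokey_ids() {
    sed -n 's/.*signature: NOKEY, key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# Print the short IDs of the keys in the rpm keyring. Each imported key is a
# gpg-pubkey pseudo-package whose VERSION is the last 8 hex digits of the key ID.
keyring_ids() {
    rpm -q gpg-pubkey --qf '%{VERSION}\n' | tr 'A-F' 'a-f' | sort -u
}

# missing_keys LOG KEYRING
# Print the short ID of every key that LOG reports as NOKEY and that is not in
# KEYRING (a newline-separated list of short IDs). Prints nothing when the
# keyring already holds every key the log complains about.
missing_keys() {
    log=$1
    keyring=$2
    for id in $(printf '%s\n' "$log" | nokey_ids); do
        # Reduce 16-digit key IDs to the 8-digit form rpm uses for gpg-pubkey.
        short=$(printf '%s\n' "$id" | sed 's/.*\(.\{8\}\)$/\1/')
        printf '%s\n' "$keyring" | grep -qx "$short" || printf '%s\n' "$short"
    done
}

# Typical use on a server, with patch.log a hypothetical file of saved output:
#   missing_keys "$(cat patch.log)" "$(keyring_ids)"
```

Any ID it prints identifies a signing key the keyring lacks; confirm that key's fingerprint against the vendor's published value before importing it.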