
avoid unsigned repository warning on SLES

Open dirkmueller opened this issue 1 year ago • 1 comment

When you run the installation on SLES 15.6, you get the following error message on zypper ref:

ca398dea2018:~/backup # zypper ref
Refreshing service 'container-suseconnect-zypp'.
Repository 'SLE_BCI' is up to date.
Looking for gpg key ID C155581D in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID C155581D in repository Passbolt Server.
  gpgkey=https://download.passbolt.com/pub.key
Warning: File 'repomd.xml' from repository 'Passbolt Server' is signed with an unknown key 'DE8B853FC155581D'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'Passbolt Server' is signed with an unknown key 'DE8B853FC155581D'.
Continue? [yes/no] (no): 

This is a known quirk. zypper expects the key to be importable from the URL $baseurl/repodata/repomd.xml.key, which does not exist in that repository. Alternatively, it looks for the key under /var/cache/zypp/pubkeys/, where we can preseed the key.

Here's a patch that does that:

--- passbolt-repo-setup.ce.sh        2024-05-07 18:35:49.388473815 +0000
+++ passbolt-repo-setup.ce.sh   2024-05-07 18:40:26.799447621 +0000
@@ -296,6 +296,10 @@
 EOF
   elif [ "${PACKAGE_MANAGER}" = "zypper" ]
   then
+    curl -sfL https://download.passbolt.com/pub.key -o /var/cache/zypp/pubkeys/gpg-pubkey-c155581d-624724e9.key
+    if ! gpg --disable-dirmngr --no-default-keyring --show-keys --with-fingerprint /var/cache/zypp/pubkeys/gpg-pubkey-c155581d-624724e9.key | grep -q "3D1A 0346 C8E1 802F 774A  EF21 DE8B 853F C155 581D" ; then
+         _error_exit "Unexpected fingerprint for passbolt repository"
+    fi
     cat << EOF | tee /etc/zypp/repos.d/passbolt.repo > /dev/null
 [passbolt-server]
 name=Passbolt Server
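Review bot: the key is written straight into /var/cache/zypp/pubkeys/ by the curl line before its fingerprint is checked, so on a mismatch the untrusted file is left behind in exactly the directory zypper consults, and because curl's exit status is not checked, a failed download (network error, or the pubkeys directory not existing yet for -o) surfaces as the misleading "Unexpected fingerprint for passbolt repository" message when gpg is then run on a missing file. Download to a mktemp file, fail on a non-zero curl status, run the fingerprint check against that temporary file, and only then mkdir -p /var/cache/zypp/pubkeys/ and move it to gpg-pubkey-c155581d-624724e9.key. Matching the spaced string "3D1A 0346 C8E1 802F 774A  EF21 DE8B 853F C155 581D" with grep -q also ties the check to gpg's human-readable layout; gpg --with-colons --show-keys and comparing field 10 of the fpr record is stable across versions. Finally, the 624724e9 suffix in the cache file name is an unexplained constant and deserves a comment saying where it comes from.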

dirkmueller, May 07 '24 18:05
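The verify-then-preseed step described above, written as an added example rather than code from the passbolt setup script or the posted patch. It downloads the key to a temporary file, compares the primary key fingerprint (taken from gpg's machine-readable --with-colons output, not its human-readable layout) against the expected value from the patch, and only then places the file under /var/cache/zypp/pubkeys/. The cache file name is kept verbatim from the patch; the function names and the SAMPLE_COLONS listing are constructed for this example and are not real gpg output for the Passbolt key.

```shell
#!/bin/sh
# Added example, not the project's own code: preseed the zypper pubkey cache
# only after the downloaded key's primary fingerprint has been verified.
set -eu

KEY_URL="https://download.passbolt.com/pub.key"      # URL from the issue
PUBKEYS_DIR="/var/cache/zypp/pubkeys"                  # cache dir from the issue
KEY_NAME="gpg-pubkey-c155581d-624724e9.key"            # name used in the posted patch
# Expected primary-key fingerprint from the posted patch, spacing removed.
EXPECTED_FPR="3D1A0346C8E1802F774AEF21DE8B853FC155581D"

# Constructed sample of gpg --with-colons output (not real output for this key):
# a pub record, its fpr record, one uid, one sub and the subkey's fpr record.
SAMPLE_COLONS='pub:-:4096:1:DE8B853FC155581D:1700000000:::-:::scESC::::::23::0:
fpr:::::::::3D1A0346C8E1802F774AEF21DE8B853FC155581D:
uid:-::::1700000000::0000000000000000000000000000000000000000::constructed example <key@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1700000000::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Drop spaces and upper-case a fingerprint so both spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons records on stdin and print the primary key's
# fingerprint: the first "fpr" record after the "pub" record, field 10.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# Succeed only when both fingerprints are present and equal after normalising.
fpr_matches() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Succeed only when the key file's primary fingerprint is the expected one.
key_file_matches() {
    actual="$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fpr_from_colons)"
    fpr_matches "$actual" "$2"
}

# Download to a temp file, verify, then install. A bad download or a wrong
# fingerprint never leaves a file behind in the directory zypper consults.
install_repo_key() {
    tmp="$(mktemp)" || return 1
    if ! curl -sfL "$KEY_URL" -o "$tmp"; then
        rm -f "$tmp"; echo "download of $KEY_URL failed" >&2; return 1
    fi
    if ! key_file_matches "$tmp" "$EXPECTED_FPR"; then
        rm -f "$tmp"; echo "unexpected fingerprint for $KEY_URL" >&2; return 1
    fi
    if ! mkdir -p "$PUBKEYS_DIR" || ! cp "$tmp" "$PUBKEYS_DIR/$KEY_NAME"; then
        rm -f "$tmp"; echo "could not install key into $PUBKEYS_DIR" >&2; return 1
    fi
    rm -f "$tmp"
    chmod 0644 "$PUBKEYS_DIR/$KEY_NAME"
}

# Only touch the network and the cache directory when explicitly asked.
if [ "${1:-}" = "--install" ]; then
    install_repo_key
fi
```

Run it as root with --install; without that flag it only defines the functions. Note that only the primary key fingerprint is compared, which is what identifies the key, and that the comparison is done on the fpr record rather than on the 0x...C155581D key ID, since the short ID is what zypper reports as unknown but the fingerprint is what the patch pins.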