How to import suse_key for signed PTF packages

This document (7016511) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Desktop 15

Situation

While fixing OS issues, it might be needed to install a PTF (= Problem Temporary Fix) into a production system.

The packages SUSE provides are signed against a special PTF key.

This key is not imported by default on SLES 12 and SLES 15 systems, even though it is provided by the suse-build-key RPM package that is being installed automatically.

Error seen while installing a PTF patch using zypper:
Looking for gpg key ID B37B98A9 in cache /var/cache/zypp/pubkeys.
Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
<name of ptf file> (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): 

 

Resolution

In order to be able to install a PTF on SLES, this GPG key needs to be manually imported first. 

This can be achieved by issuing the following command:
rpm --import /usr/share/doc/packages/suse-build-key/suse_ptf_key.asc

In March 2022, SUSE exchanged the key to meet new security requirements. For those who had previously imported the GPG key, please update the suse-build-key package to its newest version and then import the new GPG key with "rpm --import /usr/share/doc/packages/suse-build-key/suse_ptf_key.asc"

The new GPG key's ID is 6F5DA62B:
pub   rsa2048/0x46DFA05C6F5DA62B 2022-02-25 [SC] [expires: 2026-02-24]
      Key fingerprint = 1604 494D 38DA 2FA7 AA26  97AE 46DF A05C 6F5D A62B
uid                   [ unknown] SUSE PTF Signing Key <support@suse.com>


For AutoYaST-driven installations, this behavior causes a problem as the PTF key signature is no longer contained in the initrd and needs to be loaded in addition. The following pre-install part for AutoYaST will show how to import the PTF key from a HTTP-source:
 
  <scripts>
    <pre-scripts config:type="list">
      <script>
        <interpreter>shell</interpreter>
        <filename>start.sh</filename>
        <source>
        <![CDATA[
#!/bin/sh
/usr/bin/rpm --import http://FQDN/path/suse_ptf_key.asc
]]>
        </source>
      </script>
    </pre-scripts>
  </scripts>

Additional Information

Please also visit TID 000018572 for "Best practices for applying Program Temporary Fixes (PTFs)".


NOTE on PTFs released before April 2022:

If a PTF from before April 2022 has to be installed, the old PTF signing key must be imported as well:

rpm --import /usr/share/doc/packages/suse-build-key/suse_ptf_key_old.asc

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016511
  • Creation Date: 20-May-2015
  • Modified Date:25-Apr-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center