Importing third-party and custom repository GPG keys

SUSE Multi-Linux Manger 5.x

GPG keys manually imported from third-party and custom repositories are lost after the MLM server container is restarted.

Errors similar to the following may be observed in the synchronization logs for third-party or custom repositories:

RepoMDError: Cannot access repository.
Repository 'ibm-power-tools-ppc64le-sap-sp5' is invalid.
[ibm-power-tools-ppc64le-sap-sp5|https://public.dhe.ibm.com/software/server/POWER/Linux/yum/OSS/SLES/15/ppc64le/] Failed to retrieve new repository metadata.
History:
- Signature verification failed for repomd.xml
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'ibm-power-tools-ppc64le-sap-sp5' because of the above error.
Could not refresh the repositories because of errors.

To import a GPG key, use the following command syntax, executing the command on the MLM host server :

# mgradm gpg add <path-to-gpg-key-file-or-URL>

Example of adding a GPG key from a file: 

# mgradm gpg add repomd.xml.key

Example of adding a GPG key from a remote repository using a URL:

# mgradm gpg add https://public.dhe.ibm.com/software/server/POWER/Linux/yum/OSS/SLES/15/ppc64le/repodata/repomd.xml.key

The process for handling third-party and customer GPG keys has changed from the methods used in previous versions.

When the Multi-Linux Manager product was containerized, several areas of the directory structure were intentionally changed to become volatile. Therefore any files in these areas are lost after the current container instance is shut down or restarted. One of the directory areas affected was the location that was previously used to hold the database containing imported third-party and custom GPG keys.

The Multi-Linux Manager product includes the ability to synchronize the content of optional third-party repositories with some of the products that can be managed by MLM.

Some third party GPG keys are included by default in the MLM database and some are not included. For those third-party keys that are not included, it will be necessary to use the 'mgradm gpg add <path-to-gpg-key-file-or-URL>' command to import the relevant keys when choosing to synchronize such third-party repositories.

To list the keys currently held in the MLM GPG database, the following command can be used from inside the MLM server container:

# gpg --homedir /var/lib/spacewalk/gpgdir --list-keys