Adding a Key to the SUSE Installer
For optimal security the SUSE installer verifies the integrity of the components used for installation. This includes the installation media/repository, the individual software packages, as well as driver update media pulled from network locations. The verification is ultimately achieved using GPG signatures. The installer has a GPG keyring containing a list of known and trusted public keys. Any payload signed with a key in the installer keyring is considered secure and trusted.
When adding custom or third-party payloads, such as software packages or driver update images, that have been signed with their own keys, the corresponding public keys must be added to the installer keyring. This document describes how to do that.
Obtain Public Key
When integrating a signed payload for use with the installation of SUSE products, the public key is required for verification. Usually the public key is obtained from the same location as the signed item. When signing the payload yourself, you will need to use gpg to export the public key based on the KEYID or USERID of the signing key as follows:
gpg --export --armor (KEYID or USERID)
If obtaining the key from a third party, it is important to verify the integrity of that key. For instance, when downloading a public key, make sure a secure and properly validated SSL connection to a trusted source is used, and validate the public key’s fingerprint using a trusted method.
Once you have the public key, it’s time to add it to the installer key ring as described in the following sections.
Extracting the Installer Keyring
The installer keyring is located on the installer initial RAM disk, or initrd, which is found on the SUSE media under boot/<arch>/loader/initrd. The initrd image is a compressed cpio archive. In SUSE Linux Enterprise 11 it is compressed using gzip; with SUSE Linux Enterprise 12, xz compression is used.
Put a copy of the installer initrd into a working directory and from within that directory create an uncompressed copy:
SUSE Linux Enterprise 11:
zcat initrd > initrd.cpio
SUSE Linux Enterprise 12:
xzcat initrd > initrd.cpio
The installer keyring is located in a file named installkey.gpg at the base of the initrd file system. To extract the installer keyring use the following command:
cpio -i -F initrd.cpio installkey.gpg
At this point you should have a file named installkey.gpg in the current working directory. Inspect the contents of the keyring using the following command:
gpg --list-packets installkey.gpg
Show just the key IDs:
gpg --list-packets installkey.gpg | grep keyid:
Add New Key to Keyring
Next we will add the new public key to the installer keyring. Adding a key contained in the file mykey.gpg is accomplished as follows:
gpg --import --no-default-keyring --keyring ./installkey.gpg mykey.gpg
Validate that the key has been imported by listing the key IDs of the keyring:
gpg --list-packets installkey.gpg | grep keyid:
Adding the Updated Keyring to the Initrd
Finally we need to add the updated keyring to the initrd image. We do this by simply appending the new file to the end of the cpio image; when the initrd is unpacked at boot, the later entry replaces the original installkey.gpg:
echo "installkey.gpg" | cpio -o -H newc -A -F initrd.cpio
The last step is to compress the initrd image:
SUSE Linux Enterprise 11:
gzip --best < initrd.cpio > initrd
SUSE Linux Enterprise 12:
xz --check=crc32 < initrd.cpio > initrd
That’s it! The updated initrd can now be used to initiate installation (e.g. via PXE) of SUSE Linux Enterprise Server or Desktop and validate additional packages or update media signed with custom keys.
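The whole procedure above, as an added shell script that is not part of the SUSE documentation: it detects the initrd compression from the file's magic bytes instead of the product version, checks that installkey.gpg was actually found and that the import added a new key ID, then appends the keyring and recompresses. It assumes gpg, cpio, gzip and xz are installed; the file names (initrd, installkey.gpg, mykey.gpg) are the ones used in the text.

```shell
#!/bin/sh
# Added example, not SUSE's own tooling: rebuild an installer initrd with one
# extra public key, checking each step instead of assuming it worked.
# Assumes gpg, cpio, gzip and xz are installed.
set -eu

# Detect the initrd compression from its magic bytes rather than from the
# product version: gzip starts with 1f 8b, xz with fd 37 7a 58 5a 00.
detect_compression() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)        echo gzip ;;
        fd377a585a00) echo xz ;;
        *)            echo unknown; return 1 ;;
    esac
}

# Print the sorted, unique key IDs found in a keyring or exported key file
# (the same "gpg --list-packets | grep keyid:" check used in the text).
keyring_keyids() {
    gpg --list-packets "$1" | awk '/keyid:/ { print $NF }' | sort -u
}

# add_key_to_initrd <initrd> <public-key-file> <output-initrd>
add_key_to_initrd() {
    initrd=$1; pubkey=$2; out=$3
    comp=$(detect_compression "$initrd")
    work=$(mktemp -d)
    case "$comp" in
        gzip) zcat "$initrd" > "$work/initrd.cpio" ;;   # SLE 11 style
        xz)   xzcat "$initrd" > "$work/initrd.cpio" ;;  # SLE 12 style
    esac
    ( cd "$work" && cpio -i -F initrd.cpio installkey.gpg )
    [ -s "$work/installkey.gpg" ] || { echo "no installkey.gpg in initrd" >&2; return 1; }
    before=$(keyring_keyids "$work/installkey.gpg" | wc -l)
    gpg --import --no-default-keyring --keyring "$work/installkey.gpg" "$pubkey"
    after=$(keyring_keyids "$work/installkey.gpg" | wc -l)
    # A key that was already present, or a file that is not a key, adds nothing.
    [ "$after" -gt "$before" ] || { echo "no new key ID in keyring" >&2; return 1; }
    # Append the updated keyring; the later entry wins when the initrd is unpacked.
    ( cd "$work" && echo installkey.gpg | cpio -o -H newc -A -F initrd.cpio )
    case "$comp" in
        gzip) gzip --best < "$work/initrd.cpio" > "$out" ;;
        xz)   xz --check=crc32 < "$work/initrd.cpio" > "$out" ;;
    esac
    rm -rf "$work"
}
```

Run it as `add_key_to_initrd initrd mykey.gpg initrd.new` from the working directory; the input initrd is left untouched.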