Adding a Key to the SUSE Installer¶

For optimal security the SUSE installer verifies the integrity of the parts used for installation. This includes the installation media/repository, the individual software packages, as well as driver update media pulled from network locations. The verification is ultimately achieved using GPG signatures. The installer has a GPG key ring containing a list of known and trusted public keys. Any payloads signed with a key in the installer keyring is considered secure and trusted.

When adding custom or third party payloads like software packages or driver update images that have been signed with their own unique keys it’s required to add the public keys to the installer key ring. This document describes how to do that.

Obtain Public Key¶

When integrating a signed payload for use with installation of SUSE products, the public key is required for verification. Usually the public key is obtained from the same location as the signed item. When signing the payload yourself, you will need to use gpg to export the public key based on the KEYID or USERID of the signing key as follows:

gpg --export --armor (KEYID or USERID)

If obtaining the key from a third party, it’s important to verify the integrity of that key. For instance when downloading a public key, make sure a secure and properly validated SSL connection from a trusted source is used. Validate the public key’s fingerprint using a trusted method.

Once you have the public key, it’s time to add it to the installer key ring as described in the following sections.

Extracting the Installer Keyring¶

The installer keyring is located on the installer initial ram disk or initrd. This is located on the SUSE media under boot/<arch>/loader/initrd. The initrd image is a compressed cpio archive. In SUSE Linux Enterprise 11 it is compressed using gzip. With SUSE Linux Enterprise 12 xz compression is used.

Put a copy of the installer initrd into a working directory and from within that directory create an uncompressed copy:

SUSE Linux Enterprise 11:

zcat initrd > initrd.cpio

SUSE Linux Enterprise 12:

xzcat initrd > initrd.cpio

The installer keyring is located in a file named installkey.gpg at the base of the initrd file system To extract the installer keyring use the following command:

cpio -i -F initrd.cpio installkey.gpg

At this point you should have a file named installkey.gpg in the current working directory. Inspect the contents of the keyring using the following command:

gpg --list-packets installkey.gpg

Show just the keyids:

gpg --list-packets installkey.gpg | grep keyid:

Add New Key to Keyring¶

Next we will add the new public key to the installer keyring. Adding a key contained in the file mykey.gpg is accomplished as follows:

gpg --import --no-default-keyring --keyring ./installkey.gpg mykey.gpg

Validate that they key has been imported by listing the key ids of the keyring:

gpg --list-packets installkey.gpg | grep keyid:

Adding the Updated Keyring to the Initrd¶

Finally we need to add the updated keyring to the initrd image. We do this by simply appending the new file to the end of the cpio image:

echo "installkey.gpg" | cpio -o -H newc -A -F initrd.cpio

The last step is to compress the initrd image:

SUSE Linux Enterprise 11:

gzip --best < initrd.cpio > initrd

SUSE Linux Enterprise 12:

xz --check=crc32 < initrd.cpio > initrd

That’s it! The updated initrd can now be used to initiate installation (e.g. via PXE) of SUSE Linux Enterprise Server or Desktop and validate additional packages or update media signed with custom keys.