SolidDriver User Guide

Signing Update Media

When the SUSE installer pulls update media (aka Driver Update Disk or DUD) from a network location, it will check for a digital signature that can be validated with a known key. Without a signature, the integrity of the update payload nor it’s network based origin can not be validated or considered secure.

If the update media is not signed, a warning will be issued to the user asking to abort the installation or continue in an insecure mode.

If the update media is signed, but the signature can’t be verified with a known public key, the installation will be aborted.

To skip the signature verifications, the installation option insecure=1 can be used. For more information on the insecure option see the linuxrc documentation.

Signing of the update media can be done using the gpg command. The following steps are required:

  1. Generate a GnuPG keypair
  2. Create a detached signature of the update media

If keypair already exists for signing, the first step can be skipped.

Generate a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair, proceed as follows:

  1. Type the following command as root on the shell prompt:

     gpg --gen-key
  2. The command will prompt for key type. Choose option (2) DSA and ElGamal. This allows you to create a digital signature and encrypt/decrypt with two types of technologies.

  3. Choose the key size. The longer the key, the more resistant against attacks the messages are. Creating a key of at least 2048 bits in size is recommended.

  4. Next, specify how long the key needs to be valid. When choosing an expiration date, remember that anyone using the public key must also be informed of the expiration and supplied with a new public key. We recommended to not select an expiration date. If you do not specify an expiration date, you are asked to confirm that the key should not expire.

  5. In the next steps, provide a User-ID containing your name, your email address, and an optional comment. When finished, you are presented with a summary of the information you entered. Accept your choices and enter a passphrase.

NOTE: A good passphrase is essential for optimal security in GnuPG. Mix your passphrase with uppercase and lowercase letters, use numbers or punctuation marks.

  1. Once you enter and verify your passphrase, the keys are generated. A message will ask you to move the mouse or otherwise interact with the system to generate random data for the key. This part of the key generation process may take several minutes. When the activity on the screen ceases, your new keys are placed in the directory .gnupg in root’s home directory. This is the default location for keys generated by the root user.

To list the root keys, use the gpg --list-keys command.

Signing the Update Media

Once a GnuPG keypair has been created, gpg can be used to sign files. In this case we will create a detached signature of the update media. The update media in this example resides on an ISO image with the file name my_dud.iso.

Use the following command to create the signature:

gpg --detach-sign --armor my_dud.iso

This will create a detached signature in a file called my_dud.iso.asc. The signature should be placed in the same location as the update media so that the installer will find it.

NOTE: *In order for the installer to identify the signature and the file its signing, the name of the signature must be the same as the signed file with the addition of the .asc extension.

Signature Verification

In order for the installer to verify the signature, the public key of the signing keypair must exist in the installer keyring. See the next section Adding a Key to the SUSE Installer section for instructions on how to do that.