Use Katello API for GPG pub keys of custom content (#3380)
If you register a host that requires content from Foreman+Katello and
you have that content already synchronized to your Foreman+Katello
instance and that content is published unprotected, then you can use the
Katello API to get the associated GPG public key for Yum
repositories and the Pulp Deb Signing Key for Deb content.

Examples:

* Your host runs Debian 12 and needs "subscription-manager" from
  oss.atix.de and additional Deb repositories to satisfy all
  dependencies of "subscription-manager" and "katello-host-tools".
* Your host runs AlmaLinux 9 but has no internet access and no mounted
  ISO image. You will have to provide BaseOS, AppStream, and the Foreman
  Client repository through your Smart Proxy to enable offline host
  registration.

With GPG public keys, package managers can verify that the package has
not been tampered with by verifying the signature made by the OS/package
vendor. "apt" on Debian/Ubuntu verifies the metadata of repositories.
maximiliankolb authored Nov 13, 2024
1 parent 8b61d37 commit 90511ba
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions guides/common/modules/proc_registering-a-host.adoc
@@ -67,6 +67,18 @@ If an attacker, located in the network between {Project} and your host, fetches
Therefore, if you have chosen to deploy SSH keys during registration, the attacker will be able to access your host using the SSH key.
* On the *Advanced* tab, in the *Repositories* field, you can list repositories to be added before the registration is performed.
You do not have to specify repositories if you provide them in an activation key.
ifdef::orcharhino[]
ifdef::debian,ubuntu[]
+
To verify synchronized {client-content-type} content, you can use the `pulp_deb_signing.key` file on your {SmartProxy} as GPG public key.
For example, `\https://{foreman-example-com}/pub/pulp_deb_signing.key`.
endif::[]
ifndef::debian,ubuntu[]
+
To verify synchronized {client-content-type} content, you can use {Project} API to get associated GPG public keys of repositories.
For example, `\https://{foreman-example-com}/katello/api/v2/repositories/_My_Repository_ID_/gpg_key_content`.
endif::[]
endif::[]
* On the *Advanced* tab, in the *Token lifetime (hours)* field, you can change the validity duration of the JSON Web Token (JWT) that {Project} uses for authentication.
The duration of this token defines how long the generated registration command works.
+
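Review bot: the added paragraphs leave the trust anchor for the fetched key unstated; both `pulp_deb_signing.key` and the `gpg_key_content` response are only as trustworthy as the TLS connection they arrive over, and the context lines just above this hunk already describe an attacker positioned between {Project} and the host. Consider adding one sentence that the host must validate the {Project} or {SmartProxy} certificate before importing the key (for example, by fetching it with the {Project} CA trusted), since a key obtained over an unverified connection defeats the package verification the paragraph is meant to enable. Minor style point in the `ifndef::debian,ubuntu[]` branch: "you can use {Project} API" should read "you can use the {Project} API".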
