From 90511bae30999298439f39768a127369b90882c4 Mon Sep 17 00:00:00 2001 From: Maximilian Kolb Date: Wed, 13 Nov 2024 12:41:37 +0100 Subject: [PATCH] Use Katello API for GPG pub keys of custom content (#3380) If you register a host that requires content from Foreman+Katello and you have that content already synchronized to your Foreman+Katello instance and that content is published unprotected, then you can use the Katello API to get the associated GPG public key for Yum repositories and the Pulp Deb Signing Key for Deb content. Examples: * Your host runs Debian 12 and needs "subscription-manager" from oss.atix.de and additional Deb repositories to satisfy all dependencies of "subscription-manager" and "katello-host-tools". * Your host runs AlmaLinux 9 but has no internet access and no mounted ISO image. You will have to provide BaseOS, AppStream, and the Foreman Client repository through your Smart Proxy to enable offline host registration. With GPG public keys, package managers can verify that the package has not been tampered with by verifying the signature made by the OS/package vendor. "apt" on Debian/Ubuntu verifies the meta data of repositories. --- guides/common/modules/proc_registering-a-host.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/guides/common/modules/proc_registering-a-host.adoc b/guides/common/modules/proc_registering-a-host.adoc index ccc08ccf9e..8da3bb47bc 100644 --- a/guides/common/modules/proc_registering-a-host.adoc +++ b/guides/common/modules/proc_registering-a-host.adoc @@ -67,6 +67,18 @@ If an attacker, located in the network between {Project} and your host, fetches Therefore, if you have chosen to deploy SSH keys during registration, the attacker will be able to access your host using the SSH key. * On the *Advanced* tab, in the *Repositories* field, you can list repositories to be added before the registration is performed. You do not have to specify repositories if you provide them in an activation key. +ifdef::orcharhino[] +ifdef::debian,ubuntu[] ++ +To verify synchronized {client-content-type} content, you can use the `pulp_deb_signing.key` file on your {SmartProxy} as GPG public key. +For example, `\https://{foreman-example-com}/pub/pulp_deb_signing.key`. +endif::[] +ifndef::debian,ubuntu[] ++ +To verify synchronized {client-content-type} content, you can use {Project} API to get associated GPG public keys of repositories. +For example, `\https://{foreman-example-com}/katello/api/v2/repositories/_My_Repository_ID_/gpg_key_content`. +endif::[] +endif::[] * On the *Advanced* tab, in the *Token lifetime (hours)* field, you can change the validity duration of the JSON Web Token (JWT) that {Project} uses for authentication. The duration of this token defines how long the generated registration command works. +