Documentation feedback on /docs/install/redhat.rst (SUSE support) #72

amotl opened this issue Apr 29, 2024 · 6 comments


amotl commented Apr 29, 2024

Hi again. Coming from GH-71, we wanted to report that installation on SUSE and derivatives fails with an error about signing.

Problem

zypper --plus-content=cratedb-ce-stable install -y crate
Temporarily enabling repository 'CrateDB RPM package repository - x86_64 - Stable'. [--plus-content]
Warning: File 'repomd.xml' from repository 'CrateDB RPM package repository - x86_64 - Stable' is unsigned.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.
Repository 'CrateDB RPM package repository - x86_64 - Stable' is invalid.
[cratedb-ce-stable|https://cdn.crate.io/downloads/yum/7/x86_64] Valid metadata not found at specified URL
History:
 - Signature verification failed for repomd.xml

amotl commented Apr 29, 2024

@matriv suggested:

Isn't there a way for SUSE to skip this verification, and only verify the package itself?
The signing of the repo data is optional (at least for CentOS and Red Hat).


amotl commented Apr 29, 2024

There is a corresponding setting, right. It is called repo_gpgcheck=0, or, alternatively, use the zypper parameter --gpgcheck-allow-unsigned-repo.


amotl commented Apr 29, 2024

Problem

When adding repo_gpgcheck=0 to /etc/zypp/repos.d/cratedb.repo, there is an error:

Signature verification failed [4-Signatures public key is not available]

Solution

Public key must be imported upfront.

rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate

zypper parameter --gpg-auto-import-keys did not work.

References

Details

zypper --plus-content=cratedb-ce-stable install -y crate
Temporarily enabling repository 'CrateDB RPM package repository - x86_64 - Stable'. [--plus-content]
Retrieving repository 'CrateDB RPM package repository - x86_64 - Stable' metadata ........................................................................................................[done]
Building repository 'CrateDB RPM package repository - x86_64 - Stable' cache .............................................................................................................[done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  crate

1 new package to install.
Overall download size: 127.0 MiB. Already cached: 0 B. After the operation, additional 235.1 MiB will be used.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: crate-5.7.0-1.x86_64 (CrateDB RPM package repository - x86_64 - Stable)                                                                                         (1/1), 127.0 MiB
Retrieving: crate-5.7.0-1.x86_64.rpm .........................................................................................................................................[done (6.0 MiB/s)]
crate-5.7.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 7faae51a06f6eaeb: NOKEY
    V4 RSA/SHA256 Signature, key ID 7faae51a06f6eaeb: NOKEY

warning: /var/tmp/AP_0xML3p6q/crate-5.7.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 06f6eaeb: NOKEY
Looking for gpg key ID 06F6EAEB in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 06F6EAEB in repository CrateDB RPM package repository - x86_64 - Stable.
  gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
Retrieving: RPM-GPG-KEY-crate ...........................................................................................................................................................[error]
crate-5.7.0-1.x86_64 (CrateDB RPM package repository - x86_64 - Stable): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): a
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.


amotl commented Apr 30, 2024

CrateDB on SUSE in a nutshell.

Use that config in /etc/zypp/repos.d/cratedb.repo.

[cratedb-ce-stable]
name=CrateDB RPM package repository - $basearch - Stable
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
enabled=0
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
autorefresh=1
type=rpm-md

[cratedb-ce-testing]
name=CrateDB RPM package repository - $basearch - Testing
baseurl=https://cdn.crate.io/downloads/yum/testing/7/$basearch
enabled=0
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
autorefresh=1
type=rpm-md

Use that command to import the public GPG key, in order to make signature validation work.

rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate

Finally, use those commands to install and start CrateDB.

zypper --plus-content=cratedb-ce-stable install -y crate
systemctl start crate
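
As a check on the configuration posted in the comment above, the following added example (not part of the original post and not CrateDB project code) reports which signature checks each section of a .repo file enables and whether the baseurl uses HTTPS. The verdict labels and the two `example-*` sections are made up for illustration, and a section that leaves a key unset is reported as depending on defaults rather than guessed.

```shell
# Added example (not from the issue thread): report which signature checks
# each section of a zypper/yum .repo file enables. Reads FILE or stdin and
# prints "<repo-id> <verdict> <baseurl-scheme>" per section.
audit_repo_file() {
  awk '
    function norm(v) {  # normalize common boolean spellings
      v = tolower(v)
      return (v ~ /^(1|yes|true|on)$/) ? "1" : ((v ~ /^(0|no|false|off)$/) ? "0" : v)
    }
    function report(   g, r, v) {
      if (id == "") return
      g = ("gpgcheck" in kv) ? norm(kv["gpgcheck"]) : "unset"
      r = ("repo_gpgcheck" in kv) ? norm(kv["repo_gpgcheck"]) : "unset"
      if (g == "unset" || r == "unset") v = "depends-on-defaults"
      else if (g == "1" && r == "1")    v = "packages+metadata"
      else if (g == "1")                v = "packages-only"
      else if (r == "1")                v = "metadata-only"
      else                              v = "unverified"
      # Unsigned metadata is only protected in transit: report the scheme.
      print id, v, (index(kv["baseurl"], "https://") == 1 ? "https" : "not-https")
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^[#;]/ || /^$/ { next }
    /^\[.*\]$/ { report(); split("", kv); id = substr($0, 2, length($0) - 2); next }
    { i = index($0, "="); if (i) kv[substr($0, 1, i - 1)] = substr($0, i + 1) }
    END { report() }
  ' "$@"
}

# Constructed sample: first section mirrors the settings above, rest invented.
sample_repo() {
  cat <<'EOF'
[cratedb-ce-stable]
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
[example-unverified]
baseurl=http://repo.example.invalid/rpm
gpgcheck=0
repo_gpgcheck=0
[example-implicit]
baseurl=https://repo.example.invalid/rpm
gpgcheck=1
EOF
}

sample_repo | audit_repo_file
```

On a real host the function can be pointed at a file directly, for example `audit_repo_file /etc/zypp/repos.d/cratedb.repo`.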


matriv commented May 2, 2024


amotl commented May 2, 2024

Excellent. Thanks for adding software tests!
