UNCLASSIFIED - NO CUI

Resolve "gpgcheck needs to be enabled in SLEBCI repo overlay"

David Freeman requested to merge 763-slebci-gpgcheck-enable into master

Merge Request Description

The update made in !1106 (merged) did not address the OSCAP finding for SLE BCI not having gpgcheck enabled.

The STIG for this finding specifically checks a conf file, so this update mounts that file during the build. There is only one line needed in this conf file to allow for this change.

Merge Request BOE

Risk

Rollback Plan

Testing

Local, by mounting this conf file using a docker run bind mount

404a944074f1:/ # zypper repos
Refreshing service 'container-suseconnect-zypp'.
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias   | Name    | Enabled | GPG Check | Refresh
--+---------+---------+---------+-----------+--------
1 | SLE_BCI | SLE_BCI | Yes     | ( p) Yes  | Yes

404a944074f1:/ # zypper -vvv install git
Verbosity: 3
Non-option program arguments: 'git' 
Initializing Target
Refreshing service 'container-suseconnect-zypp'.
Checking whether to refresh metadata for SLE_BCI
Retrieving: https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/media.1/media ...................................................................................................................................................[done]
Retrieving: https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/repodata/repomd.xml.asc .........................................................................................................................................[done]
Retrieving: https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/repodata/repomd.xml.key .........................................................................................................................................[done]
Retrieving: https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/repodata/repomd.xml .............................................................................................................................................[done]
  Repository:       SLE_BCI
  Key Fingerprint:  FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
  Key Name:         SuSE Package Signing Key <build@suse.de>
  Key Algorithm:    RSA 2048
  Key Created:      Mon 21 Sep 2020 08:21:47 AM UTC
  Key Expires:      Fri 20 Sep 2024 08:21:47 AM UTC
  Rpm Name:         gpg-pubkey-39db7c82-5f68629b

Closes #763 (moved)

Edited by David Freeman
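
A check of the kind the description relies on, as an added example that is not part of the merge request: it audits a zypper configuration file for an uncommented `gpgcheck` line and, going beyond the conf-file check described above, also flags any repo file that switches it off. The paths `/etc/zypp/zypp.conf` and `/etc/zypp/repos.d`, the function names and the sample files are assumptions; the page does not name the conf file.

```shell
#!/bin/sh
# Added example. Assumed real locations (not named on the page):
#   /etc/zypp/zypp.conf and /etc/zypp/repos.d/*.repo

# Print every uncommented value of KEY in ini-style FILE, lowercased, one per line.
ini_values() {  # usage: ini_values KEY FILE
    awk -F= -v key="$1" '
        /^[[:space:]]*[#;]/ { next }               # commented-out lines do not count
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            v = $2; gsub(/[[:space:]]/, "", v)
            if (tolower(k) == key) print tolower(v)
        }' "$2"
}

# Spellings treated as "on" here (assumption; extend if your policy allows others).
is_true() { case "$1" in 1|on|yes|true) return 0 ;; *) return 1 ;; esac; }

# Return 0 only if CONF turns gpgcheck on and no repo file in REPODIR turns it off.
gpgcheck_audit() {  # usage: gpgcheck_audit CONF REPODIR
    rc=0
    global=$(ini_values gpgcheck "$1" | tail -n 1)
    if is_true "$global"; then
        echo "PASS  $1: gpgcheck = $global"
    else
        echo "FAIL  $1: gpgcheck is '${global:-unset or commented out}'"; rc=1
    fi
    for repo in "$2"/*.repo; do
        [ -e "$repo" ] || continue
        for v in $(ini_values gpgcheck "$repo"); do
            is_true "$v" || { echo "FAIL  $repo: gpgcheck = $v"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample files (not taken from the merge request).
make_sample() {  # usage: make_sample DIR
    mkdir -p "$1/repos.good" "$1/repos.bad"
    printf '[main]\ngpgcheck = 1\n'   > "$1/good.conf"
    printf '[main]\n# gpgcheck = 1\n' > "$1/commented.conf"
    printf '[SLE_BCI]\nenabled=1\ngpgcheck=1\n' > "$1/repos.good/SLE_BCI.repo"
    printf '[extra]\nenabled=1\ngpgcheck=0\n'   > "$1/repos.bad/extra.repo"
}

d=$(mktemp -d) && make_sample "$d"
gpgcheck_audit "$d/good.conf" "$d/repos.good"
gpgcheck_audit "$d/commented.conf" "$d/repos.good" || echo "=> commented-out line still fails"
```

Inside the built image, the same function can be pointed at the assumed real locations: `gpgcheck_audit /etc/zypp/zypp.conf /etc/zypp/repos.d`.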