Content Credentials

The content credentials page can be accessed via the content menu:

Content > Content Credentials

The content credentials page forms a part of orcharhino’s content management.

Content credentials like GPG keys and SSL certificates can be added to orcharhino to ensure and verify the authenticity of software packages, metadata, and repositories.

Examples for GPG Keys

orcharhino uses GPG public keys to verify signatures as a security measure to ensure the authenticity and integrity of remote content sources. Usually, either the packages, their metadata, or text files containing lists of files and their corresponding hashes are signed to protect against manipulation.

Note

GPG uses public key cryptography with a key pair consisting of a secret private key and a published public key. Signatures are used to validate the authenticity of signed files: a file is signed using a private key, and the resulting signature can be checked after importing the corresponding public key. This protects against undetected tampering with the files in question.

Content providers like CentOS and RHEL sign packages with their private keys. orcharhino uses the corresponding public key to validate the signature. This ensures that only the content provider could have made the signature, which establishes trust in the signed content.

Important

Public GPG keys must be imported from a reliable source and their fingerprint must be checked. This process allows you to fetch content and its signatures over potentially insecure networks like the internet while still ensuring its authenticity.

Go to the content credentials page and click the Create Content Credentials button to import a GPG key:

Add GPG key to content credentials
  • Enter a meaningful Name (1) for the GPG key. The example chooses CentOS 7 GPG Key. Later on, the name can be selected on the repository page in the GPG key field.

  • The Type (2) can either be GPG key as chosen above or SSL certificate. Refer to the SSL certificates examples below for the type SSL certificate.

  • You can paste the GPG key into the Content Credentials Contents field (3).

  • Alternatively, you may choose to upload the public GPG key using the Choose file button (4).

  • Clicking the Save button (5) saves the GPG key to orcharhino.

Note that orcharhino only accepts ASCII-armored GPG keys; binary formats are not supported. A valid key looks as follows:

-----BEGIN PGP PUBLIC KEY BLOCK-----

ebBvV1lCh3jKZazOR51ppKU8rJOIECKGC9Zl0aN73WGQU3uBYkQdUzab8OHAef6E
QFG1fTx3K4NLE7AXMUYngL6pbChFwCEc781bRn2phF1JApvc9jqdUksTKzo62R6X
...

-----END PGP PUBLIC KEY BLOCK-----

You may have multiple GPG public keys in a single content credential file. This is mostly used for Debian and Ubuntu.

The following subsections detail various sources of GPG keys which could potentially be imported into orcharhino.

CentOS

The official GPG public keys can be downloaded from centos.org as follows:

Debian

The official GPG public keys can be downloaded from debian.org as follows:

EPEL

The official GPG public keys can be downloaded from fedoraproject.org as follows:

nginx

The nginx web server is an example of a single software package from an external software repository.

Oracle Linux

The official GPG public keys can be downloaded from oracle.com as follows:

RHEL

The official GPG public key can be downloaded from redhat.com as follows:

SLES

The official GPG public key can be obtained from suse.com as follows:

Ubuntu

The official GPG public keys can be downloaded from ubuntu.com as follows:

  • Ubuntu 16.04 (Xenial)

    You will need the following ASCII-armored GPG keys which can be retrieved and exported with the following commands:

    gpg --keyserver keys.gnupg.net --recv-key 0BFB847F3F272F5B 40976EAF437D05B5 46181433FBB75451 3B4FE6ACC0B21F32 D94AA3F0EFE21092
    gpg --armor --export 0BFB847F3F272F5B 40976EAF437D05B5 46181433FBB75451 3B4FE6ACC0B21F32 D94AA3F0EFE21092 > ubuntu_1604_gpg_keys.txt
    
  • Ubuntu 18.04 (Bionic)

    You will need the following ASCII-armored GPG keys which can be retrieved and exported with the following commands:

    gpg --keyserver keys.gnupg.net --recv-key 871920D1991BC93C 3B4FE6ACC0B21F32
    gpg --armor --export 871920D1991BC93C 3B4FE6ACC0B21F32 > ubuntu_1804_gpg_keys.txt
    
  • Ubuntu 20.04 (Focal)

    You will need the following ASCII-armored GPG keys which can be retrieved and exported with the following commands:

    gpg --keyserver keys.gnupg.net --recv-key 3B4FE6ACC0B21F32 D94AA3F0EFE21092 871920D1991BC93C
    gpg --armor --export 3B4FE6ACC0B21F32 D94AA3F0EFE21092 871920D1991BC93C > ubuntu_2004_gpg_keys.txt
    

You can upload the ubuntu_*_gpg_keys.txt files directly to orcharhino as shown above.
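The fingerprint check required in the Important note can be run on an exported file before it is uploaded. The following Python is an added example, not part of orcharhino: it decodes the ASCII armor, walks the OpenPGP packets, computes the version 4 fingerprint of every primary key in the file, and compares the result with an `expected` set that is assumed to come from the vendor over a trusted channel. All function names are illustrative.

```python
import base64, hashlib, re

BLOCK = re.compile(r"-----BEGIN (PGP PUBLIC KEY BLOCK)-----(.*?)-----END \1-----", re.S)

def dearmor(text):
    """Decode all ASCII-armored public key blocks into one raw packet stream."""
    raw = b""
    for m in BLOCK.finditer(text):
        lines = map(str.strip, m.group(2).splitlines())
        # Drop blank lines, armor headers ("Version: ...") and the "=XXXX" CRC line.
        b64 = "".join(s for s in lines if s and ":" not in s and s[0] != "=")
        raw += base64.b64decode(b64, validate=True)
    if not raw:
        raise ValueError("no ASCII-armored public key block found (binary export?)")
    return raw

def packets(data):  # yields (tag, body); header layout per RFC 4880, section 4.2
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length is not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def primary_fingerprints(text):
    """Yield the v4 fingerprint (40 hex digits) of every primary key in text."""
    for tag, body in packets(dearmor(text)):
        if tag == 6:                        # public-key packet = primary key
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled here")
            material = b"\x99" + len(body).to_bytes(2, "big") + body
            yield hashlib.sha1(material).hexdigest().upper()

def audit(text, expected):  # expected: fingerprints published by the vendor (assumed input)
    found = set(primary_fingerprints(text))
    return sorted(expected - found), sorted(found - expected)  # (missing, unexpected)
```

The last 16 hex digits of a version 4 fingerprint are the long key ID passed to `gpg --recv-key` in the commands above. Compare the full 40-digit fingerprint with the vendor's published value, and treat any entry in the "unexpected" list as a reason not to upload the file.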

Examples for SSL Certificates

The following section details the import of an SSL certificate into orcharhino. SSL certificates are mainly used to authenticate with the server you obtain packages from as an alternative to username and password credentials.

CentOS

Add SSL certificate to content credentials
  • Enter a meaningful Name (1) for the SSL certificate. The example chooses CentOS SSL certificate. When importing an SSL CA cert, the name appears on the repository page in the SSL CA cert field.

  • The Type (2) can either be SSL certificate as chosen above or GPG key. Refer to the GPG key examples above for the type GPG key.

  • You can paste the SSL CA cert, SSL client cert, or SSL client key into the Content Credentials Contents field (3).

  • Alternatively, you may choose to upload the SSL certificate using the Choose file button (4).

  • Clicking the Save button (5) saves the SSL certificate to orcharhino.

Refer to products and repositories for more information.