Keys listed in gpgkey= not used for repo metadata signature verification #528
Comments
I have this problem in zypper 1.14.71 but do not have it in 1.14.68.

zypper 1.14.68

# cat /etc/zypp/repos.d/nginx.repo && zypper --version && zypper refs && zypper --gpg-auto-import-keys refresh -r nginx-stable
[nginx]
name=nginx-stable
enabled=1
autorefresh=1
baseurl=https://nginx.org/packages/sles/15/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
path=/
type=yum
keeppackages=0
zypper 1.14.68
All services have been refreshed.
Looking for gpg key ID 7BD9BF62 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 7BD9BF62 in repository nginx-stable.
gpgkey=https://nginx.org/keys/nginx_signing.key
Automatically importing the following key:
Repository: nginx-stable
Key Fingerprint: 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
Key Name: nginx signing key <signing-key@nginx.com>
Key Algorithm: RSA 2048
Key Created: Sat May 25 00:31:01 2024
Key Expires: Tue May 25 00:31:01 2027
Rpm Name: gpg-pubkey-7bd9bf62-6650b2b5
Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
you are not sure whether the presented key is authentic, ask the repository provider or check
their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
are using.
Retrieving repository 'nginx-stable' metadata ...............................................................................[done]
Building repository 'nginx-stable' cache ....................................................................................[done]
Specified repositories have been refreshed.

zypper 1.14.71

# cat /etc/zypp/repos.d/nginx.repo && zypper --version && zypper refs && zypper --gpg-auto-import-keys refresh -r nginx-stable
[nginx]
name=nginx-stable
enabled=1
autorefresh=1
baseurl=https://nginx.org/packages/sles/15/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
path=/
type=yum
keeppackages=0
zypper 1.14.71
All services have been refreshed.
Looking for gpg key ID 7BD9BF62 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 7BD9BF62 in repository nginx-stable.
gpgkey=https://nginx.org/keys/nginx_signing.key
Warning: File 'repomd.xml' from repository 'nginx-stable' is signed with an unknown key 'ABF5BD827BD9BF62'.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.
File 'repomd.xml' from repository 'nginx-stable' is signed with an unknown key 'ABF5BD827BD9BF62'.
Continue? [yes/no] (no):
Retrieving repository 'nginx-stable' metadata ..............................................................................[error]
Repository 'nginx-stable' is invalid.
[nginx|https://nginx.org/packages/sles/15/] Valid metadata not found at specified URL
History:
- Signature verification failed for repomd.xml
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'nginx-stable' because of the above error.
Could not refresh the repositories because of errors.

@jswolf19 to me it looks like the repo is signed with

We'll add a message telling why
@mlandres I'll have to check once I'm in front of a computer, but I think the file has 3 keys. The one used for signing is the second one.

Update: yes, ABF5BD827BD9BF62 is the second key in the file.

$ curl https://nginx.org/keys/nginx_signing.key | gpg --show-keys --with-fingerprint
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11809  100 11809    0     0   4438      0  0:00:02  0:00:02 --:--:--  4437
pub   rsa4096 2024-05-29 [SC]
      8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
uid           nginx signing key <signing-key-2@nginx.com>
pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
uid           nginx signing key <signing-key@nginx.com>
pub   rsa4096 2024-05-29 [SC]
      9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
uid           nginx signing key <signing-key-3@nginx.com>
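An added check, not zypper or libzypp code, that ties the identifiers in this thread together: it parses the gpg listing above (embedded as constructed sample input) and resolves the key ID zypper prints, a full fingerprint, or an imported gpg-pubkey rpm name to the key's position in the gpgkey= file, so you can confirm which of the three keys signed repomd.xml before deciding whether to trust it.

```python
import re
from typing import NamedTuple

# Constructed sample: the `gpg --show-keys --with-fingerprint` listing of
# nginx_signing.key as posted in the thread (three keys in one file).
SAMPLE_LISTING = """\
pub   rsa4096 2024-05-29 [SC]
      8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
uid           nginx signing key <signing-key-2@nginx.com>
pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
uid           nginx signing key <signing-key@nginx.com>
pub   rsa4096 2024-05-29 [SC]
      9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
uid           nginx signing key <signing-key-3@nginx.com>
"""

class PubKey(NamedTuple):
    index: int        # 1-based position of the key in the file
    algo: str
    created: str
    fingerprint: str  # 40 hex digits, no spaces; for v4 keys the long key ID
    uid: str          # is its last 16 digits and the short ID its last 8

PUB_RE = re.compile(r"^pub\s+(\S+)\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s?){10})\s*$")
UID_RE = re.compile(r"^uid\s+(.*\S)")

def parse_listing(text: str) -> list[PubKey]:
    """Collect algo, creation date, fingerprint and uid of every 'pub' block."""
    keys, algo, created, fpr = [], None, None, None
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            algo, created = m.group(1), m.group(2)
        elif m := FPR_RE.match(line):
            fpr = m.group(1).replace(" ", "")
        elif (m := UID_RE.match(line)) and fpr:
            keys.append(PubKey(len(keys) + 1, algo, created, fpr, m.group(1)))
            algo = created = fpr = None
    return keys

def find_signing_key(keys: list[PubKey], key_ref: str):
    """Resolve an ID as zypper prints it (short 7BD9BF62 or long ABF5BD827BD9BF62),
    a full fingerprint, or an rpm name like gpg-pubkey-7bd9bf62-6650b2b5."""
    if key_ref.startswith("gpg-pubkey-"):
        key_ref = key_ref.split("-")[2]
    ref = key_ref.replace(" ", "").upper()
    if len(ref) not in (8, 16, 40) or not re.fullmatch(r"[0-9A-F]+", ref):
        raise ValueError(f"not a key ID or fingerprint: {key_ref!r}")
    return next((k for k in keys if k.fingerprint.endswith(ref)), None)
```

Pipe the real `gpg --show-keys --with-fingerprint` output into `parse_listing` to check any other multi-key gpgkey= file the same way.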
@jswolf19 Sorry, then I'll have to check my script. In any case, there's been an issue with the gpgkey url, but it is meanwhile fixed: Please check your libzypp version. If it's older and 17.32.6 fixes it, we can close this as duplicate of #546

I'll check tomorrow and get back to you.

@mlandres Upgrading to libzypp-17-32.6 solves my problem. If it's a url issue, I'm not sure if it solves the original issue, though. The 15.5 repos currently only include up to libzypp-17-32.5, so I made a temporary repo providing 17-32.6. Any idea if/when that version will be added to the 15.5 update repo?
When I run zypper with gpgkeys listed in gpgkey= in the individual repo files, zypper fails with an error saying it can't verify the repo metadata signature, even though the key that the repository metadata is signed with is listed in gpgkey=.
Version: 1.14.59
Repo file:
Log: https://gist.github.com/DaanDeMeyer/7babbb3adb9464d2ce964a569ed92cde