Keys listed in gpgkey= not used for repo metadata signature verification #528

Open
DaanDeMeyer opened this issue Jan 29, 2024 · 7 comments

Comments

@DaanDeMeyer
Contributor

When I run zypper with gpgkeys listed in gpgkey= in the individual repo files, zypper fails with an error saying it can't verify the repo metadata signature, even though the key that the repository metadata is signed with is listed in gpgkey=.

Version: 1.14.59

Repo file:

[repo-oss]
name=repo-oss
baseurl=https://download.opensuse.org/tumbleweed/repo/oss/
enabled=1
autorefresh=0
keeppackages=1
gpgcheck=0
repo_gpgcheck=1
pkg_gpgcheck=1
gpgkey=file:///usr/share/distribution-gpg-keys/opensuse/RPM-GPG-KEY-openSUSE-Tumbleweed
       file:///usr/share/distribution-gpg-keys/opensuse/RPM-GPG-KEY-openSUSE

Log: https://gist.github.com/DaanDeMeyer/7babbb3adb9464d2ce964a569ed92cde

@jswolf19

jswolf19 commented Jun 5, 2024

I have this problem in zypper 1.14.71 but do not have it in 1.14.68.

zypper 1.14.68

# cat /etc/zypp/repos.d/nginx.repo && zypper --version && zypper refs && zypper --gpg-auto-import-keys refresh -r nginx-stable
[nginx]
name=nginx-stable
enabled=1
autorefresh=1
baseurl=https://nginx.org/packages/sles/15/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
path=/
type=yum
keeppackages=0
zypper 1.14.68
All services have been refreshed.
Looking for gpg key ID 7BD9BF62 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 7BD9BF62 in repository nginx-stable.
  gpgkey=https://nginx.org/keys/nginx_signing.key

Automatically importing the following key:

  Repository:       nginx-stable
  Key Fingerprint:  573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
  Key Name:         nginx signing key <signing-key@nginx.com>
  Key Algorithm:    RSA 2048
  Key Created:      Sat May 25 00:31:01 2024
  Key Expires:      Tue May 25 00:31:01 2027
  Rpm Name:         gpg-pubkey-7bd9bf62-6650b2b5



    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.
Retrieving repository 'nginx-stable' metadata ...............................................................................[done]
Building repository 'nginx-stable' cache ....................................................................................[done]
Specified repositories have been refreshed.

zypper 1.14.71

# cat /etc/zypp/repos.d/nginx.repo && zypper --version && zypper refs && zypper --gpg-auto-import-keys refresh -r nginx-stable
[nginx]
name=nginx-stable
enabled=1
autorefresh=1
baseurl=https://nginx.org/packages/sles/15/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
path=/
type=yum
keeppackages=0
zypper 1.14.71
All services have been refreshed.
Looking for gpg key ID 7BD9BF62 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 7BD9BF62 in repository nginx-stable.
  gpgkey=https://nginx.org/keys/nginx_signing.key
Warning: File 'repomd.xml' from repository 'nginx-stable' is signed with an unknown key 'ABF5BD827BD9BF62'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'nginx-stable' is signed with an unknown key 'ABF5BD827BD9BF62'.
Continue? [yes/no] (no):
Retrieving repository 'nginx-stable' metadata ..............................................................................[error]
Repository 'nginx-stable' is invalid.
[nginx|https://nginx.org/packages/sles/15/] Valid metadata not found at specified URL
History:
 - Signature verification failed for repomd.xml

Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'nginx-stable' because of the above error.
Could not refresh the repositories because of errors.

@mlandres
Member

mlandres commented Jun 5, 2024

@jswolf19 to me it looks like the repo is signed with unknown key 'ABF5BD827BD9BF62' and the gpgkey URL provides BCDCD8A38D88A2B3.

ma@hobbes:tmp (0)> wget https://nginx.org/keys/nginx_signing.key
--2024-06-05 09:45:12--  https://nginx.org/keys/nginx_signing.key
Resolving nginx.org (nginx.org)... 2a05:d014:5c0:2601::6, 2a05:d014:5c0:2600::6, 52.58.199.22, ...
Connecting to nginx.org (nginx.org)|2a05:d014:5c0:2601::6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11809 (12K) [application/octet-stream]
Saving to: ‘nginx_signing.key’

nginx_signing.key             100%[=================================================>]  11.53K  --.-KB/s    in 0s      

2024-06-05 09:45:12 (101 MB/s) - ‘nginx_signing.key’ saved [11809/11809]

ma@hobbes:tmp (0)> zypp-pubkey nginx_signing.key
=== ./nginx_signing.key{- 0644 216/1000 size 11809}
[nginx signing key <signing-key-3@nginx.com>]
 +----[RSA 4096]-----+
 |                   |  fpr 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
 |                   |   id BCDCD8A38D88A2B3
 |                   |  alg RSA 4096
 |                   |  cre 1716998629 Wed May 29 18:03:49 2024
 |                   |  exp 0 (does not expire)
 |    .    S         |  ttl 2147483647
 |     ^  . .        |  rpm 8d88a2b3-665751e5
 |    : i  ^         |
 |     i ?  :        |
 |^ . ^ ?.l:.        |
 |E: ..?:l:i.        |
 +----[8D88A2B3]-----+

*** Not in rpm database.

@mlandres
Member

mlandres commented Jun 5, 2024

We'll add a message telling why gpgkey= did not work (file not found or does not contain the expected key).

@jswolf19

jswolf19 commented Jun 5, 2024

@mlandres I'll have to check once I'm in front of a computer, but I think the file has 3 keys. The one used for signing is the second one.

Update: yes, ABF5BD827BD9BF62 is the second key in the file.

$ curl https://nginx.org/keys/nginx_signing.key | gpg --show-keys --with-fingerprint
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11809  100 11809    0     0   4438      0  0:00:02  0:00:02 --:--:--  4437pub   rsa4096 2024-05-29 [SC]
      8540 A6F1 8833 A80E 9C16  53A4 2FD2 1310 B49F 6B46
uid                      nginx signing key <signing-key-2@nginx.com>

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
uid                      nginx signing key <signing-key@nginx.com>


pub   rsa4096 2024-05-29 [SC]
      9E9B E90E ACBC DE69 FE9B  204C BCDC D8A3 8D88 A2B3
uid                      nginx signing key <signing-key-3@nginx.com>

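The check jswolf19 did by hand above (list every key in the gpgkey= file and see whether the key ID from zypper's "signed with an unknown key" warning is among them) as an added, stand-alone example; this is not code from the issue thread or from zypper/libzypp. It parses the ASCII armor and OpenPGP packets itself so it needs no gpg, and the three sample keys are constructed values, not the nginx keys.

```python
import base64, hashlib, re, struct

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(armored):
    # Drop armor headers ("Version: ..."), blank lines and the "=CRC24" line (the CRC is not checked here).
    b64 = "".join(l for l in armored.splitlines() if l and ":" not in l and not l.startswith("="))
    return base64.b64decode(b64)

def iter_packets(data):
    # Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers (RFC 4880 section 4.2).
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if n is None: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]; i += length

def v4_key_id(body):
    # RFC 4880 section 12.2: fingerprint = SHA-1(0x99 || 2-byte body length || body); the long key ID is its last 8 bytes.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()[-16:]

def key_ids_in_gpgkey_file(text):
    # Long key IDs of every v4 primary key (tag 6) and subkey (tag 14), in file order, across all armored blocks.
    return [v4_key_id(body) for block in ARMOR_RE.findall(text)
            for tag, body in iter_packets(dearmor(block)) if tag in (6, 14) and body[0] == 4]

def explains_unknown_key(gpgkey_text, warned_key_id):
    # True if the key zypper reported as unknown is present in the gpgkey= file, i.e. the file is not what is wrong.
    return warned_key_id.upper() in key_ids_in_gpgkey_file(gpgkey_text)

def _constructed_key_block(seed, created):
    # Constructed, non-functional RSA v4 public-key packet (old-format tag 6 header 0x99), armored like a gpgkey= file.
    n = hashlib.sha256(seed).digest() * 8                # 256 arbitrary bytes standing in for the modulus
    n = bytes([n[0] | 0x80]) + n[1:]                     # force an exact 2048-bit MPI
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + struct.pack(">H", 2048) + n + struct.pack(">H", 17) + b"\x01\x00\x01"
    pkt = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.encodebytes(pkt).decode() + "=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Three keys in one file, mirroring the three-key layout reported in the thread (all values constructed).
SAMPLE_GPGKEY = "".join(_constructed_key_block(s, t) for s, t in ((b"key-2", 1716998629), (b"key-1", 1313740800), (b"key-3", 1716998629)))
```

On a real system, pass the contents of the file or URL named in gpgkey= to key_ids_in_gpgkey_file and the ID from the warning to explains_unknown_key; if it returns True, the key file is fine and the tool is at fault, as in this issue. Subkeys are included because repository metadata may be signed with a signing subkey rather than the primary key.
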
@mlandres
Member

mlandres commented Jun 5, 2024

@jswolf19 Sorry, then I'll have to check my script.

In any case, there's been an issue with the gpgkey URL, but it is meanwhile fixed:
libzypp-17.32.6: Fix download from gpgkey URL (bsc#1223430, fixes #546)

Please check your libzypp version. If it's older and 17.32.6 fixes it, we can close this as duplicate of #546

@jswolf19

jswolf19 commented Jun 5, 2024

Please check your libzypp version. If it's older and 17.32.6 fixes it, we can close this as duplicate of #546

I'll check tomorrow and get back to you.

@jswolf19

jswolf19 commented Jun 6, 2024

@mlandres Upgrading to libzypp-17-32.6 solves my problem. If it's a url issue, I'm not sure if it solves the original issue, though.

The 15.5 repos currently only include up to libzypp-17-32.5, so I made a temporary repo providing 17-32.6. Any idea if/when that version will be added to the 15.5 update repo?
