Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: zypper up found no key but still installed packages

  1. #1

    Default zypper up found no key but still installed packages

    Hi,

    On my update today with 'zypper up' all packages gave the warning "Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY".

    Do I understand correctly that it did not find the key to verify that the packages are OK? Then why have they been installed?

    Thanks and regards

  2. #2
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Default Re: zypper up found no key but still installed packages

    Where did those packages come from? Packman?

    You can check it with;
    rpm -qa --last | head -n 20

    ^ Will print the last 20 patches.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: h​ttps://download.opensuse.org/repositories/home:/Miuku/

  3. #3

    Default Re: zypper up found no key but still installed packages

    Quote Originally Posted by Miuku View Post
    Where did those packages come from? Packman?

    You can check it with;
    rpm -qa --last | head -n 20

    ^ Will print the last 20 patches.
    Code:
    ge40L:/home/me/backups # rpm -qa --last | head -n 20
    libMagick++-6_Q16-2-6.8.6.9-2.8.1.x86_64      Thu Mar 13 08:58:52 2014
    file-5.15-4.10.1.x86_64                       Thu Mar 13 08:58:52 2014
    libmagic1-5.15-4.10.1.x86_64                  Thu Mar 13 08:58:51 2014
    ImageMagick-6.8.6.9-2.8.1.x86_64              Thu Mar 13 08:58:51 2014
    libMagickWand-6_Q16-1-6.8.6.9-2.8.1.x86_64    Thu Mar 13 08:58:50 2014
    libssh4-0.5.5-2.4.1.x86_64                    Thu Mar 13 08:58:49 2014
    file-magic-5.15-4.10.1.x86_64                 Thu Mar 13 08:58:49 2014
    libMagickCore-6_Q16-1-6.8.6.9-2.8.1.x86_64    Thu Mar 13 08:58:48 2014
    That did not show the repo. The updates are from repo-update.

    repo-update is:
    13 | repo-update | openSUSE-13.1-Update | Yes | Yes | http://download.opensuse.org/update/13.1/

    In Apper these updates seem to be named: openSUSE-2014-206, openSUSE-2014-208 and openSUSE-2014-209

    The zypper history shows:
    Code:
    ge40L:/home/me/backups # cat /var/log/zypp/history | tail -n 40
    # 2014-03-13 08:58:49 libMagickCore-6_Q16-1-6.8.6.9-2.8.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/libMagickCore-6_Q16-1-6.8.6.9-2.8.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:49|install|libMagickCore-6_Q16-1|6.8.6.9-2.8.1|x86_64||repo-update|73fc29d149aeeedd25aa185a130f1ec4fc81c7e0d4c3a5a1e34a1f67ba1ac5f8|
    # 2014-03-13 08:58:49 file-magic-5.15-4.10.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/file-magic-5.15-4.10.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:49|install|file-magic|5.15-4.10.1|x86_64||repo-update|0c455e964e70be32f8295d268f7cd876e699904ff48aaf6ee51a6788bb774004|
    # 2014-03-13 08:58:50 libssh4-0.5.5-2.4.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/libssh4-0.5.5-2.4.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:50|install|libssh4|0.5.5-2.4.1|x86_64||repo-update|717b001e8fe087cbb2e76e56ee7e2f75818ef4a892dc811b30e879ee12055a56|
    # 2014-03-13 08:58:50 libMagickWand-6_Q16-1-6.8.6.9-2.8.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/libMagickWand-6_Q16-1-6.8.6.9-2.8.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:51|install|libMagickWand-6_Q16-1|6.8.6.9-2.8.1|x86_64||repo-update|93c9a1590749069013f685d51779e292d81f6ce793fb8f2e0abfdda8a0262fde|
    # 2014-03-13 08:58:51 libmagic1-5.15-4.10.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/libmagic1-5.15-4.10.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:51|install|libmagic1|5.15-4.10.1|x86_64||repo-update|ac7265728505b00bf6aa5f8ade540ecc2ee5446dc7ddb5dd284df3e90987d0a9|
    # 2014-03-13 08:58:52 ImageMagick-6.8.6.9-2.8.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/ImageMagick-6.8.6.9-2.8.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:52|install|ImageMagick|6.8.6.9-2.8.1|x86_64||repo-update|868a2f5c6a7cdbf31a5f4af9945ff1f1fd9ee77e6a8f6e7050d053f535f9e222|
    # 2014-03-13 08:58:52 file-5.15-4.10.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/file-5.15-4.10.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:52|install|file|5.15-4.10.1|x86_64||repo-update|d0e6ffc0442590a14ab99327ad3e15565fd291f89753ed4c3345827d4ba3f05c|
    # 2014-03-13 08:58:53 libMagick++-6_Q16-2-6.8.6.9-2.8.1.x86_64.rpm installed ok
    # Additional rpm output:
    # warning: /var/cache/zypp/packages/repo-update/x86_64/libMagick++-6_Q16-2-6.8.6.9-2.8.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    # 
    2014-03-13 08:58:53|install|libMagick++-6_Q16-2|6.8.6.9-2.8.1|x86_64||repo-update|cd59e3561a820c79db6f2f435a6a67c878526b186a6ff9844cda860bbc60d1ce|

  4. #4

    Default Re: zypper up found no key but still installed packages

    Yes, I got the same messages, e.g.

    Code:
    (3/3) Installing: ImageMagick-6.8.6.9-2.8.1 .................................................................................[done]
    Additional rpm output:
    warning: /var/cache/zypp/packages/repo-update/x86_64/ImageMagick-6.8.6.9-2.8.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
    Searched around in the man pages and on the net, but didn't really come up with an answer.

    I understood there are 2 types of signing keys. One for signing the repo and another for signing the rpm package. I think zypper will prompt (unless overwritten by option) if anything is wrong with repo key. But obviously zypper has no options regarding handling of package signing keys,

    Documentation (rpmkeys(8) says that package keys are installed in packages named gpg-pubkeys*. However no such package seems to exist in default OpenSUSE 13.1 repos.

    Instead I found package openSUSE-build-key

    Code:
    $ zypper info openSUSE-build-key
    ...
    
    Information for package openSUSE-build-key:
    -------------------------------------------
    Repository: openSUSE-13.1-Oss
    Name: openSUSE-build-key
    Version: 1.0-24.1.2
    Arch: noarch
    Vendor: openSUSE
    Installed: Yes
    Status: up-to-date
    Installed Size: 4.8 KiB
    Summary: The public gpg keys for rpm package signature verification
    Description: 
    This package contains the gpg keys that are used to sign the
    openSUSE rpm packages. The keys installed here are not actually
    used by anything. rpm/zypper use the keys in the rpm db instead.
    Hmm, these keys are not used, weird. So why are they installed then in the first place? So what is in rpm db? There is a rpmdb(8) page but helps as little as rpmkeys(8).

    This topic almost certainly requires better documentation, cannot imagine that I missed so much... I have the feeling somebody as done a major rewrite of the related code, but not touched the documentation.

  5. #5

    Default Re: zypper up found no key but still installed packages

    Here is how to check package signing keys (or at least what I just came up with)

    Download the package (at least I did not come up with a way to check the key of an installed package)

    Code:
    # zypper install -d  quassel
    # zypper install -d -f sox
    # zypper install -d -f file
    (you need the -f flag if the package is already installed, although -d tells not to install)

    Code:
    # rpm -v --checksig /var/cache/zypp/packages/repo-oss/suse/x86_64/sox-14.4.1-2.1.2.x86_64.rpm
    /var/cache/zypp/packages/repo-oss/suse/x86_64/sox-14.4.1-2.1.2.x86_64.rpm:
        Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
        Header SHA1 digest: OK (f292dc8719b3febaca1f7b4cf891be874b9dcc87)
        V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
        MD5 digest: OK (daa7e820e92bafd45e47f6245f5f724e)
    # rpm -v --checksig /var/cache/zypp/packages/repo-update/x86_64/quassel-mono-0.9.2-12.1.x86_64.rpm
    /var/cache/zypp/packages/repo-update/x86_64/quassel-mono-0.9.2-12.1.x86_64.rpm:
        Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
        Header SHA1 digest: OK (79f2b0e9ce0b1d8b96c0c012a89a2f1b08853e8d)
        V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
        MD5 digest: OK (dbc3b859556c352a38b23d006d49dabe)
    # rpm -v --checksig /var/cache/zypp/packages/repo-update/x86_64/file-5.15-4.10.1.x86_64.rpm
    /var/cache/zypp/packages/repo-update/x86_64/file-5.15-4.10.1.x86_64.rpm:
        Header V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
        Header SHA1 digest: OK (381bca2de6c8935a7045e9f56bd22c1b1d09e9e9)
        V3 RSA/SHA1 Signature, key ID b3fd7e48: NOKEY
        MD5 digest: OK (9b12ef1d0e1b83191732a74ca6ab1730)
    So packages in repo-oos and repo-update used to be signed with key ID 3dbdc284, but now they obviously use a new key.

  6. #6

    Default Re: zypper up found no key but still installed packages

    Hi all,

    I have encountered the same messages on six production servers, and I started to worry...

    This is what I found (for package file-magic):

    Zypper downloads

    file-magic-5.14_5.15-4.1.2_4.10.1.x86_64.drpm

    This file's signature is verified successfully, otherwise zypper will not use it. You can manually check its signature with

    Code:
    rpm -v  --checksig file-magic-5.14_5.15-4.1.2_4.10.1.x86_64.drpm
    This .drpm package is signed by a key with id 0x3dbdc284, the openSUSE key.

    file-magic-5.14 is now patched with this .drpm package

    The resulting (patched) file is:

    file-magic-5.15-4.10.1.x86_64.rpm

    You can find this file in /var/cache/zypp/packages/repo-update/x86_64 if you use zypper like this:

    Code:
    zypper up -D --skip-interactive
    This .rpm file is now installed, but carries a signature created by an unknown key: 0xb3fd7e48

    Unfortunately, this key cannot be found on the MIT key server:

    Code:
    gpg --keyserver pgp.mit.edu --recv-key 0xb3fd7e48
    For now I assume that the patch (.drpm) was created against a file signed with key 0xb3fd7e48, so the resulting .rpm package (after patching it) is also signed by that (unknown) key.

    I sure hope that this is not reason enough to believe that the servers have been compromised and need to be rebuild from scratch... Keeping my fingers crossed...


    Yours

    Paul

  7. #7

    Default Re: zypper up found no key but still installed packages

    Quote Originally Posted by geuder View Post
    So packages in repo-oos and repo-update used to be signed with key ID 3dbdc284, but now they obviously use a new key.
    I think the files on the update servers are still signed with key 0x3dbdc284 (.drpm packages).

    After applying the patch, the resulting .rpm package is singed with an unkown key (0xb3fd7e48). I couldn't quickly find any .rpm package from today on the update servers.

  8. #8

    Default Re: zypper up found no key but still installed packages

    It seems to me, there is something weird going on.

    Same problem with openSUSE 12.3 this morning: several delta rpm files produced NOKEY errors:


    • libMagickCore5-6.7.8.8-4.9.1
    • libmagic-data-5.11-12.6.1
    • libssh4-0.5.3-2.4.1 (!!!)
    • libMagickWand5-6.7.8.8-4.9.1
    • libmagic1-5.11-12.6.1
    • ImageMagick-6.7.8.8-4.9.1
    • file-5.11-12.6.1
    • libMagick++5-6.7.8.8-4.9.1


    My update repo url is http://download.opensuse.org/update/12.3/
    All the problematic files were claimed to originate from there, but when I searched via http (Browser) in that repo, none of the drpm versions was there.

    I sure do not want questionable ssh/file/ImageMagick packages, so I did a "zypper clean -a" and then "zypper ref" to rebuild the caches.
    After that I reinstalled all suspicious packages (zypper in -f ...), without any error message. All versions are back to official versions (double checked and verified via http://software.opensuse.org/).

    Is this a security issue with http://download.opensuse.org/ ?

  9. #9

    Default Re: zypper up found no key but still installed packages

    Quote Originally Posted by kalex77;2630357Is this a security issue with [URL
    http://download.opensuse.org/[/URL] ?
    No. But apparently something went wrong with those updates. Normally the packages should get re-signed with the update repo's key, but that didn't happen in this case. So they are still signed with some internal openSUSE:Maintenance key.

    This is investigating this at the moment.

    If you understand german, see also here:
    http://lists.opensuse.org/opensuse-d.../msg00164.html

  10. #10

    Default Re: zypper up found no key but still installed packages

    Quote Originally Posted by kalex77 View Post
    I sure do not want questionable ssh/file/ImageMagick packages, so I did a "zypper clean -a" and then "zypper ref" to rebuild the caches.
    After that I reinstalled all suspicious packages (zypper in -f ...), without any error message. All versions are back to official versions (double checked and verified via http://software.opensuse.org/).
    I also downgraded those packages to previous versions. But libmagic1 and file-magic seem to be used almost everywhere. e.g. in zypper. So the command to remove the packages used that stuff. So if this was an attack then we would be f#cked anyway....

    But how can it be that packages with wrong or missing signatures can be installed by zypper? I would assume the most basic unit test for such code and the most important one is if packages with wrong or missing signatures are refused. How can it be that zypper installs those. That is just something that must not happen, ever. I very much like suse, but if package management code can end up in production that did not pass such a unit test or if such unit tests do not exist, then I have to switch...

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •