Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Do I have 'ghost' repo keys?

  1. #1

    Question Do I have 'ghost' repo keys?

    I recently did a fresh install of Leap 42.1. I have added only three non-standard repos: Packman, KDE:Extra, and home:ecsos:

    Code:
    me@linux-pvlm:~> zypper lr -d
    #  | Alias                               | Name                                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                       | Service
    ---+-------------------------------------+-----------------------------------------+---------+-----------+---------+----------+--------+---------------------------------------------------------------------------+--------
     1 | download.opensuse.org-non-oss       | Main Repository (NON-OSS)               | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/non-oss/         |        
     2 | download.opensuse.org-non-oss_1     | Update Repository (Non-Oss)             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/non-oss/                    |        
     3 | download.opensuse.org-oss           | Main Repository (OSS)                   | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/oss/             |        
     4 | download.opensuse.org-oss_1         | Main Update Repository                  | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/oss                         |        
     5 | ftp.gwdg.de-suse                    | Packman Repository                      | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://ftp.gwdg.de/pub/linux/packman/suse/openSUSE_Leap_42.1/             |        
     6 | http-download.opensuse.org-756b260e | home:ecsos                              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/ |        
     7 | http-download.opensuse.org-d2043906 | KDE:Extra                               | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.1/  |        
     8 | openSUSE-42.1-0                     | openSUSE-42.1-0                         | Yes     | (r ) Yes  | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-PLDS_DVD-ROM_DH-16D5S                  |        
     9 | repo-debug                          | openSUSE-Leap-42.1-Debug                | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/oss/       |        
    10 | repo-debug-non-oss                  | openSUSE-Leap-42.1-Debug-Non-Oss        | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/non-oss/   |        
    11 | repo-debug-update                   | openSUSE-Leap-42.1-Update-Debug         | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/oss                   |        
    12 | repo-debug-update-non-oss           | openSUSE-Leap-42.1-Update-Debug-Non-Oss | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/non-oss/              |                                                                    
    13 | repo-source                         | openSUSE-Leap-42.1-Source               | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/leap/42.1/repo/oss/      |                                                                    
    14 | repo-update                         | openSUSE-Leap-42.1-Update               | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/oss/                        |
    I have no issue with the Packman repo key, but, almost daily, I have to refresh either KDE:Extra or home:ecsos for Software Updates to work.

    Even though I have chosen to import the untrusted keys, neither of them shows up in the Yast Software Repositories' GPG Keys window. The only ones listed are:
    openSUSE Project Signing Key <opensuse@opensuse.org>; Finger Print: 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
    PackMan Project (signing key) <packman@links2linux.de>; Finger Print: F8875B880D518B6B8C530D1345A1D0671ABD1AFB

    I don't know if this is caused by:
    1) a problem with the integrity of my local repository management, or
    2) the fact that the KDE:Extra and home:ecsos repository key files are modified (though the key is not changed) almost daily:
    http://download.opensuse.org/reposit...42.1/repodata/
    http://download.opensuse.org/reposit...42.1/repodata/

    Or something else.

    What can I do so that I do not have to constantly refresh these repos?

    Lee

  2. #2
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,652

    Default Re: Do I have 'ghost' repo keys?

    Exactly what do you mean with "refresh" ??

    You have set the refresh flag on the repos so they will be refreshed when you update. So not clear what you are refreshing

  3. #3

    Default Re: Do I have 'ghost' repo keys?

    I am having to manually refresh the 'troubled' repositories.

    When Software Updates (in the system tray) runs, it gives me an error saying that there is an untrusted key and therefore no update is executed. I have to go in to Yast -> Software Repositories, highlight the repo (KDE:Extra or home:ecsos) and click Refresh Selected from the Refresh drop-down menu.

    After doing that, the key does not appear in the list of keys in the "GPG Keys..." dialog, but an update will then execute with no errors. I have to keep doing this manual refresh almost daily.

    Does that explain it better?

    Lee

  4. #4
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,888

    Default Re: Do I have 'ghost' repo keys?

    Quote Originally Posted by tleedavidson View Post
    When Software Updates (in the system tray) runs,
    You did not explain that in your first post. You apparently thought that "everybody" will do the same thing the same way as you do them. This is not the case.
    Henk van Velden

  5. #5
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    3,891

    Default AW: Do I have 'ghost' repo keys?

    When Software Updates (in the system tray) runs, it gives me an error saying that there is an untrusted key and therefore no update is executed.
    Open a Konsole/Terminal, switch to root and than run:
    Code:
    zypper up
    Maybe you can than trust the Keys from the Repos.

    Or post the complete Output from Konsole her in Code-Tags.

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,952
    Blog Entries
    2

    Default Re: Do I have 'ghost' repo keys?

    Sounds like for some reason at least one of your repos is mis-configured and even when you are challenged for its GPG keys and you accept, it's accepted only for that one time instead of the option "always." You probably have seen this when you updated manually but chose the wrong option.

    In any case, I'm guessing (because your problem is rather unique, most people choose the right option), running the following command should fix your problem completely
    Code:
    zypper --gpg-auto-import-keys ref
    The above fixes all your repos, after that any time your system invokes patches or updates you shouldn't be bothered about gpg keys (until you add a new repo).

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7

    Default Re: Do I have 'ghost' repo keys?

    @hcvv, I did say, "I have to refresh either KDE:Extra or home:ecsos for Software Updates to work." [emphasis added] I thought that made it clear since I do not know what other name to use to refer to the system tray Software Updates. My mistake.

    @Sauerland, it doesn't seem to matter if I use Yast or "zypper up" to trust the keys. The issue remains. I have even removed and re-added the repos, and that didn't fix it.

    @tsu2, whenever I used "zypper up", I chose to trust the keys "always". I thought that was the right option.

    Following your advice:
    Code:
    me@linux-pvlm:/etc/zypp/repos.d> sudo zypper --gpg-auto-import-keys ref
    root's password:
    Repository 'Main Repository (NON-OSS)' is up to date.                                                                                       
    Repository 'Update Repository (Non-Oss)' is up to date.                                                                                     
    Repository 'Main Repository (OSS)' is up to date.                                                                                           
    Repository 'Main Update Repository' is up to date.                                                                                          
    Repository 'Packman Repository' is up to date.                                                                                              
    Repository 'KDE:Extra' is up to date.                                                                                                       
    Repository 'openSUSE-42.1-0' is up to date.                                                                                                 
    Repository 'openSUSE-Leap-42.1-Update' is up to date.                                                                                       
    All repositories have been refreshed.
    The relevant keys do not appear to have been refreshed (home:ecsos & KDE:Extra, respectively):
    Code:
    me@linux-pvlm:/var/cache/zypp/raw/http-download.opensuse.org-756b260e/repodata> ll
    total 316
    -rw-r--r-- 1 root root  33451 Dec 26 02:58 13b0613f5c31db13ccd02252608c9b9f5866b289a92432adcee0cf5ae0b38bc9-appdata.xml.gz
    -rw-r--r-- 1 root root  41906 Dec 29 00:33 d48d8adde88049e3ba7ef3d21167c19ecba2fa219413f23eb461727f08096218-app-icons.tar.gz
    -rw-r--r-- 1 root root 225307 Dec 29 00:33 df382dd957f6feba4b1083837262068872bfb84c1b459ccdc9b6f7f3cb4c58f5-primary.xml.gz
    -rw-r--r-- 1 root root   2441 Dec 30 12:41 repomd.xml
    -rw-r--r-- 1 root root    189 Dec 29 00:33 repomd.xml.asc
    -rw-r--r-- 1 root root    999 Dec 29 00:33 repomd.xml.key
    
    me@linux-pvlm:/var/cache/zypp/raw/http-download.opensuse.org-d2043906/repodata> ll
    total 760
    -rw-r--r-- 1 root root 422147 Dec 30 12:42 4e3913693b90d1082b241a2cffa8134db57a53351e11f0b2a540962bb6b31aa8-primary.xml.gz
    -rw-r--r-- 1 root root 133741 Dec 30 12:42 e1e98e770392fb555f1deca9822030e3c1ace0f83ac609a4a3e4e630b6cc0507-app-icons.tar.gz
    -rw-r--r-- 1 root root 201175 Dec 27 10:34 ff5bf2144d08ba74f42d82cace81392ccb671db50afcb35cec1238ed02ad75e9-appdata.xml.gz
    -rw-r--r-- 1 root root   2444 Dec 31 10:36 repomd.xml
    -rw-r--r-- 1 root root    481 Dec 30 12:41 repomd.xml.asc
    -rw-r--r-- 1 root root   1089 Dec 30 12:41 repomd.xml.key
    And, they still do not show up in Yast -> Software Repositories -> GPG Keys. But the timestamps of the repository definition (*.repo) files in /etc/zypp/repos.d were updated.

    Then, while I was still trying to sort this out and determine what more info I might be able to provide, Software Updates triggered/launched and again told me, "A security trust relationship is not present..."

    Running "zypper up" shows that the key for home:ecsos needs to be trusted, again. And, looking at the repository Index at http://download.opensuse.org/reposit...42.1/repodata/ shows that the key files have been modified today.

    Does zypper use the "Last modified" timestamp of the key files to determine if a key needs to be re-trusted?

    Maybe the following info can help (paying attention to http-download.opensuse.org-756b260e).

    Code:
    linux-pvlm:/var/cache/zypp/raw # ll
    total 0
    drwxr-xr-x 1 root root 236 Dec 14 12:10 download.opensuse.org-non-oss
    drwxr-xr-x 1 root root  44 Dec 30 09:53 download.opensuse.org-non-oss_1
    drwxr-xr-x 1 root root 264 Dec 14 12:10 download.opensuse.org-oss
    drwxr-xr-x 1 root root  44 Dec 30 14:52 download.opensuse.org-oss_1
    drwxr-xr-x 1 root root  44 Dec 31 09:58 ftp.gwdg.de-suse
    drwxr-xr-x 1 root root  44 Dec 29 00:33 http-download.opensuse.org-756b260e
    drwxr-xr-x 1 root root  44 Dec 30 12:42 http-download.opensuse.org-d2043906
    drwxr-xr-x 1 root root 264 Dec 14 07:09 openSUSE-42.1-0
    drwxr-xr-x 1 root root  44 Dec 30 14:53 repo-update
    linux-pvlm:/var/cache/zypp/raw # ll http-download.opensuse.org-756b260e/repodata
    total 316
    -rw-r--r-- 1 root root  33451 Dec 26 02:58 13b0613f5c31db13ccd02252608c9b9f5866b289a92432adcee0cf5ae0b38bc9-appdata.xml.gz
    -rw-r--r-- 1 root root  41906 Dec 29 00:33 d48d8adde88049e3ba7ef3d21167c19ecba2fa219413f23eb461727f08096218-app-icons.tar.gz
    -rw-r--r-- 1 root root 225307 Dec 29 00:33 df382dd957f6feba4b1083837262068872bfb84c1b459ccdc9b6f7f3cb4c58f5-primary.xml.gz
    -rw-r--r-- 1 root root   2441 Dec 30 12:41 repomd.xml
    -rw-r--r-- 1 root root    189 Dec 29 00:33 repomd.xml.asc
    -rw-r--r-- 1 root root    999 Dec 29 00:33 repomd.xml.key
    linux-pvlm:/var/cache/zypp/raw # zypper up
    Retrieving repository 'home:ecsos' metadata ---------------------------------------------------------------------------------------------[\]
    
    New repository or package signing key received:
    
      Repository:       home:ecsos                                            
      Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
      Key Fingerprint:  4A0AD3A4 6EF60FC4 F263D732 9DF60496 523F2A20          
      Key Created:      Mon 21 Dec 2015 03:15:09 PM EST                       
      Key Expires:      Wed 28 Feb 2018 03:15:09 PM EST                       
      Rpm Name:         gpg-pubkey-523f2a20-56785dcd                          
    
    
    Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r):
    Then from a different terminal window:
    Code:
    linux-pvlm:/var/cache/zypp/raw # ll
    total 0
    drwxr-xr-x 1 root root 236 Dec 14 12:10 download.opensuse.org-non-oss
    drwxr-xr-x 1 root root  44 Dec 30 09:53 download.opensuse.org-non-oss_1
    drwxr-xr-x 1 root root 264 Dec 14 12:10 download.opensuse.org-oss
    drwxr-xr-x 1 root root  44 Dec 30 14:52 download.opensuse.org-oss_1
    drwxr-xr-x 1 root root  44 Dec 31 09:58 ftp.gwdg.de-suse
    drwxr-xr-x 1 root root  44 Dec 29 00:33 http-download.opensuse.org-756b260e
    drwxr-xr-x 1 root root  16 Dec 31 11:48 http-download.opensuse.org-756b260eBnoEJv
    drwxr-xr-x 1 root root  44 Dec 30 12:42 http-download.opensuse.org-d2043906
    drwxr-xr-x 1 root root 264 Dec 14 07:09 openSUSE-42.1-0
    drwxr-xr-x 1 root root  44 Dec 30 14:53 repo-update
    linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260e/repodata/repomd.xml.key
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    
    mQGiBE49jDERBACkgPh1Nk+3nxaBIZejJYwu05DwiJWxHE9wH1xy66ZWw20D8qv1
    S6GU6IzWp9m12p+IH7LkCRuf7E4nR3jLNuULoS6OACqmE0EeVg1De1TxALInUrca
    PdTOTs8240kvrtGhlafxCaFM00sSnXuQ0fdnq2WHaJ1p/QcSzJgUAaZvzwCg7E8f
    OkMTx1MnfFIjXVVfFFDgm8cD/1Fpi0ARSAkVuGc3RijUI/sRPKCypHyIspIGHRyg
    p3v45GUGszM2+ySOHfT/jgV4zzui3J9+cPjMrkO3p80WHrip7EQnqW5I2A3khRRX
    zvppDrSfx5GGdC6Uc4lyq8vTE2SNgNWhNET0qtXCcYBcVP+bBloHZ5L0lWJvb81c
    EfKYA/4zX3MWdsc6iP6PWNCx76+Yx44Mv4Gk4uugoKrOg491y92bEWNuJGZ70YXu
    ex8K/G1BC7koSzLpKTFfbaCKqow0Kcof44tBO4BkZoGXasXeHUBG2dy8V6ajkzcu
    p1cXXSHvIZD4r9UTvIjBbYnsKMbWVfyBGm1PwBvniwSjWLUaqbQ2aG9tZTplY3Nv
    cyBPQlMgUHJvamVjdCA8aG9tZTplY3Nvc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
    ExECACYFAlZ4Xc0CGwMFCQxZgZwGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCd
    9gSWUj8qIMQJAKDi121hhq3+pAJgUdu8w7sfIPNQ+QCfWxwg7d+SdhkvV1jbM+E1
    c739edGIRgQTEQIABgUCTj2MMQAKCRA7MBG3a51lI458AJ0aR6KhO3DNbvDl71+w
    rl1a9kVd4wCfZBpA4dvtl1N2lx0ah/AvK4W/OBs=
    =tHHy
    -----END PGP PUBLIC KEY BLOCK-----
    linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260eBnoEJv/repodata/repomd.xml.key
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    
    mQGiBE49jDERBACkgPh1Nk+3nxaBIZejJYwu05DwiJWxHE9wH1xy66ZWw20D8qv1
    S6GU6IzWp9m12p+IH7LkCRuf7E4nR3jLNuULoS6OACqmE0EeVg1De1TxALInUrca
    PdTOTs8240kvrtGhlafxCaFM00sSnXuQ0fdnq2WHaJ1p/QcSzJgUAaZvzwCg7E8f
    OkMTx1MnfFIjXVVfFFDgm8cD/1Fpi0ARSAkVuGc3RijUI/sRPKCypHyIspIGHRyg
    p3v45GUGszM2+ySOHfT/jgV4zzui3J9+cPjMrkO3p80WHrip7EQnqW5I2A3khRRX
    zvppDrSfx5GGdC6Uc4lyq8vTE2SNgNWhNET0qtXCcYBcVP+bBloHZ5L0lWJvb81c
    EfKYA/4zX3MWdsc6iP6PWNCx76+Yx44Mv4Gk4uugoKrOg491y92bEWNuJGZ70YXu
    ex8K/G1BC7koSzLpKTFfbaCKqow0Kcof44tBO4BkZoGXasXeHUBG2dy8V6ajkzcu
    p1cXXSHvIZD4r9UTvIjBbYnsKMbWVfyBGm1PwBvniwSjWLUaqbQ2aG9tZTplY3Nv
    cyBPQlMgUHJvamVjdCA8aG9tZTplY3Nvc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
    ExECACYFAlZ4Xc0CGwMFCQxZgZwGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCd
    9gSWUj8qIMQJAKDi121hhq3+pAJgUdu8w7sfIPNQ+QCfWxwg7d+SdhkvV1jbM+E1
    c739edGIRgQTEQIABgUCTj2MMQAKCRA7MBG3a51lI458AJ0aR6KhO3DNbvDl71+w
    rl1a9kVd4wCfZBpA4dvtl1N2lx0ah/AvK4W/OBs=
    =tHHy
    -----END PGP PUBLIC KEY BLOCK-----
    The key itself has not changed. But the ASC file (whatever that is exactly) has:
    Code:
    linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260e/repodata/repomd.xml.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQBYZColnfYEllI/KiARAhv6AKC+kl863POeHbb4TMyF+8kfGZj/JQCbB1Mv
    lMsJRPow8mcyJxOTNMW1Iiw=
    =3+Fn
    -----END PGP SIGNATURE-----
    linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260eBnoEJv/repodata/repomd.xml.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQBYZ27TnfYEllI/KiARAggTAJ0THMfclgGNxHaaz9CZAg2+IjKSbgCfTfDN
    VmcNAtpQ4mEQjo+7ZIV2apI=
    =6cZ8
    -----END PGP SIGNATURE-----
    I don't understand why the ASC file would have changed if the key didn't. And, is that why I have to keep re-trusting the key even though I have chosen to "always" trust it?

    Lee

  8. #8
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    3,891

    Default AW: Do I have 'ghost' repo keys?

    As root (not sudo)
    Code:
    zypper clean -a && zypper ref

  9. #9
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,888

    Default Re: AW: Do I have 'ghost' repo keys?

    Quote Originally Posted by Sauerland View Post
    As root (not sudo)
    What's the difference?
    Henk van Velden

  10. #10
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,888

    Default Re: Do I have 'ghost' repo keys?

    Quote Originally Posted by tleedavidson View Post
    @hcvv, I did say, "I have to refresh either KDE:Extra or home:ecsos for Software Updates to work." [emphasis added] I thought that made it clear since I do not know what other name to use to refer to the system tray Software Updates. My mistake.
    Well, many people when reading the generic English language "Software Updates" term will think things like zypper up or the YaST equivalent (specially those who haven't the applet on their desktop). The meaning of my post is to spread that one should (not only) use generic terms, but at least tell/show exactly in technical terms what was done. Not only in this case, but in general. Will avoid a lot of confusion.

    In any case, enjoy the new year.
    Henk van Velden

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •