Thread: zypper refresh not automatically importing repository signing key even with --gpg-auto-import-keys o

  1. #1

    [Originally posted on https://github.com/openSUSE/zypper/issues/144]

    OS Details
    OS: openSUSE Leap 42.2 (using `opensuse:42.2` docker image)
    Zypper version: 1.13.32

    Code:
    bash-4.3# cat /etc/os-release 
    NAME="openSUSE Leap"
    VERSION="42.2"
    ID=opensuse
    ID_LIKE="suse"
    VERSION_ID="42.2"
    PRETTY_NAME="openSUSE Leap 42.2"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:opensuse:leap:42.2"
    BUG_REPORT_URL="https://bugs.opensuse.org"
    HOME_URL="https://www.opensuse.org/"
    
    bash-4.3# zypper --version
    zypper 1.13.32

    Environment
    I have configured a repo to be used with zypper. The following shows the content of the `.repo` file:
    Code:
    bash-4.3# cat /etc/zypp/repos.d/gitlab_gitlab-ee.repo 
    [gitlab_gitlab-ee]
    name=gitlab_gitlab-ee
    baseurl=https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/$basearch
    repo_gpgcheck=1
    pkg_gpgcheck=1
    enabled=1
    gpgkey=https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
           https://packages.gitlab.com/gitlab/g...9FBD22.pub.gpg
    autorefresh=1
    type=rpm-md
    
    [gitlab_gitlab-ee-source]
    name=gitlab_gitlab-ee-source
    baseurl=https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS
    repo_gpgcheck=1
    pkg_gpgcheck=1
    enabled=1
    gpgkey=https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
           https://packages.gitlab.com/gitlab/g...9FBD22.pub.gpg
    autorefresh=1
    type=rpm-md

    Problem
    Even if I provide the `--gpg-auto-import-keys` option to the refresh command, zypper warns me about an unknown key. Theoretically, it should simply import and trust the key, but that is not happening.

    Code:
    bash-4.3# zypper --gpg-auto-import-keys refresh gitlab_gitlab-ee
    Retrieving repository 'gitlab_gitlab-ee' metadata ----------------------------------------------------------------------------------------------------------------------------[|]
    Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'.
    
        Note: Signing data enables the recipient to verify that no modifications occurred after the data
        were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
        and in extreme cases even to a system compromise.
    
        Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
        whole repo.
    
        Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
        anymore! You should not continue unless you know it's safe.
    
    File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'. Continue? [yes/no] (no):

    I also tried the following to see if that fixed it, with no luck.
    1. Run the command in non-interactive mode, because the man page says:
       --gpg-auto-import-keys
           If new repository signing key is found, do not ask what to do; trust and import it automatically. This
           option causes that the new key is imported also in non-interactive mode, where it would otherwise got
           rejected.
    2. Manually get the keys to my keychain using `gpg --recv-keys` and then try zypper refresh

    Any help would be appreciated as I fail to see why this happens. Thanks.

  2. #2

    Nothing wrong catches my eye although I'd suggest running your refresh command without specifying the repo name... The command without specifying the repo will automatically accept keys for all repos as needed, and removes a possible point of error (specifying the repo correctly).

    So, as follows (see if the following works)
    Code:
    zypper --gpg-auto-import-keys ref
    Also,
    To make your provided info complete (and incidentally possibly confirming mis-identifying the repo), you should also post the command you used to add the repo and/or the installed repo as follows (I'm suggesting the general command to list all your repos on the chance that specifying the individual repo might be faulty)
    Code:
    zypper lr -d
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Hi tsu2,

    Originally posted by tsu2:
    > Nothing wrong catches my eye although I'd suggest running your refresh command without specifying the repo name... The command without specifying the repo will automatically accept keys for all repos as needed, and removes a possible point of error (specifying the repo correctly).
    >
    > So, as follows (see if the following works)
    > Code:
    > zypper --gpg-auto-import-keys ref
    > Also,
    > To make your provided info complete (and incidentally possibly confirming mis-identifying the repo), you should also post the command you used to add the repo and/or the installed repo as follows (I'm suggesting the general command to list all your repos on the chance that specifying the individual repo might be faulty)
    > Code:
    > zypper lr -d
    > TSU

    Thanks for the reply. I manually added the repo by creating a file in /etc/zypp/repos.d and pasting the contents I gave above. The output of the command you suggested is
    Code:
    bash-4.3# zypper lr -d
    
    Repository priorities are without effect. All enabled repositories share the same priority.
    
    # | Alias                   | Name                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                    | Service
    --+-------------------------+-------------------------+---------+-----------+---------+----------+--------+------------------------------------------------------------------------+--------
    1 | NON OSS                 | NON OSS                 | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/42.2/repo/non-oss/suse/ |        
    2 | NON OSS Update          | NON OSS Update          | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/non-oss/                 |        
    3 | OSS                     | OSS                     | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/     |        
    4 | OSS Update              | OSS Update              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/oss/                     |        
    5 | gitlab_gitlab-ee        | gitlab_gitlab-ee        | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/x86_64      |        
    6 | gitlab_gitlab-ee-source | gitlab_gitlab-ee-source | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS       |

    One thing that caught my eye is the ( p) Yes under the GPG Check column. What does that mean? Will that have any effect?

    Also, trying refresh without specifying any repo name also didn't work
    Code:
    bash-4.3# zypper --gpg-auto-import-keys ref
    Repository 'NON OSS' is up to date.                                                                                                                                              
    Repository 'NON OSS Update' is up to date.                                                                                                                                       
    Repository 'OSS' is up to date.                                                                                                                                                  
    Repository 'OSS Update' is up to date.                                                                                                                                           
    Retrieving repository 'gitlab_gitlab-ee' metadata ----------------------------------------------------------------------------------------------------------------------------[|]
    Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'.
    
        Note: Signing data enables the recipient to verify that no modifications occurred after the data
        were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
        and in extreme cases even to a system compromise.
    
        Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
        whole repo.
    
        Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
        anymore! You should not continue unless you know it's safe.
    
    File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'. Continue? [yes/no] (no):

  4. #4

    On Sat 16 Dec 2017 03:36:01 PM CST, balasankarc wrote:

    Hi tsu2,

    tsu2;2848193 Wrote:
    > Nothing wrong catches my eye although I'd suggest running your refresh
    > command without specifying the repo name... The command without
    > specifying the repo will automatically accept keys for all repos as
    > needed, and removes a possible point of error (specifying the repo
    > correctly).
    >
    > So, as follows (see if the following works)
    >
    > Code:
    > --------------------
    > zypper --gpg-auto-import-keys ref
    > --------------------
    >
    > Also,
    > To make your provided info complete (and incidentally possibly
    > confirming mis-identifying the repo), you should also post the command
    > you used to add the repo and/or the installed repo as follows (I'm
    > suggesting the general command to list all your repos on the chance
    > that specifying the individual repo might be faulty)
    >
    > Code:
    > --------------------
    > zypper lr -d
    > --------------------
    >
    > TSU


    Thanks for the reply. I manually added the repo by creating a file in
    /etc/zypp/repos.d and pasting the contents I gave above. The output of
    the command you suggested is

    Code:
    --------------------
    bash-4.3# zypper lr -d

    Repository priorities are without effect. All enabled repositories share the same priority.

    # | Alias                   | Name                    | Enabled | GPG Check | Refresh | Priority | Type   | URI | Service
    --+-------------------------+-------------------------+---------+-----------+---------+----------+--------+------------------------------------------------------------------------+--------
    1 | NON OSS                 | NON OSS                 | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distrib.../non-oss/suse/ |
    2 | NON OSS Update          | NON OSS Update          | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/non-oss/ |
    3 | OSS                     | OSS                     | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distrib...repo/oss/suse/ |
    4 | OSS Update              | OSS Update              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/oss/ |
    5 | gitlab_gitlab-ee        | gitlab_gitlab-ee        | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/g...se/42.2/x86_64 |
    6 | gitlab_gitlab-ee-source | gitlab_gitlab-ee-source | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/g...use/42.2/SRPMS |
    --------------------


    One thing that caught my eye is the (p) Yes under GPGCheck column. What
    does that mean? Will that have any effect?

    Also, trying refresh without specifying any repo name also didn't work

    Code:
    --------------------
    bash-4.3# zypper --gpg-auto-import-keys ref
    Repository 'NON OSS' is up to date.
    Repository 'NON OSS Update' is up to date.
    Repository 'OSS' is up to date.
    Repository 'OSS Update' is up to date.
    Retrieving repository 'gitlab_gitlab-ee' metadata ----------------------------------------------------------------------------------------------------------------------------[|]
    Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'.

        Note: Signing data enables the recipient to verify that no modifications occurred after the data
        were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
        and in extreme cases even to a system compromise.

        Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
        whole repo.

        Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
        anymore! You should not continue unless you know it's safe.

    File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'. Continue? [yes/no] (no):
    --------------------


    Hi
    Import the key;
    https://packages.gitlab.com/app/gitlab/gitlab-ee/gpg

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.2|GNOME 3.20.2|4.4.92-18.36-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  5. #5

    Hi malcolmlewis,

    The original question was why wasn't zypper auto-importing the key, as the flag is supposed to make it do. The key is available in public keyservers like pgp.mit.edu. Also, I had already tried out the following method
    1. Get the gpg key using `gpg --recv-keys <key id>`
    2. Set ultimate trust
    3. Try zypper refresh

    But that too gave me the same result.
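
Added example (not part of the thread and not zypper's own code): zypper checks repository signatures against the RPM keyring, where an imported key shows up as a `gpg-pubkey-<short id>-<timestamp>` pseudo-package, so a key fetched with `gpg --recv-keys` into a user's GnuPG keyring is not where it looks. The script takes the warning format shown in this thread plus an `rpm -q gpg-pubkey` listing and reports whether the reported key is present; the function names are hypothetical and the keyring listing is constructed.

```shell
#!/usr/bin/env bash
# Added example: map the key ID from zypper's warning to its RPM keyring entry.

# The warning line is the one shown in this thread.
ZYPPER_OUT="Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'."
# Constructed sample of what `rpm -q gpg-pubkey` prints (values are made up).
RPM_KEYS_SAMPLE="gpg-pubkey-0123abcd-5a000000
gpg-pubkey-89abcdef-5a000001"

# Print each distinct 16-digit key ID that zypper reported as unknown.
# The pattern follows the message text in this thread; other zypper
# versions may word it differently.
unknown_key_ids() {
  printf '%s\n' "$1" |
    sed -n "s/.*signed with an unknown key '\([0-9A-Fa-f]\{16\}\)'.*/\1/p" |
    sort -u
}

# rpm names an imported key gpg-pubkey-<last 8 hex digits, lower case>-<time>.
rpm_name_prefix() {
  printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^.*\(.\{8\}\)$/gpg-pubkey-\1-/'
}

# Return 0 if the key ID has an entry in the given keyring listing.
key_in_rpm_keyring() {
  printf '%s\n' "$2" | grep -q "^$(rpm_name_prefix "$1")"
}

# For every unknown key, say whether the RPM keyring already holds it.
report() {
  local out="$1" keys="$2" id
  for id in $(unknown_key_ids "$out"); do
    if key_in_rpm_keyring "$id" "$keys"; then
      echo "$id present"
    else
      echo "$id missing"
    fi
  done
}

# On a real system: report "$(zypper -n ref 2>&1)" "$(rpm -q gpg-pubkey)"
report "$ZYPPER_OUT" "$RPM_KEYS_SAMPLE"
```

A key reported as missing has to be fetched from the repository's published key URL, have its fingerprint checked against the vendor's documentation, and then be added with `rpm --import`.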

  6. #6

    Hi!

    Originally posted by balasankarc:
    > The key is available in public keyservers like pgp.mit.edu.

    Are you sure?

  7. #7

    I managed to import the GPG key via Yast2 → Software Repositories → GPG Keys...

    But even after that, the repository seems to be empty:

    Code:
    zypper packages -r gitlab-runner
    Loading repository data...
    Reading installed packages...
    No packages found.

    Which is perhaps more of a problem?

  8. #8

    When I open the URL of your repo in a web browser, I get an empty page when I expect to see various files including a repo definition file.

    So,
    You've got to fix that.

    Then,
    I'd also recommend adding your repo using the zypper command line because it leaves less possibility for making a mistake. For instance, I can't check because your path currently leads to an empty page but I would test whether your first entry for the GPG key is necessary or correct.

    I'd recommend first deleting (or moving elsewhere) your current repo file (client side) and then when the URL actually points to something running something like the following
    Code:
    zypper ar -f https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS gitlab_gitlab-ee-source && zypper --gpg-auto-import-keys ref
    TSU
