Signature verification failed

Subzero01 · January 8, 2020, 2:25am

Hi
When I started my computer today, I got a message pop-up that said:

Fatal Error:Signature verification failed for file 'repomd.xml' from repository 'nVidia Graphics Drivers'.

When I run zypper it showed this:

Retrieving repository 'nVidia Graphics Drivers' metadata ------------------------\]
Signature verification failed for file 'repomd.xml' from repository 'nVidia Graphics Drivers'.

    Note: Signing data enables the recipient to verify that no modifications
    occurred after the data were signed. Accepting data with no, wrong or unknown
    signature can lead to a corrupted system and in extreme cases even to a system
    compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the
    integrity of the whole repo.

    Warning: This file was modified after it has been signed. This may have been a
    malicious change, so it might not be trustworthy anymore! You should not
    continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'nVidia Graphics Drivers'. Continue? [yes/no] (no):

Here are my repos:

Leap15:~ # zypper lr -d
#  | Alias                            | Name                                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                      | Service
---+----------------------------------+-----------------------------------------+---------+-----------+---------+----------+--------+--------------------------------------------------------------------------+--------
 1 | download.nvidia.com-leap         | nVidia Graphics Drivers                 | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | https://download.nvidia.com/opensuse/leap/15.0                           |        
 2 | http-opensuse-guide.org-8702b9e7 | libdvdcss repository                    | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_15.0/                       |        
 3 | http-packman.inode.at-abdee5d1   | Packman Repository                      | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://packman.inode.at/suse/openSUSE_Leap_15.0/                         |        
 4 | openSUSE-Leap-15.0-1             | openSUSE-Leap-15.0-1                    | Yes     | (r ) Yes  | No      |   99     | rpm-md | cd:/?devices=/dev/disk/by-id/ata-DRW-24D5MT_K2OG5KA2357                  |        
 5 | repo-debug                       | openSUSE-Leap-15.0-Debug                | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/15.0/repo/oss/      |        
 6 | repo-debug-non-oss               | openSUSE-Leap-15.0-Debug-Non-Oss        | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/15.0/repo/non-oss/  |        
 7 | repo-debug-update                | openSUSE-Leap-15.0-Update-Debug         | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/update/leap/15.0/oss/                 |        
 8 | repo-debug-update-non-oss        | openSUSE-Leap-15.0-Update-Debug-Non-Oss | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/update/leap/15.0/non-oss/             |        
 9 | repo-non-oss                     | openSUSE-Leap-15.0-Non-Oss              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/15.0/repo/non-oss/        |        
10 | repo-oss                         | openSUSE-Leap-15.0-Oss                  | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/15.0/repo/oss/

Should I press yes|no at the prompt?
thank you, your help in always appreciated

Max314 · January 8, 2020, 4:36am

I got the same notice on my Leap 15.0 system that the NVIDIA graphics drivers’ GPG key failed the integrity check.

Is the signature below the correct, authentic one for the NVIDIA graphics drivers?

If the NVIDIA key was signed with the openSUSE Project Signing Key (Key ID: B88B2FD43DBDC284), which it is not, we could know with some certainty NVIDA’s key is authentic; saving many people from wondering if NVIDIA’s key is genuine.

I also noticed whan manually checking the NVIDA repositories for Leap 15.0 and Leap 15.1 that the exact same key in Leap 15.0 is used in Leap 15.1, so the GPG key integrity check failure in Leap 15.0 is highly likely to be present in Leap 15.1 too. No?

Data for the GPG key in question:


Key: F5113243C66B6EAE
Name: NVIDIA Corporation <linux-bugs@nvidia.com>
Finger Print: 9B763D49D8A5C892FC178BACF5113243C66B6EAE
Created: 06/15/2006

Searching NVIDIA.com, including the developer part, did not yield any reference nor answers about this specific key.

The only place this specific key shows up on the entire Internet outside of opensuse.org, and publicly accessible key servers, which are not an authoritative answers to whether the key is genuine and valid is:
https://www.mythtv.org/wiki/Opensuse_10.2

nrickert · January 8, 2020, 4:58am

I just enable the nVidia repo on Leap 15.1 system, and attempted to refresh. And I get the same error. I then disabled (I don’t have an nvidia graphics card, so I don’t actually need that repo).

I checked that. If the problem was only for 15.0, I would remind you that it is past end-of-life. But since the problem also applies to 15.1, I guess that’s not the answer.

My usual advice, when I see this problem, is to wait a few hours and then try again. The repo may have some incomplete updates underway.

If this is holding up other updates, then I suggest that you temporarily disable the nvidia repo, and then do your other updates. You can re-enable and retest after a day or two. And if still broken at that time, maybe a bug report would be appropriate.

Sauerland · January 8, 2020, 7:10am

https://lists.opensuse.org/opensuse-buildservice/2020-01/msg00034.html

Max314 · January 9, 2020, 2:41am

When I refresh the NVIDIA repository today on my Leap 15.0 system, the NVIDIA graphics drivers’ GPG key does not fail the integrity check. So, the problem appears to be solved at least for Leap 15.0.

Max314 · January 9, 2020, 2:46am

nrickert, please do us a favor and check on your Leap 15.1 system if the the NVIDIA graphics drivers’ GPG key still fails the integrity check. I expect the problem will be resolved for Leap 15.1 too.

Thanks in advance.

nrickert · January 9, 2020, 4:43am

Yes, it is fine now for Leap 15.1. So it looks as if the repos have been properly rebuilt and the problem solved.

Somebody with Tumbleweed might want to chime in on the status there.

Max314 · January 10, 2020, 1:44am

Thank you nrickert!

I’m glad to know I can upgrade now to Leap 15.1 without the graphics repo being a problem.

nrickert · January 10, 2020, 2:25am

And you probably should upgrade, given that 15.0 is out of support.

Max314 · January 11, 2020, 3:31am

I was intending to upgrade just before the signature verification problem. When the Software Update applet notified me of the signature problem, I decided to delay the upgrade to make sure the problem would not be present in Leap 15.1.