A new key for 15.5?

dufresnep · May 18, 2023, 9:33pm

paul@localhost:~> LANG=C sudo zypper update
[sudo] password for root: 

New repository or package signing key received:

  Repository:       Update repository of openSUSE Backports
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  Key Algorithm:    RSA 4096
  Key Created:      Wed May 10 10:46:12 2023
  Key Expires:      Sun May  9 10:46:12 2027
  Rpm Name:         gpg-pubkey-25db7ae0-645bae34

Key Name : openSUSE:Backports OBS Project openSUSE:Backports@build.opensuse.org
Key Fingerprint: 637B32FF 3D83F07A 7AE1C40A 9C214D40 65176565


Can I truse this new key?

nrickert · May 18, 2023, 11:07pm

I presume so.

You would not have received this package unless it was signed by a key that you already have.

This is probably part of the move to using 4096 bit keys. Previously the keys were 2048 bits.

arvidjaar · May 19, 2023, 4:09am

It is not a package. It is repository signing key which itself - as far as I know - is not signed by any of the previous keys. Which would be sensible addition actually.

You do not have any more - or less - reasons to trust it than when adding this repository as entirely new. I guess in this case it is simple majority - if most users see the same key accessing openSUSE repository then this is likely the actual content on openSUSE server and not the attempt to impersonate it. I confirm that I see the same key via rsync.