Chrome signature failure

Running an update today I was greeted with a signature failure for Chrome. Looking at my keyrings I have the keys installed, and taking a look at a public keyserver the key seems to have a valid binding signature (search results for '0x32ee5355a6bc6e42').
But the update is failing with no valid binding signature.

Is anyone else seeing this?

error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
warning: /var/cache/zypp/packages/google-chrome/google-chrome-stable-133.0.6943.53-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a6bc6e42: NOTTRUSTED
error: Subkey e88979fb9b30acf2 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
error: Subkey e88979fb9b30acf2 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
        package google-chrome-stable-133.0.6943.53-1.x86_64 does not verify: Header V4 RSA/SHA512 Signature, key ID a6bc6e42: NOTTRUSTED
(2/2) Installing: google-chrome-stable-133.0.6943.53-1.x86_64 ......................................................................................[error]
Installation of google-chrome-stable-133.0.6943.53-1.x86_64 failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 2.

Works fine here on all machines. But an explanation and remedy for your issue is described by Google:
https://www.google.com/linuxrepositories/

Unfortunately, your output text didn’t show enough of what was shown BEFORE the errors.

I just did a zypper -vvvv up minutes ago (up, because I’m on Leap 15.6), but doesn’t matter, because I’m using the same Chrome.

# zypper -vvvv up
...
The following 28 packages are going to be upgraded:
...
  google-chrome-stable
    132.0.6834.159-1 -> 133.0.6943.53-1  x86_64
    google-chrome                        Google LLC
...
Retrieving: google-chrome-stable-133.0.6943.53-1.x86_64 (google-chrome)                           (27/28), 111.0 MiB
Retrieving: https://dl.google.com/linux/chrome/rpm/stable/x86_64/google-chrome-stable-133.0.6943.53-[done (105.8 MiB/s)]
...
(27/28) Installing: google-chrome-stable-133.0.6943.53-1.x86_64 ..................................................[done]
(28/28) Installing: brave-brow

I assume you added the dedicated Chrome repo from Google?
If not, please let us know.

Yeah I added https://dl.google.com/linux/chrome/rpm/stable/x86_64 as a repo

It looks like for some reason that was using an old key, and deleting and reloading from that would not include all the new subkeys. Though after explicitly downloading the new key and making sure it's the one installed, I am still getting an error.

Note I downloaded the standalone RPM to make testing easier.

I cleaned out the old keys, downloaded the key from the Google link above, and you can see the A6BC6E42 key is part of the subkeys.

#:~/Downloads> gpg --show-keys linux_signing_key.pub
pub   dsa1024 2007-03-08 [SC]
      4CCA1EAF950CEE4AB83976DCA040830F7FAC5991
uid                      Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048 2007-03-08 [E]
      9534C9C4130B4DC9927992BF4F30B6B4C07CB649

pub   rsa4096 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid                      Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096 2016-04-12 [S] [expired: 2019-04-12]
      3B068FB4789ABE4AEFA3BB491397BC53640DB551
sub   rsa4096 2017-01-24 [S] [expired: 2020-01-24]
      3E50F6D3EC278FDEB655C8CA6494C6D6997C215E
sub   rsa4096 2019-07-22 [S] [expired: 2022-07-21]
      2F528D36D67B69EDF998D85778BD65473CB3BD13
sub   rsa4096 2021-10-26 [S] [expired: 2024-10-25]
      8461EFA0E74ABAE010DE66994EB27DB2A3B88B8B
sub   rsa4096 2023-02-15 [S] [expires: 2026-02-14]
      A5F483CD733A4EBAEA378B2AE88979FB9B30ACF2
sub   rsa4096 2024-01-30 [S] [expires: 2027-01-29]
      0F06FF86BEEAF4E71866EE5232EE5355A6BC6E42
sub   rsa4096 2025-01-07 [S] [expires: 2028-01-07]
      0E225917414670F4442C250DFD533C07C264648F

Following their command for diffing, showing that is the key that's installed, it looks like it's good.

#:~/Downloads> diff <(gpg --show-keys <(sudo rpm -qi gpg-pubkey-7fac5991-* gpg-pubkey-d38b4796-*) 2> /dev/null)      <(gpg --show-keys linux_signing_key.pub) > /dev/null      && echo "Import successful" || echo "Import failed"
Import successful

However validating the RPM I am still showing that the key listed is not trusted.
key ID a6bc6e42: NOTTRUSTED

#:~/Downloads> rpm --verbose --checksig -v google-chrome-stable_current_x86_64.rpm
D: loading keyring from rpmdb
D: opening  db index       /usr/lib/sysimage/rpm/Packages.db mode=0x0
D: opening  db index       /usr/lib/sysimage/rpm/Index.db mode=0x0
D: opening  db index       Name tag=1000
D: opening  db index       Basenames tag=1117
D: opening  db index       Group tag=1016
D: opening  db index       Requirename tag=1049
D: opening  db index       Providename tag=1047
D: opening  db index       Conflictname tag=1054
D: opening  db index       Obsoletename tag=1090
D: opening  db index       Triggername tag=1066
D: opening  db index       Dirnames tag=1118
D: opening  db index       Installtid tag=1128
D: opening  db index       Sigmd5 tag=261
D: opening  db index       Sha1header tag=269
D: opening  db index       Filetriggername tag=5069
D: opening  db index       Transfiletriggername tag=5079
D: opening  db index       Recommendname tag=5046
D: opening  db index       Suggestname tag=5049
D: opening  db index       Supplementname tag=5052
D: opening  db index       Enhancename tag=5055
D:  read h#       1 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-39db7c82-5f68629b to keyring
D:  read h#       2 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-3dbdc284-53674dd4 to keyring
D:  read h#    2119 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-c66b6eae-4491871e to keyring
D:  read h#    2280 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-222d23d0-5910b0f0 to keyring
D:  read h#    5265 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-df7587c3-576a5c23 to keyring
D: added subkey 0 of main key gpg-pubkey-df7587c3-576a5c23 to keyring
D:  read h#    5331 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-29b700a4-62b07e22 to keyring
D:  read h#   45872 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-c8da93d2-457aded7 to keyring
D:  read h#   68160 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-db27fd5a-62589a51 to keyring
D:  read h#   75520 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-1abd1afb-450ef738 to keyring
D:  read h#   76391 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-5104960e-5bbc7d64 to keyring
D:  read h#   84094 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-3fa1d6ce-63c9481c to keyring
D:  read h#   84095 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-09d9ea69-645b99ce to keyring
D:  read h#   89279 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-7fac5991-45f06f46 to keyring
D:  read h#   89280 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 0 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 1 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 2 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 3 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 4 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 5 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 6 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
google-chrome-stable_current_x86_64.rpm:
error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 (Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>) has no valid binding signature
    Header V4 RSA/SHA512 Signature, key ID a6bc6e42: NOTTRUSTED
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID a6bc6e42: NOTTRUSTED
    MD5 digest: OK
D: closed   db index       Enhancename
D: closed   db index       Supplementname
D: closed   db index       Suggestname
D: closed   db index       Recommendname
D: closed   db index       Transfiletriggername
D: closed   db index       Filetriggername
D: closed   db index       Sha1header
D: closed   db index       Sigmd5
D: closed   db index       Installtid
D: closed   db index       Dirnames
D: closed   db index       Triggername
D: closed   db index       Obsoletename
D: closed   db index       Conflictname
D: closed   db index       Providename
D: closed   db index       Requirename
D: closed   db index       Group
D: closed   db index       Basenames
D: closed   db index       Name
D: closed   db index       /usr/lib/sysimage/rpm/Index.db
D: closed   db index       /usr/lib/sysimage/rpm/Packages.db

I had this same issue. Trying to remove and re-add the signing key had no real impact. I was able to install (upgrade) by using rpm directly:

rpm -Uvh --nosignature <rpm_package>

Yeah, I know how to bypass the signature, but I don't want to. It should validate that the package is what is expected and hasn't been tampered with. I'm at a loss for why, when I see the specific subkey in the chain, it's still saying it's not trusted.

Please run a zypper dup. There was an update for rpm. It fixes the issue.

Thank you. Ran a dup that pulled in the update for rpm. Signature is now verifying as expected.

#:~/Downloads> rpm --verbose --checksig -v google-chrome-stable_current_x86_64.rpm 
D: loading keyring from rpmdb
D: opening  db index       /usr/lib/sysimage/rpm/Packages.db mode=0x0
D: opening  db index       /usr/lib/sysimage/rpm/Index.db mode=0x0
D: opening  db index       Name tag=1000
D: opening  db index       Basenames tag=1117
D: opening  db index       Group tag=1016
D: opening  db index       Requirename tag=1049
D: opening  db index       Providename tag=1047
D: opening  db index       Conflictname tag=1054
D: opening  db index       Obsoletename tag=1090
D: opening  db index       Triggername tag=1066
D: opening  db index       Dirnames tag=1118
D: opening  db index       Installtid tag=1128
D: opening  db index       Sigmd5 tag=261
D: opening  db index       Sha1header tag=269
D: opening  db index       Filetriggername tag=5069
D: opening  db index       Transfiletriggername tag=5079
D: opening  db index       Recommendname tag=5046
D: opening  db index       Suggestname tag=5049
D: opening  db index       Supplementname tag=5052
D: opening  db index       Enhancename tag=5055
D:  read h#       1 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-39db7c82-5f68629b to keyring
D:  read h#       2 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-3dbdc284-53674dd4 to keyring
D:  read h#    2119 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-c66b6eae-4491871e to keyring
D:  read h#    2280 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-222d23d0-5910b0f0 to keyring
D:  read h#    5265 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-df7587c3-576a5c23 to keyring
D: added subkey 0 of main key gpg-pubkey-df7587c3-576a5c23 to keyring
D:  read h#    5331 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-29b700a4-62b07e22 to keyring
D:  read h#   45872 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-c8da93d2-457aded7 to keyring
D:  read h#   68160 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-db27fd5a-62589a51 to keyring
D:  read h#   75520 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-1abd1afb-450ef738 to keyring
D:  read h#   76391 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-5104960e-5bbc7d64 to keyring
D:  read h#   84094 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-3fa1d6ce-63c9481c to keyring
D:  read h#   84095 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-09d9ea69-645b99ce to keyring
D:  read h#   89279 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-7fac5991-45f06f46 to keyring
D:  read h#   89280 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 0 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 1 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 2 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 3 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 4 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 5 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 6 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
google-chrome-stable_current_x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID a6bc6e42: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID a6bc6e42: OK
    MD5 digest: OK
D: closed   db index       Enhancename
D: closed   db index       Supplementname
D: closed   db index       Suggestname
D: closed   db index       Recommendname
D: closed   db index       Transfiletriggername
D: closed   db index       Filetriggername
D: closed   db index       Sha1header
D: closed   db index       Sigmd5
D: closed   db index       Installtid
D: closed   db index       Dirnames
D: closed   db index       Triggername
D: closed   db index       Obsoletename
D: closed   db index       Conflictname
D: closed   db index       Providename
D: closed   db index       Requirename
D: closed   db index       Group
D: closed   db index       Basenames
D: closed   db index       Name
D: closed   db index       /usr/lib/sysimage/rpm/Index.db
D: closed   db index       /usr/lib/sysimage/rpm/Packages.db
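
The manual check done earlier in this thread (is the key ID that rpm names present and unexpired in the key listing?) written as a script. This is an added example, not part of any post; the inputs are constructed from output quoted above and trimmed to a few lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed inputs: a few lines trimmed from the output quoted in this thread.
RPM_OUT='error: Subkey 32ee5355a6bc6e42 of key 7721f63bd38b4796 has no valid binding signature
    Header V4 RSA/SHA512 Signature, key ID a6bc6e42: NOTTRUSTED
    Header SHA256 digest: OK'
KEY_LIST='pub   rsa4096 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
sub   rsa4096 2021-10-26 [S] [expired: 2024-10-25]
      8461EFA0E74ABAE010DE66994EB27DB2A3B88B8B
sub   rsa4096 2024-01-30 [S] [expires: 2027-01-29]
      0F06FF86BEEAF4E71866EE5232EE5355A6BC6E42'

# Key ID that rpm reports for the first signature line, lowercased.
sig_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*Signature, key ID \([0-9A-Fa-f]*\):.*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Find a key whose fingerprint ends in the given ID in `gpg --show-keys` text.
# Prints "missing", "expired <fingerprint>" or "usable <fingerprint>".
subkey_state() {
    printf '%s\n' "$2" | awk -v id="$1" '
        /^(pub|sub)/ { state = ($0 ~ /\[expired:/) ? "expired" : "usable"; next }
        /^ +[0-9A-F]+$/ {
            tail = tolower(substr($1, length($1) - length(id) + 1))
            if (tail == id) { print state, $1; found = 1; exit }
        }
        END { if (!found) print "missing" }'
}

# Combine both: which side of the check is the likely problem?
triage() {
    id=$(sig_keyid "$1")
    [ -n "$id" ] || { echo "no signature line in rpm output"; return 2; }
    state=$(subkey_state "$id" "$2")
    case "$state" in
        missing)  echo "key $id not in listing: import the publisher's current key" ;;
        expired*) echo "key $id is expired: ${state#expired }" ;;
        usable*)
            if printf '%s\n' "$1" | grep -qi "key ID $id: OK"; then
                echo "verified with $id"
            else
                echo "key $id present and unexpired but rejected: suspect the verifier, not the key"
            fi ;;
    esac
}

triage "$RPM_OUT" "$KEY_LIST"
```

Against a live system, feed it the text of `rpm --checksig -v <package>` and `gpg --show-keys <keyfile>`; the last verdict matches how this thread ended, with an rpm update rather than a key change.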
