I clicked Yes and then found google-chrome-stable in Software management and tried to install it. As soon as the package was downloaded I got a popup (I have replaced the codes with **** as I don’t know if they are of any security importance):
Error: INVALID:google-chrome-stable-51.0.2704.106-1.x86_64 (Google Chrome): Signature verification failed [4-Signatures public key is not available]
Header V4 DSA/SHA1 Signature, key ID ****: NOKEY
Header SHA1 digest: OK (****)
MD5 digest: OK (****)
V4 DSA/SHA1 Signature, key ID ****: NOKEY
And then 2 new keys appeared in GPG keys in the repository manager in YaST. After that the installation was successful.
I removed the key starting with A040830… and was able to install google-chrome-stable again. (Tried the same with the other key before, but that didn’t work - again an error)
Why are there 2 keys for Google Inc? It seems one of them is useless/invalid and can be removed, but why did such a simple thing suddenly get so complicated? I never had this problem before when installing Google Chrome. (I am on a fresh new Leap system right now)
I hope someone with more experience can shed some light on this.
The first time, you agreed to the GPG key to authenticate the Repo.
The other error you’re seeing is different: it’s package code where Google properly requires authentication for a dependency (one of their own files) but doesn’t provide a key hash to compare to the dependency’s cert. So, the error you’re seeing is that although the dependency is supposed to prove it’s valid, someone didn’t provide the needed info to compare and validate.
If you understand that (or not), it should be clear that there is nothing you can do about it; it’s just a bug in the Google Chrome code, but unless you think someone is in a position to substitute a malware-infested version of the dependency, you can ignore the warning and authorize Chrome stable to be installed.
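As an added example (not code from the thread or from openSUSE), here is a small POSIX shell helper that classifies the verbose `rpm -Kv` output quoted above, so the "NOKEY" case (signing key simply not imported) is told apart from a genuinely bad signature or digest; the key IDs, digests and sample lines are constructed placeholders, not Google's real values.

```shell
# Added example (not from the thread): classify the verbose output of
# `rpm -Kv <package>.rpm`, the kind of lines quoted in the first post, so a
# script can tell "signing key not imported" (NOKEY) apart from a bad
# signature. Key IDs and digests are constructed placeholders.

# Constructed: signature present, but its key is not in the RPM keyring
# (what the thread's popup reported).
SAMPLE_NOKEY='Header V4 DSA/SHA1 Signature, key ID 0123abcd: NOKEY
Header SHA1 digest: OK (0000000000000000000000000000000000000000)
MD5 digest: OK (00000000000000000000000000000000)
V4 DSA/SHA1 Signature, key ID 0123abcd: NOKEY'

# Constructed: same package after the key was imported.
SAMPLE_OK='Header V4 DSA/SHA1 Signature, key ID 0123abcd: OK
Header SHA1 digest: OK (0000000000000000000000000000000000000000)
V4 DSA/SHA1 Signature, key ID 0123abcd: OK'

# Constructed: tampered payload, so digest and signature both fail.
SAMPLE_BAD='Header V4 DSA/SHA1 Signature, key ID 0123abcd: OK
MD5 digest: BAD
V4 DSA/SHA1 Signature, key ID 0123abcd: BAD'

# rpm_sig_status "<rpm -Kv output>" prints exactly one of:
#   bad                  a digest or signature check failed
#   missing-key <keyid>  signature present, but its public key is not imported
#   ok                   every signature line verified against an imported key
#   unsigned             no signature line at all
# Digest "OK" lines only show the file was not corrupted in transit; origin
# is proven only by a signature that verifies against an imported key.
rpm_sig_status() {
    out=$1
    if printf '%s\n' "$out" | grep -qE ': (BAD|NOTOK)'; then
        echo bad; return 0
    fi
    keyid=$(printf '%s\n' "$out" \
        | sed -n 's/.*Signature, key ID \([0-9A-Fa-f]*\): NOKEY$/\1/p' | head -n 1)
    if [ -n "$keyid" ]; then
        echo "missing-key $keyid"; return 0
    fi
    if printf '%s\n' "$out" | grep -qE 'Signature, key ID [0-9A-Fa-f]+: OK$'; then
        echo ok; return 0
    fi
    echo unsigned
}

# On a real system, list the keys rpm already trusts before importing one
# (the two "Google, Inc." entries from the thread appear here); %{VERSION}
# is the short key ID, the same 8 hex digits rpm -Kv prints after "key ID":
#   rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n'
```

A "missing-key" result is resolved by importing the repository's published key (`rpm --import`), never by skipping the check; a "bad" result means the file should not be installed at all.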
It doesn’t look like an error in the code but a problem with the downloading of the package. As I explained, I could install it successfully. It is just this whole thing with the double keys that is confusing me. I don’t know how exactly this package signing works.
It is an error in RPM code, or more pointedly in the credential used by the RPM code. AFAIK there is no problem with the app program code. But in any case the problem is on Google, not openSUSE.
From what I’ve seen, it’s clearly a dependency validation and not the package itself or the repo… When you install the package, it will start and hang only in the middle of the install (not in the beginning).
Since the install allows you to continue without the hash check and the chances that someone would be able to exploit the failed check are very minimal (requires very special circumstances), IMO it’s fairly safe to continue installing.