Do I have 'ghost' repo keys?

I recently did a fresh install of Leap 42.1. I have added only three non-standard repos: Packman, KDE:Extra, and home:ecsos:

me@linux-pvlm:~> zypper lr -d
#  | Alias                               | Name                                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                       | Service
---+-------------------------------------+-----------------------------------------+---------+-----------+---------+----------+--------+---------------------------------------------------------------------------+--------
 1 | download.opensuse.org-non-oss       | Main Repository (NON-OSS)               | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/non-oss/         |        
 2 | download.opensuse.org-non-oss_1     | Update Repository (Non-Oss)             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/non-oss/                    |        
 3 | download.opensuse.org-oss           | Main Repository (OSS)                   | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/oss/             |        
 4 | download.opensuse.org-oss_1         | Main Update Repository                  | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/oss                         |        
 5 | ftp.gwdg.de-suse                    | Packman Repository                      | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://ftp.gwdg.de/pub/linux/packman/suse/openSUSE_Leap_42.1/             |        
 6 | http-download.opensuse.org-756b260e | home:ecsos                              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/ |        
 7 | http-download.opensuse.org-d2043906 | KDE:Extra                               | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.1/  |        
 8 | openSUSE-42.1-0                     | openSUSE-42.1-0                         | Yes     | (r ) Yes  | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-PLDS_DVD-ROM_DH-16D5S                  |        
 9 | repo-debug                          | openSUSE-Leap-42.1-Debug                | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/oss/       |        
10 | repo-debug-non-oss                  | openSUSE-Leap-42.1-Debug-Non-Oss        | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/non-oss/   |        
11 | repo-debug-update                   | openSUSE-Leap-42.1-Update-Debug         | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/oss                   |        
12 | repo-debug-update-non-oss           | openSUSE-Leap-42.1-Update-Debug-Non-Oss | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/non-oss/              |                                                                    
13 | repo-source                         | openSUSE-Leap-42.1-Source               | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/leap/42.1/repo/oss/      |                                                                    
14 | repo-update                         | openSUSE-Leap-42.1-Update               | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/oss/                        |                                                                    

I have no issue with the Packman repo key, but, almost daily, I have to refresh either KDE:Extra or home:ecsos for Software Updates to work.

Even though I have chosen to import the untrusted keys, neither of them shows up in the Yast Software Repositories’ GPG Keys window. The only ones listed are:
openSUSE Project Signing Key <opensuse@opensuse.org>; Finger Print: 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
PackMan Project (signing key) <packman@links2linux.de>; Finger Print: F8875B880D518B6B8C530D1345A1D0671ABD1AFB

I don’t know if this is caused by:

  1. a problem with the integrity of my local repository management, or
  2. the fact that the KDE:Extra and home:ecsos repository key files are modified (though the key is not changed) almost daily:
    http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.1/repodata/
    http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/repodata/

Or something else.

What can I do so that I do not have to constantly refresh these repos?

Exactly what do you mean with “refresh” ??

You have set the refresh flag on the repos so they will be refreshed when you update. So not clear what you are refreshing :stuck_out_tongue:

I am having to manually refresh the ‘troubled’ repositories.

When Software Updates (in the system tray) runs, it gives me an error saying that there is an untrusted key and therefore no update is executed. I have to go in to Yast -> Software Repositories, highlight the repo (KDE:Extra or home:ecsos) and click Refresh Selected from the Refresh drop-down menu.

After doing that, the key does not appear in the list of keys in the “GPG Keys…” dialog, but an update will then execute with no errors. I have to keep doing this manual refresh almost daily.

Does that explain it better?

You did not explain that in your first post. You apparently thought that “everybody” will do the same thing the same way as you do them. This is not the case.

When Software Updates (in the system tray) runs, it gives me an error saying that there is an untrusted key and therefore no update is executed.

Open a Konsole/Terminal, switch to root and than run:

zypper up

Maybe you can than trust the Keys from the Repos.

Or post the complete Output from Konsole her in Code-Tags.

Sounds like for some reason at least one of your repos is mis-configured and even when you are challenged for its GPG keys and you accept, it’s accepted only for that one time instead of the option “always.” You probably have seen this when you updated manually but chose the wrong option.

In any case, I’m guessing (because your problem is rather unique, most people choose the right option), running the following command should fix your problem completely

zypper --gpg-auto-import-keys ref

The above fixes all your repos, after that any time your system invokes patches or updates you shouldn’t be bothered about gpg keys (until you add a new repo).

TSU

@hcvv, I did say, “I have to refresh either KDE:Extra or home:ecsos for Software Updates to work.” [emphasis added] I thought that made it clear since I do not know what other name to use to refer to the system tray Software Updates. My mistake.

@Sauerland, it doesn’t seem to matter if I use Yast or “zypper up” to trust the keys. The issue remains. I have even removed and re-added the repos, and that didn’t fix it.

@tsu2, whenever I used “zypper up”, I chose to trust the keys “always”. I thought that was the right option.

Following your advice:

me@linux-pvlm:/etc/zypp/repos.d> sudo zypper --gpg-auto-import-keys ref
root's password:
Repository 'Main Repository (NON-OSS)' is up to date.                                                                                       
Repository 'Update Repository (Non-Oss)' is up to date.                                                                                     
Repository 'Main Repository (OSS)' is up to date.                                                                                           
Repository 'Main Update Repository' is up to date.                                                                                          
Repository 'Packman Repository' is up to date.                                                                                              
Repository 'KDE:Extra' is up to date.                                                                                                       
Repository 'openSUSE-42.1-0' is up to date.                                                                                                 
Repository 'openSUSE-Leap-42.1-Update' is up to date.                                                                                       
All repositories have been refreshed.                                                                                                       

The relevant keys do not appear to have been refreshed (home:ecsos & KDE:Extra, respectively):

me@linux-pvlm:/var/cache/zypp/raw/http-download.opensuse.org-756b260e/repodata> ll
total 316
-rw-r--r-- 1 root root  33451 Dec 26 02:58 13b0613f5c31db13ccd02252608c9b9f5866b289a92432adcee0cf5ae0b38bc9-appdata.xml.gz
-rw-r--r-- 1 root root  41906 Dec 29 00:33 d48d8adde88049e3ba7ef3d21167c19ecba2fa219413f23eb461727f08096218-app-icons.tar.gz
-rw-r--r-- 1 root root 225307 Dec 29 00:33 df382dd957f6feba4b1083837262068872bfb84c1b459ccdc9b6f7f3cb4c58f5-primary.xml.gz
-rw-r--r-- 1 root root   2441 Dec 30 12:41 repomd.xml
-rw-r--r-- 1 root root    189 Dec 29 00:33 repomd.xml.asc
-rw-r--r-- 1 root root    999 Dec 29 00:33 repomd.xml.key

me@linux-pvlm:/var/cache/zypp/raw/http-download.opensuse.org-d2043906/repodata> ll
total 760
-rw-r--r-- 1 root root 422147 Dec 30 12:42 4e3913693b90d1082b241a2cffa8134db57a53351e11f0b2a540962bb6b31aa8-primary.xml.gz
-rw-r--r-- 1 root root 133741 Dec 30 12:42 e1e98e770392fb555f1deca9822030e3c1ace0f83ac609a4a3e4e630b6cc0507-app-icons.tar.gz
-rw-r--r-- 1 root root 201175 Dec 27 10:34 ff5bf2144d08ba74f42d82cace81392ccb671db50afcb35cec1238ed02ad75e9-appdata.xml.gz
-rw-r--r-- 1 root root   2444 Dec 31 10:36 repomd.xml
-rw-r--r-- 1 root root    481 Dec 30 12:41 repomd.xml.asc
-rw-r--r-- 1 root root   1089 Dec 30 12:41 repomd.xml.key

And, they still do not show up in Yast → Software Repositories → GPG Keys. But the timestamps of the repository definition (*.repo) files in /etc/zypp/repos.d were updated.

Then, while I was still trying to sort this out and determine what more info I might be able to provide, Software Updates triggered/launched and again told me, “A security trust relationship is not present…”

Running “zypper up” shows that the key for home:ecsos needs to be trusted, again. And, looking at the repository Index at http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/repodata/ shows that the key files have been modified today.

Does zypper use the “Last modified” timestamp of the key files to determine if a key needs to be re-trusted?

Maybe the following info can help (paying attention to http-download.opensuse.org-756b260e).

linux-pvlm:/var/cache/zypp/raw # ll
total 0
drwxr-xr-x 1 root root 236 Dec 14 12:10 download.opensuse.org-non-oss
drwxr-xr-x 1 root root  44 Dec 30 09:53 download.opensuse.org-non-oss_1
drwxr-xr-x 1 root root 264 Dec 14 12:10 download.opensuse.org-oss
drwxr-xr-x 1 root root  44 Dec 30 14:52 download.opensuse.org-oss_1
drwxr-xr-x 1 root root  44 Dec 31 09:58 ftp.gwdg.de-suse
drwxr-xr-x 1 root root  44 Dec 29 00:33 http-download.opensuse.org-756b260e
drwxr-xr-x 1 root root  44 Dec 30 12:42 http-download.opensuse.org-d2043906
drwxr-xr-x 1 root root 264 Dec 14 07:09 openSUSE-42.1-0
drwxr-xr-x 1 root root  44 Dec 30 14:53 repo-update
linux-pvlm:/var/cache/zypp/raw # ll http-download.opensuse.org-756b260e/repodata
total 316
-rw-r--r-- 1 root root  33451 Dec 26 02:58 13b0613f5c31db13ccd02252608c9b9f5866b289a92432adcee0cf5ae0b38bc9-appdata.xml.gz
-rw-r--r-- 1 root root  41906 Dec 29 00:33 d48d8adde88049e3ba7ef3d21167c19ecba2fa219413f23eb461727f08096218-app-icons.tar.gz
-rw-r--r-- 1 root root 225307 Dec 29 00:33 df382dd957f6feba4b1083837262068872bfb84c1b459ccdc9b6f7f3cb4c58f5-primary.xml.gz
-rw-r--r-- 1 root root   2441 Dec 30 12:41 repomd.xml
-rw-r--r-- 1 root root    189 Dec 29 00:33 repomd.xml.asc
-rw-r--r-- 1 root root    999 Dec 29 00:33 repomd.xml.key
linux-pvlm:/var/cache/zypp/raw # zypper up
Retrieving repository 'home:ecsos' metadata ---------------------------------------------------------------------------------------------\]

New repository or package signing key received:

  Repository:       home:ecsos                                            
  Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
  Key Fingerprint:  4A0AD3A4 6EF60FC4 F263D732 9DF60496 523F2A20          
  Key Created:      Mon 21 Dec 2015 03:15:09 PM EST                       
  Key Expires:      Wed 28 Feb 2018 03:15:09 PM EST                       
  Rpm Name:         gpg-pubkey-523f2a20-56785dcd                          


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r):

Then from a different terminal window:

linux-pvlm:/var/cache/zypp/raw # ll
total 0
drwxr-xr-x 1 root root 236 Dec 14 12:10 download.opensuse.org-non-oss
drwxr-xr-x 1 root root  44 Dec 30 09:53 download.opensuse.org-non-oss_1
drwxr-xr-x 1 root root 264 Dec 14 12:10 download.opensuse.org-oss
drwxr-xr-x 1 root root  44 Dec 30 14:52 download.opensuse.org-oss_1
drwxr-xr-x 1 root root  44 Dec 31 09:58 ftp.gwdg.de-suse
drwxr-xr-x 1 root root  44 Dec 29 00:33 http-download.opensuse.org-756b260e
drwxr-xr-x 1 root root  16 Dec 31 11:48 http-download.opensuse.org-756b260eBnoEJv
drwxr-xr-x 1 root root  44 Dec 30 12:42 http-download.opensuse.org-d2043906
drwxr-xr-x 1 root root 264 Dec 14 07:09 openSUSE-42.1-0
drwxr-xr-x 1 root root  44 Dec 30 14:53 repo-update
linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260e/repodata/repomd.xml.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQGiBE49jDERBACkgPh1Nk+3nxaBIZejJYwu05DwiJWxHE9wH1xy66ZWw20D8qv1
S6GU6IzWp9m12p+IH7LkCRuf7E4nR3jLNuULoS6OACqmE0EeVg1De1TxALInUrca
PdTOTs8240kvrtGhlafxCaFM00sSnXuQ0fdnq2WHaJ1p/QcSzJgUAaZvzwCg7E8f
OkMTx1MnfFIjXVVfFFDgm8cD/1Fpi0ARSAkVuGc3RijUI/sRPKCypHyIspIGHRyg
p3v45GUGszM2+ySOHfT/jgV4zzui3J9+cPjMrkO3p80WHrip7EQnqW5I2A3khRRX
zvppDrSfx5GGdC6Uc4lyq8vTE2SNgNWhNET0qtXCcYBcVP+bBloHZ5L0lWJvb81c
EfKYA/4zX3MWdsc6iP6PWNCx76+Yx44Mv4Gk4uugoKrOg491y92bEWNuJGZ70YXu
ex8K/G1BC7koSzLpKTFfbaCKqow0Kcof44tBO4BkZoGXasXeHUBG2dy8V6ajkzcu
p1cXXSHvIZD4r9UTvIjBbYnsKMbWVfyBGm1PwBvniwSjWLUaqbQ2aG9tZTplY3Nv
cyBPQlMgUHJvamVjdCA8aG9tZTplY3Nvc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
ExECACYFAlZ4Xc0CGwMFCQxZgZwGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCd
9gSWUj8qIMQJAKDi121hhq3+pAJgUdu8w7sfIPNQ+QCfWxwg7d+SdhkvV1jbM+E1
c739edGIRgQTEQIABgUCTj2MMQAKCRA7MBG3a51lI458AJ0aR6KhO3DNbvDl71+w
rl1a9kVd4wCfZBpA4dvtl1N2lx0ah/AvK4W/OBs=
=tHHy
-----END PGP PUBLIC KEY BLOCK-----
linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260eBnoEJv/repodata/repomd.xml.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)

mQGiBE49jDERBACkgPh1Nk+3nxaBIZejJYwu05DwiJWxHE9wH1xy66ZWw20D8qv1
S6GU6IzWp9m12p+IH7LkCRuf7E4nR3jLNuULoS6OACqmE0EeVg1De1TxALInUrca
PdTOTs8240kvrtGhlafxCaFM00sSnXuQ0fdnq2WHaJ1p/QcSzJgUAaZvzwCg7E8f
OkMTx1MnfFIjXVVfFFDgm8cD/1Fpi0ARSAkVuGc3RijUI/sRPKCypHyIspIGHRyg
p3v45GUGszM2+ySOHfT/jgV4zzui3J9+cPjMrkO3p80WHrip7EQnqW5I2A3khRRX
zvppDrSfx5GGdC6Uc4lyq8vTE2SNgNWhNET0qtXCcYBcVP+bBloHZ5L0lWJvb81c
EfKYA/4zX3MWdsc6iP6PWNCx76+Yx44Mv4Gk4uugoKrOg491y92bEWNuJGZ70YXu
ex8K/G1BC7koSzLpKTFfbaCKqow0Kcof44tBO4BkZoGXasXeHUBG2dy8V6ajkzcu
p1cXXSHvIZD4r9UTvIjBbYnsKMbWVfyBGm1PwBvniwSjWLUaqbQ2aG9tZTplY3Nv
cyBPQlMgUHJvamVjdCA8aG9tZTplY3Nvc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
ExECACYFAlZ4Xc0CGwMFCQxZgZwGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCd
9gSWUj8qIMQJAKDi121hhq3+pAJgUdu8w7sfIPNQ+QCfWxwg7d+SdhkvV1jbM+E1
c739edGIRgQTEQIABgUCTj2MMQAKCRA7MBG3a51lI458AJ0aR6KhO3DNbvDl71+w
rl1a9kVd4wCfZBpA4dvtl1N2lx0ah/AvK4W/OBs=
=tHHy
-----END PGP PUBLIC KEY BLOCK-----

The key itself has not changed. But the ASC file (whatever that is exactly) has:

linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260e/repodata/repomd.xml.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQBYZColnfYEllI/KiARAhv6AKC+kl863POeHbb4TMyF+8kfGZj/JQCbB1Mv
lMsJRPow8mcyJxOTNMW1Iiw=
=3+Fn
-----END PGP SIGNATURE-----
linux-pvlm:/var/cache/zypp/raw # cat http-download.opensuse.org-756b260eBnoEJv/repodata/repomd.xml.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQBYZ27TnfYEllI/KiARAggTAJ0THMfclgGNxHaaz9CZAg2+IjKSbgCfTfDN
VmcNAtpQ4mEQjo+7ZIV2apI=
=6cZ8
-----END PGP SIGNATURE-----

I don’t understand why the ASC file would have changed if the key didn’t. And, is that why I have to keep re-trusting the key even though I have chosen to “always” trust it?

As root (not sudo)

zypper clean -a && zypper ref

What’s the difference?

Well, many people when reading the generic English language “Software Updates” term will think things like zypper up or the YaST equivalent (specially those who haven’t the applet on their desktop). The meaning of my post is to spread that one should (not only) use generic terms, but at least tell/show exactly in technical terms what was done. Not only in this case, but in general. Will avoid a lot of confusion.

In any case, enjoy the new year.

@ Sauerland, following your advice:

linux-pvlm:/home/terry # zypper clean -a && zypper ref
All repositories have been cleaned up.
Retrieving repository 'Main Repository (NON-OSS)' metadata ...........................................................................[done]
Building repository 'Main Repository (NON-OSS)' cache ................................................................................[done]
Retrieving repository 'Update Repository (Non-Oss)' metadata .........................................................................[done]
Building repository 'Update Repository (Non-Oss)' cache ..............................................................................[done]
Retrieving repository 'Main Repository (OSS)' metadata ...............................................................................[done]
Building repository 'Main Repository (OSS)' cache ....................................................................................[done]
Retrieving repository 'Main Update Repository' metadata ..............................................................................[done]
Building repository 'Main Update Repository' cache ...................................................................................[done]
Retrieving repository 'Packman Repository' metadata ..................................................................................[done]
Building repository 'Packman Repository' cache .......................................................................................[done]
Retrieving repository 'home:ecsos' metadata ---------------------------------------------------------------------------------------------/]

New repository or package signing key received:

  Repository:       home:ecsos                                            
  Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
  Key Fingerprint:  4A0AD3A4 6EF60FC4 F263D732 9DF60496 523F2A20          
  Key Created:      Mon 21 Dec 2015 03:15:09 PM EST                       
  Key Expires:      Wed 28 Feb 2018 03:15:09 PM EST                       
  Rpm Name:         gpg-pubkey-523f2a20-56785dcd                          


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): a
Retrieving repository 'home:ecsos' metadata ..........................................................................................[done]
Building repository 'home:ecsos' cache ...............................................................................................[done]
Retrieving repository 'KDE:Extra' metadata ----------------------------------------------------------------------------------------------|]

New repository or package signing key received:                                                                                             
                                                                                                                                            
  Repository:       KDE:Extra                                                                                                               
  Key Name:         KDE:Extra OBS Project <KDE:Extra@build.opensuse.org>                                                                    
  Key Fingerprint:  1A04160E 8C77D8FE 43CA364B 20F8C4F4 0D210A40                                                                            
  Key Created:      Thu 27 Oct 2016 03:38:47 PM EDT                                                                                         
  Key Expires:      Sat 05 Jan 2019 02:38:46 PM EST                                                                                         
  Rpm Name:         gpg-pubkey-0d210a40-581257c7                                                                                            
                                                                                                                                            
                                                                                                                                            
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): a                                       
Retrieving repository 'KDE:Extra' metadata ...........................................................................................[done]
Building repository 'KDE:Extra' cache ................................................................................................[done]
Repository 'openSUSE-42.1-0' is up to date.                                                                                                 
Building repository 'openSUSE-42.1-0' cache ..........................................................................................[done]
Retrieving repository 'openSUSE-Leap-42.1-Update' metadata ...........................................................................[done]
Building repository 'openSUSE-Leap-42.1-Update' cache ................................................................................[done]
All repositories have been refreshed.

It appears that all (but one) key directories have been updated:

linux-pvlm:/home/terry # ll /var/cache/zypp/raw
total 0                                                                                                                                     
drwxr-xr-x 1 root root 236 Dec 31 14:20 download.opensuse.org-non-oss                                                                       
drwxr-xr-x 1 root root  44 Dec 31 14:20 download.opensuse.org-non-oss_1                                                                     
drwxr-xr-x 1 root root 264 Dec 31 14:20 download.opensuse.org-oss                                                                           
drwxr-xr-x 1 root root  44 Dec 31 14:21 download.opensuse.org-oss_1                                                                         
drwxr-xr-x 1 root root  44 Dec 31 14:21 ftp.gwdg.de-suse                                                                                    
drwxr-xr-x 1 root root  44 Dec 31 14:22 http-download.opensuse.org-756b260e                                                                 
drwxr-xr-x 1 root root  44 Dec 31 14:22 http-download.opensuse.org-d2043906                                                                 
drwxr-xr-x 1 root root 264 Dec 14 07:09 openSUSE-42.1-0                                                                                     
drwxr-xr-x 1 root root  44 Dec 31 14:22 repo-update

But the two ‘troubled’ keys still do not show in Yast -> Software Repositories -> GPG Keys.

I manually forced the Software Updates to Check For Updates, and there were no errors. Unless there is something else I should do in the meantime, I will wait and see if this fixed the issue going forward. I’ll report back.

Well “zypper clean -a && zypper ref” (as root) didn’t fix it. The Software Updates applet is again telling me, “A security trust relationship is not present…” And, “zypper up” shows that again the home:ecsos repository signing key is new.

linux-pvlm:~ # zypper up
Retrieving repository 'home:ecsos' metadata ---------------------------------------------------------------------------------------------\]

New repository or package signing key received:

  Repository:       home:ecsos                                            
  Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
  Key Fingerprint:  4A0AD3A4 6EF60FC4 F263D732 9DF60496 523F2A20          
  Key Created:      Mon 21 Dec 2015 03:15:09 PM EST                       
  Key Expires:      Wed 28 Feb 2018 03:15:09 PM EST                       
  Rpm Name:         gpg-pubkey-523f2a20-56785dcd                          

A look at http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/repodata/ shows that the timestamps of the key files have again been modified. The content of the key itself (repomd.xml.key) has not changed, but the content of repomd.xml and repomd.xml.asc have.

Why would these files, especially the signature file (ASC), be changing almost daily? Is that the problem?

Should I try manually importing the key into Yast -> Software Repositories -> GPG Keys? If so, which file should I use (ie. KEY or ASC)?

Just a thought.

As this seems to be peculiar to the ecsos home repo, try to contact the owner to ask what he is doing?

Okay. How? How does one find the contact point for a repository’s owner?

Well, I do not use home repos, nor did I ever feel an urge to contact anybody there. But with some fantasy and a bit of adventurous exploration …

As your post somewhere says:

<home:ecsos@build.opensuse.org>

I used my browser to visit build.opensuse.org
In the Search field I searched for ecsos.
In the project I tried the link Users and landed at Eric Schira.
Now over to you. Maybe you have to login there. Try the same username/password as you use here.

Yes, I had already engaged in a bit of that. I took a different route than you, starting at software.opensuse.org. But, I ended up at, I assume, the same page as you:
Profile of ecsos - openSUSE Build Service

I saw no contact point there, and so I went ahead and asked here.

I think the important tip is, yes, you can and do have to log in. I found it surprising since I don’t participate in any Build projects, but your forum username and password work there as well.

Once I logged in, and email address appeared. I have sent him a message. We’ll see.

Thank you.

openSUSE has a central log in facility. The same works for e.g.
https://bugzilla.opensuse.org/index.cgi
https://features.opensuse.org/

Often even without you having to log in on them when you are already loged in in the forums. :wink:

Well I got a response from the owner of the ‘home:ecsos’ repository. He stated that, if I understand correctly, he has no control over the modification of the files in the repository’s repodata directory and does not experience any problem with the repo. And, he suggested basically the same as has been advised here: “zypper up” with accept the key “always”.

So, since it bothered me that the keys for both ‘KDE:Extra’ and ‘home:ecsos’ do not get listed in the Yast -> Repository Management -> GPG Keys dialog, I did some further research.

According to https://forums.opensuse.org/showthread.php/512615-How-do-I-un-trust-a-repo , to un-trust a repository’s key, one must delete it from the rpm db. So, conversely, that should mean that when a key is trusted, it is added to the rpm db. Correct?

Well, when I trust these two relevant keys “always”, they are not getting added to the rpm db.

linux-pvlm:/var/cache/zypp/raw # rpm -q gpg-pubkey
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

Using a script I found linked at https://forums.opensuse.org/showthread.php/498433-Where-does-zypper-install-the-repository-or-package-signing-keys , I have determined that the above keys in the rpm db belong to ‘openSUSE Project’ and ‘Packman Project’, respectively. And, I have no problem whatsoever with these two repos.

So then I cleaned the ‘KDE:Extra’ and ‘home:ecsos’ repositories to force the “trust” question:

linux-pvlm:/var/cache/zypp/raw # zypper clean -a 6 7
Specified repositories have been cleaned up.
linux-pvlm:/var/cache/zypp/raw # zypper lr -d
#  | Alias                               | Name                                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                       | Service
---+-------------------------------------+-----------------------------------------+---------+-----------+---------+----------+--------+---------------------------------------------------------------------------+--------
 1 | download.opensuse.org-non-oss       | Main Repository (NON-OSS)               | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/non-oss/         |        
 2 | download.opensuse.org-non-oss_1     | Update Repository (Non-Oss)             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/non-oss/                    |        
 3 | download.opensuse.org-oss           | Main Repository (OSS)                   | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/leap/42.1/repo/oss/             |        
 4 | download.opensuse.org-oss_1         | Main Update Repository                  | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.1/oss                         |        
 5 | ftp.gwdg.de-suse                    | Packman Repository                      | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://ftp.gwdg.de/pub/linux/packman/suse/openSUSE_Leap_42.1/             |        
 6 | http-download.opensuse.org-3d59838f | home:ecsos                              | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/home:/ecsos/openSUSE_Leap_42.1/ |        
 7 | http-download.opensuse.org-fdb1b215 | KDE:Extra                               | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.1/  |        
 8 | openSUSE-42.1-0                     | openSUSE-42.1-0                         | Yes     | (r ) Yes  | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-PLDS_DVD-ROM_DH-16D5S                  |        
 9 | repo-debug                          | openSUSE-Leap-42.1-Debug                | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/oss/       |        
10 | repo-debug-non-oss                  | openSUSE-Leap-42.1-Debug-Non-Oss        | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/42.1/repo/non-oss/   |        
11 | repo-debug-update                   | openSUSE-Leap-42.1-Update-Debug         | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/oss                   |        
12 | repo-debug-update-non-oss           | openSUSE-Leap-42.1-Update-Debug-Non-Oss | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/leap/42.1/non-oss/              |        
13 | repo-source                         | openSUSE-Leap-42.1-Source               | No      | ----      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/leap/42.1/repo/oss/      |        

Then refreshed them:

linux-pvlm:/var/cache/zypp/raw # zypper ref 6 7
Retrieving repository 'home:ecsos' metadata ---------------------------------------------------------------------------------------------\]

New repository or package signing key received:

  Repository:       home:ecsos                                            
  Key Name:         home:ecsos OBS Project <home:ecsos@build.opensuse.org>
  Key Fingerprint:  4A0AD3A4 6EF60FC4 F263D732 9DF60496 523F2A20          
  Key Created:      Mon 21 Dec 2015 03:15:09 PM EST                       
  Key Expires:      Wed 28 Feb 2018 03:15:09 PM EST                       
  Rpm Name:         gpg-pubkey-523f2a20-56785dcd                          


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): a
Retrieving repository 'home:ecsos' metadata ..........................................................................................[done]
Building repository 'home:ecsos' cache ...............................................................................................[done]
Retrieving repository 'KDE:Extra' metadata ----------------------------------------------------------------------------------------------/]

New repository or package signing key received:

  Repository:       KDE:Extra                                           
  Key Name:         KDE:Extra OBS Project <KDE:Extra@build.opensuse.org>
  Key Fingerprint:  1A04160E 8C77D8FE 43CA364B 20F8C4F4 0D210A40        
  Key Created:      Thu 27 Oct 2016 03:38:47 PM EDT                     
  Key Expires:      Sat 05 Jan 2019 02:38:46 PM EST                     
  Rpm Name:         gpg-pubkey-0d210a40-581257c7                        


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): a
Retrieving repository 'KDE:Extra' metadata ...........................................................................................[done]
Building repository 'KDE:Extra' cache ................................................................................................[done]
Specified repositories have been refreshed.

Yet they still have not been added to the rpm db:

linux-pvlm:/var/cache/zypp/raw # rpm -q gpg-pubkey
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

They should be there, shouldn’t they? Or have I been spinning my wheels on something that has no bearing on the issue?

And the winner is … #1.

The RPM database was corrupted.

For anyone else experiencing this, here’s what I did.

After rebuilding the RPM DB with “rpmdb --rebuilddb”, quite a few duplicate gpg-pubkeys showed up:

linux-pvlm:/ # rpmdb --rebuilddb
linux-pvlm:/ # rpm -q gpg-pubkey
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-17280ddf-5656e0be
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-523f2a20-56785dcd
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-3dbdc284-53674dd4                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-17280ddf-5656e0be                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-0d210a40-581257c6                                                                                                                
gpg-pubkey-17280ddf-5656e0be                                                                                                                
gpg-pubkey-6867f5be-4d77cecd                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                
gpg-pubkey-523f2a20-56785dcd                                                                                                                

I removed all the duplicates with “rpm -e --allmatches [dup-gpg-key]”. This left me with two, unique gpg-pubkeys; the keys for the repos which had no issues.

Then (as root), “zypper clean --all” followed by “zypper --gpg-auto-import-keys ref” left me with four unique gpg-pubkeys in the RPM DB as there should be. And those four keys also properly show up in Yast -> Software Repositories -> GPG Keys.

Updates now work as they should.