The expired key is not listed in the output of the command, hence why I don’t think you get a warning. Doing the same command as yours in Leap 15.4 does list the expired key as
gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54
I think the reason why you don’t get a warning is because your output doesn’t list the expired key; if I do the same command, my output does list the expired key
zypper lr repo-non-oss
Alias : repo-non-oss
Name : Non-OSS Repository
URI : http://download.opensuse.org/distribution/leap/15.4/repo/non-oss/
Enabled : Yes
GPG Check : (r) Yes
Priority : 99 (default priority)
Autorefresh : On
Keep Packages : Off
Type : rpm-md
GPG Key URI :
Path Prefix :
Parent Service :
Keywords : [5]
gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54
If I delete the key through yast2 and then do the following commands, the key will get re-added; in the output below you can see the expiration date. The expiration date can also be seen in yast2 when you select an individual GPG key
zypper clean --all
zypper ref
Retrieving repository 'Update repository of openSUSE Backports' metadata ....................................................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache .........................................................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata -------------------------------------------------------------------------------------------------------------------------------------------------------------]
Note: Received 1 new package signing key from repository Non-OSS Repository:
Those additional keys are usually used to sign packages shipped by the repository. In order to
validate those packages upon download and installation the new keys will be imported into the rpm
database.
New:
Key Fingerprint: 4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
Key Name: SuSE Package Signing Key <build@suse.de>
Key Algorithm: RSA 1024
Key Created: Thu 15 Mar 2018 09:26:29 AM MDT
Key Expires: Mon 14 Mar 2022 09:26:29 AM MDT (EXPIRED)
Rpm Name: gpg-pubkey-307e3d54-5aaa90a5
The repository metadata introducing the new keys have been signed and validated by the trusted
key:
Repository: Non-OSS Repository
Key Fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Key Name: openSUSE Project Signing Key <opensuse@opensuse.org>
Key Algorithm: RSA 2048
Key Created: Mon 05 May 2014 02:37:40 AM MDT
Key Expires: Thu 02 May 2024 02:37:40 AM MDT
Rpm Name: gpg-pubkey-3dbdc284-53674dd4
Thanks for the details, I tried Yast and I saw 4 keys that are expired:
Key: 27C070176F88BB2F
- Name: KDE OBS Project <KDE@build.opensuse.org>
- Finger Print: 4E8E6DE2961F3083EAC5008627C070176F88BB2F
- Created: 2019-01-02
- Expires: 2021-03-12 (The key is expired.)
Key: 69D1B2AAEE3D166A
- Name: security OBS Project <security@build.opensuse.org>
- Finger Print: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
- Created: 2018-11-03
- Expires: 2021-01-11 (The key is expired.)
Key: 70AF9E8139DB7C82
- Name: SuSE Package Signing Key <build@suse.de>
- Finger Print: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
- Created: 2016-12-07
- Expires: 2020-12-06 (The key is expired.)
Key: 9C214D4065176565
- Name: openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
- Finger Print: 637B32FF3D83F07A7AE1C40A9C214D4065176565
- Created: 2019-10-02
- Expires: 2021-12-10 (The key is expired.)
The remainder of the keys is not expired
I did delete these keys using Yast and did run “sudo zypper ref”; that runs fine without additional messages about keys, but after that the last key in the list above (openSUSE:Backports OBS Project) is silently added again.
Tried that and “sudo zypper ref” and that once more runs fine without additional messages about keys but after that the last key.
Then tried “sudo zypper clean --all” and then zypper ref is triggering:
Retrieving repository 'repo-non-oss' metadata ----------------------------------------------------------------------------------------------------------------------------------------------------------------------/]
Note: Received 1 new package signing key from repository "repo-non-oss":
Those additional keys are usually used to sign packages shipped by the repository. In order to
validate those packages upon download and installation the new keys will be imported into the rpm
database.
New:
Key Fingerprint: FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
Key Name: SuSE Package Signing Key <build@suse.de>
Key Algorithm: RSA 2048
Key Created: Mon 21 Sep 2020 10:21:47 CEST
Key Expires: Fri 20 Sep 2024 10:21:47 CEST
Rpm Name: gpg-pubkey-39db7c82-5f68629b
The repository metadata introducing the new keys have been signed and validated by the trusted
key:
Repository: repo-non-oss
Key Fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Key Name: openSUSE Project Signing Key <opensuse@opensuse.org>
Key Algorithm: RSA 2048
Key Created: Mon 05 May 2014 10:37:40 CEST
Key Expires: Thu 02 May 2024 10:37:40 CEST
Rpm Name: gpg-pubkey-3dbdc284-53674dd4
So for me the repo-non-oss seems to be signed with the openSUSE Project Signing Key and that expires May 2024
I still have one expired key named openSUSE:Backports OBS Project but that does not trigger any warnings, not sure that makes sense to me.
Like I said, I would not worry too much about these expired keys, they are a way to make sure zypper is connecting with a computer that has the same key, did you ever verify one of these keys (using the fingerprint) against another source before trusting them? If not, it is not logical to start worrying now. Still if there is an actual problem, it is better solved.
To elaborate. RPM signature allows checking the package origin, verifying package file before installation and verifying package metadata (header) in RPM database after installation. None of these is going away after key expiration date. So what are your concerns?
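An added example, not part of any post in this thread: the "Rpm Name" lines in the zypper output above encode the last eight hex digits of the key fingerprint and, as a hex Unix time, the value zypper shows as "Key Created". The Python sketch below decodes that name and compares it with a fingerprint taken from a second source, which is the check suggested above; the function names and the ISO-formatted expiry strings are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

RPM_NAME = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")

def decode_rpm_name(rpm_name):
    """Split gpg-pubkey-<version>-<release> into (short key ID, UTC timestamp)."""
    m = RPM_NAME.match(rpm_name)
    if m is None:
        raise ValueError(f"not a gpg-pubkey package name: {rpm_name!r}")
    short_id, stamp = m.groups()
    # The release field is a hex Unix time; zypper prints it as "Key Created".
    return short_id, datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)

def check_key(reference_fpr, rpm_name, expires_iso, now):
    """Compare an rpm key package with a fingerprint obtained from a second source."""
    fpr = re.sub(r"\s+", "", reference_fpr).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fpr):
        raise ValueError("expected a 40-hex-digit fingerprint")
    short_id, created = decode_rpm_name(rpm_name)
    return {
        # Only 32 bits are in the package name, so a match is a sanity check;
        # trust still rests on comparing the full fingerprint out of band.
        "id_matches": fpr.endswith(short_id),
        "created": created,
        "expired": datetime.fromisoformat(expires_iso) <= now,
    }

# Values copied from the zypper output quoted in the thread; expiry times are
# rewritten as ISO 8601 with the UTC offset of the zone shown (MDT -06:00, CEST +02:00).
THREAD_KEYS = [
    ("4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54",
     "gpg-pubkey-307e3d54-5aaa90a5", "2022-03-14T09:26:29-06:00"),
    ("FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82",
     "gpg-pubkey-39db7c82-5f68629b", "2024-09-20T10:21:47+02:00"),
    ("22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284",
     "gpg-pubkey-3dbdc284-53674dd4", "2024-05-02T10:37:40+02:00"),
]

def audit(keys, now):
    """Return {rpm_name: check_key(...)} for every (fingerprint, name, expiry) tuple."""
    return {name: check_key(fpr, name, exp, now) for fpr, name, exp in keys}

if __name__ == "__main__":
    for name, result in audit(THREAD_KEYS, datetime.now(timezone.utc)).items():
        print(name, result)
```

The decoded timestamps agree with the "Key Created" lines in both users' output once the MDT and CEST offsets are taken into account.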