Expired suse package signing key for non-oss repo

English Install/Boot/Login
#1

Key: E3A5C360307E3D54
Name: SuSe Package Signing Key <build@suse.de>
Created: 03/15/2018
Expires: 03/14/2022 (The key is expired)

If I delete the key from yast2 and do a zypper ref the key gets readded as part of the non-oss repo

Is there any concerns with having this expired key? Any idea when a new one will be issued?

#2

Not a big risk to me to trust such an expired key.

I have repo-non-oss enabled in Tumbleweed and did just an update and did not see an warning on this.

> sudo zypper lr repo-non-oss
Alias : download.opensuse.org-non-oss
Name : repo-non-oss
URI : http://download.opensuse.org/tumbleweed/repo/non-oss/
Enabled : Yes
GPG Check : (r ) Yes
Priority : 99 (default priority)
Autorefresh : On
Keep Packages : Off
Type : rpm-md
GPG Key URI :
Path Prefix : /
Parent Service :
Keywords : [4]
gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4
gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82
gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284
pool
Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo
MD Cache Path : /var/cache/zypp/raw/download.opensuse.org-non-oss

#3

I found list, export and remove RPM GPG keys and after adding patching the script ($linux is nowadays opensuse) I could dump the key:


Name        : gpg-pubkey 
Version     : 29b700a4 
Release     : 62b07e22 
Architecture: (none) 
Install Date: Sat 03 Sep 2022 12:18:47 CEST 
Group       : Public Keys 
Size        : 0 
License     : pubkey 
Signature   : (none) 
Source RPM  : (none) 
Build Date  : Mon 20 Jun 2022 16:03:14 CEST 
Build Host  : localhost 
Packager    : openSUSE Project Signing Key <opensuse@opensuse.org> 
Summary     : openSUSE Project Signing Key <opensuse@opensuse.org> public key 
Description : 
-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: rpm-4.17.1 (NSS-3) 

mQINBGKwfiIBEADe9bKROWax5CI83KUly/ZRDtiCbiSnvWfBK1deAttV+qLTZ006 
090eQCOlMtcjhNe641Ahi/SwMsBLNMNich7/ddgNDJ99H8Oen6mBze00Z0Nlg2HZ 
VZibSFRYvg+tdivu83a1A1Z5U10Fovwc2awCVWs3i6/XrpXiKZP5/Pi3RV2K7VcG 
rt+TUQ3ygiCh1FhKnBfIGS+UMhHwdLUAQ5cB+7eAgba5kSvlWKRymLzgAPVkB/NJ 
uqjz+yPZ9LtJZXHYrjq9yaEy0J80Mn9uTmVggZqdTPWx5CnIWv7Y3fnWbkL/uhTR 
uDmNfy7a0ULB3qjJXMAnjLE/Oi14UE28XfMtlEmEEeYhtlPlH7hvFDgirRHN6kss 
BvOpT+UikqFhJ+IsarAqnnrEbD2nO7Jnt6wnYf9QWPnl93h2e0/qi4JqT9zw93zs 
fDENY/yhTuqqvgN6dqaD2ABBNeQENII+VpqjzmnEl8TePPCOb+pELQ7uk6j4D0j7 
slQjdns/wUHg8bGE3uMFcZFkokPv6Cw6Aby1ijqBe+qYB9ay7nki44OoOsJvirxv 
p00MRgsm+C8he+B8QDZNBWYiPkhHZBFi5GQSUY04FimR2BpudV9rJqbKP0UezEpc 
m3tmqLuIc9YCxqMt40tbQOUVSrtFcYlltJ/yTVxu3plUpwtJGQavCJM7RQARAQAB 
tDRvcGVuU1VTRSBQcm9qZWN0IFNpZ25pbmcgS2V5IDxvcGVuc3VzZUBvcGVuc3Vz 
ZS5vcmc+iQI+BBMBAgAoBQJisH4iAhsDBQkHhM4ABgsJCAcDAgYVCAIJCgsEFgID 
AQIeAQIXgAAKCRA1ovhuKbcApKRrEACJMhZhsPJBOkYmANvH5mqlk27brA3IZoM4 
8qTzERebzKa0ZH1fgRI/3DhrfBYL0M5XOb3+26Ize0pujyJQs61Nlo1ibtQqCoyu 
dvP/pmY1/Vr374wlMFBuCfAjdad4YXkbe7q7GGjo6cF89qtBfTqEtaRrfDgtPLx/ 
s9/WXLGo0XYqCCSPVoU66jQYNcCt3pH+hqytvntXJDhU+DveOnQCOSBBHhCMST3E 
QvriN/GnHf+sO19UmPpyHH0TM5Ru4vDrgzKYKT/CzbllfaJSk9cEuTY8Sv1sP/7B 
Z7YvOE0soIgM1sVg0u3R/2ROx0MKoLcq7EtLw64eE+wnw9bHYZQNmS+J/18p7Bo8 
I7e+8WRi+m/pus5FEWsIH1uhxKLgJGFDTHHGZtW+myjnUzXVIkpJGrKoolzYjHdK 
lRYM2fVuNI1eq6CZ6PFXg2UxovVczSnGMO33HZE09vpgkRDBrw1vF0o/Wnm02kig 
V6xYHk5wJx8vL74wPvCbw73UNT9OSdxYAz7JPqGOD6cpKe7XcAH2sYmlGpggAIUz 
Rq/lROEF5lx4SxB838JU4ezxD++BJXfBTE8JZmlGscXv74y9nCtSOZza8KOKj8ou 
WRl739FMnx9jRd7HHj3TIyymoveODnZ7f3IElyyFsjBW3XuQ9XfpZrIkwHuaZV5M 
6q2h+hgWNQ== 
=nMh8 
-----END PGP PUBLIC KEY BLOCK----- 

Distribution: (none)

I do not see a expatriation date…

#4

The expired key is not listed in the output of the command, hence why I don’t think you get a warning, doing the same command as yours in Leap 15.4 does listed the expired key as
gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54

#5 
bor@10:~> rpm -qi gpg-pubkey-307e3d54-5aaa90a5 | gpg --show-key
pub   rsa1024 2006-03-21 [SC] [expired: 2022-03-14]
      4E98E67519D98DC7362A5990E3A5C360307E3D54
uid                      SuSE Package Signing Key <build@suse.de>


bor@10:~>
#6

I think the reason why you don’t get a warning is because your output doesn’t list the expired key, if I do the same command my output does list the expired key


zypper lr repo-non-oss
Alias          : repo-non-oss
Name           : Non-OSS Repository
URI            : http://download.opensuse.org/distribution/leap/15.4/repo/non-oss/
Enabled        : Yes
GPG Check      : (r) Yes
Priority       : 99 (default priority)
Autorefresh    : On
Keep Packages  : Off
Type           : rpm-md
GPG Key URI    : 
Path Prefix    : 
Parent Service : 
Keywords       : [5]
    gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54

If I delete the key through yast2 and then do the following commands the key will get re added, in the output below you can see the expiration date. The expired date can also be seen in yast2 when you select an individual GPG key


zypper clean --all
zypper ref
Retrieving repository 'Update repository of openSUSE Backports' metadata ....................................................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache .........................................................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata -------------------------------------------------------------------------------------------------------------------------------------------------------------]
Note: Received 1 new package signing key from repository Non-OSS Repository:

  Those additional keys are usually used to sign packages shipped by the repository. In order to
  validate those packages upon download and installation the new keys will be imported into the rpm
  database.

  New:
  Key Fingerprint:  4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
  Key Name:         SuSE Package Signing Key <build@suse.de>
  Key Algorithm:    RSA 1024
  Key Created:      Thu 15 Mar 2018 09:26:29 AM MDT
  Key Expires:      Mon 14 Mar 2022 09:26:29 AM MDT (EXPIRED)
  Rpm Name:         gpg-pubkey-307e3d54-5aaa90a5

  The repository metadata introducing the new keys have been signed and validated by the trusted
  key:

  Repository:       Non-OSS Repository
  Key Fingerprint:  22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
  Key Name:         openSUSE Project Signing Key <opensuse@opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Mon 05 May 2014 02:37:40 AM MDT
  Key Expires:      Thu 02 May 2024 02:37:40 AM MDT
  Rpm Name:         gpg-pubkey-3dbdc284-53674dd4
#7

Can someone provide some input as to whether I should be concerned with the expired key? Any idea when a new key will be generated?

#8

zypper clean will delete information and refresh will restore it:

erlangen:~ #** zypper clean --all --repo non-oss **
Specified repositories have been cleaned up. 
erlangen:~ # **zypper repos non-oss** 
Alias          : non-oss 
Name           : Haupt-Repository (NON-OSS) 
URI            : https://mirrorcache-eu.opensuse.org/tumbleweed/repo/non-oss/ 
Enabled        : Yes 
GPG Check      : ( p) Yes 
Priority       : 99 (default priority) 
Autorefresh    : On 
Keep Packages  : On 
Type           : NONE 
GPG Key URI    :  
Path Prefix    : / 
Parent Service :  
**Keywords       : --- 
**Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo 
MD Cache Path  : /var/cache/zypp/raw/non-oss 
erlangen:~ # **zypper refresh --repo non-oss** 
Retrieving repository 'Haupt-Repository (NON-OSS)' metadata ............................................................................................................................................................................[done] 
Building repository 'Haupt-Repository (NON-OSS)' cache .................................................................................................................................................................................[done] 
Specified repositories have been refreshed. 
erlangen:~ # **zypper repos non-oss** 
Alias          : non-oss 
Name           : Haupt-Repository (NON-OSS) 
URI            : https://mirrorcache-eu.opensuse.org/tumbleweed/repo/non-oss/ 
Enabled        : Yes 
GPG Check      : (r ) Yes 
Priority       : 99 (default priority) 
Autorefresh    : On 
Keep Packages  : On 
Type           : rpm-md 
GPG Key URI    :  
Path Prefix    : / 
Parent Service :  
**Keywords       : [4] 
    gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4 
    gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82 
    gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284 
    pool 
**Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo 
MD Cache Path  : /var/cache/zypp/raw/non-oss 
erlangen:~ #
#9

Thanks for the details, I tried Yast and I saw 4 keys that are expired:

Key: 27C070176F88BB2F



  - Name: KDE OBS Project <KDE@build.opensuse.org> 
  - Finger Print: 4E8E6DE2961F3083EAC5008627C070176F88BB2F 
  - Created: 2019-01-02 
  - Expires: 2021-03-12 (The key is expired.) 


  Key: 69D1B2AAEE3D166A
 


  - Name: security OBS Project <security@build.opensuse.org> 
  - Finger Print: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A 
  - Created: 2018-11-03 
  - Expires: 2021-01-11 (The key is expired.) 


  Key: 70AF9E8139DB7C82
 


  - Name: SuSE Package Signing Key <build@suse.de> 
  - Finger Print: FEAB502539D846DB2C0961CA70AF9E8139DB7C82 
  - Created: 2016-12-07 
  - Expires: 2020-12-06 (The key is expired.) 


  Key: 9C214D4065176565
 


  - Name: openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org> 
  - Finger Print: 637B32FF3D83F07A7AE1C40A9C214D4065176565 
  - Created: 2019-10-02 
  - Expires: 2021-12-10 (The key is expired.)

The remainder of the keys is not expired
I did delete these key using Yast and did run “sudo zypper ref”, that runs fine without additional messages about keys but after that the last key in the list above (openSUSE:Backports OBS Project) I silently added again.

Tried that and “sudo zypper ref” and that once more runs fine without additional messages about keys but after that the last key.

Then tried “sudo zypper clean --all” and then zypper ref is triggering:


[FONT=monospace]Retrieving repository 'repo-non-oss' metadata ----------------------------------------------------------------------------------------------------------------------------------------------------------------------/] 
Note: Received 1 new package signing key from repository "repo-non-oss": 

  Those additional keys are usually used to sign packages shipped by the repository. In order to 
  validate those packages upon download and installation the new keys will be imported into the rpm 
  database. 

  New:
  Key Fingerprint:  FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82 
  Key Name:         SuSE Package Signing Key <build@suse.de> 
  Key Algorithm:    RSA 2048 
  Key Created:      Mon 21 Sep 2020 10:21:47 CEST 
  Key Expires:      Fri 20 Sep 2024 10:21:47 CEST 
  Rpm Name:         gpg-pubkey-39db7c82-5f68629b 

  The repository metadata introducing the new keys have been signed and validated by the trusted
  key:

  Repository:       repo-non-oss 
  Key Fingerprint:  22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284 
  Key Name:         openSUSE Project Signing Key <opensuse@opensuse.org> 
  Key Algorithm:    RSA 2048 
  Key Created:      Mon 05 May 2014 10:37:40 CEST 
  Key Expires:      Thu 02 May 2024 10:37:40 CEST 
  Rpm Name:         gpg-pubkey-3dbdc284-53674dd4[/FONT]

So for me the repo-non-oss seems to be signed with the openSUSE Project Signing Key and that expires May 2024
I still have one expired key named openSUSE:Backports OBS Project but that does not trigger any warnings, not sure that makes sense to me.

Like I said, I would not worry too much about these expired keys, they are a way to make sure zypper is connecting with a computer that has the same key, did you ever verify one of these keys (using the fingerprint) against another source before trusting them? If not, it is not logical to start worrying now. Still if there is an actual problem, it is better solved.

#10

What makes you think it did not happen?

bor@10:~> gpg2 --show-key /var/cache/zypp/raw/repo-oss/repodata/repomd.xml.key 
pub   rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
      22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid                      openSUSE Project Signing Key <opensuse@opensuse.org>


bor@10:~> rpm -qi gpg-pubkey-39db7c82-5f68629b | gpg --show-key

pub   rsa2048 2013-01-31 [SC] [expires: 2024-09-20]
      FEAB502539D846DB2C0961CA70AF9E8139DB7C82
uid                      SuSE Package Signing Key <build@suse.de>


bor@10:~>

Can you show any example of anything on Leap 15.4 signed by this expired key?

Can someone provide some input as to whether I should be concerned with the expired key?

You may want to review Installation / verification should not pass if the (sub)key(s) has been revoked or expired which provides a lot of input regarding RPM key management. Or you better start with explaining your actual concerns.

#11

To elaborate. RPM signature allows checking the package origin, verifying package file before installation and verifying package metadata (header) in RPM database after installation. None of these is going away after key expiration dare. So what are your concerns?