Expired suse package signing key for non-oss repo

Key: E3A5C360307E3D54
Name: SuSe Package Signing Key <build@suse.de>
Created: 03/15/2018
Expires: 03/14/2022 (The key is expired)

If I delete the key from yast2 and do a zypper ref, the key gets re-added as part of the non-oss repo.

Are there any concerns with having this expired key? Any idea when a new one will be issued?

Not a big risk to me to trust such an expired key.

I have repo-non-oss enabled in Tumbleweed and just did an update and did not see a warning on this.

> sudo zypper lr repo-non-oss
Alias : download.opensuse.org-non-oss
Name : repo-non-oss
URI : http://download.opensuse.org/tumbleweed/repo/non-oss/
Enabled : Yes
GPG Check : (r ) Yes
Priority : 99 (default priority)
Autorefresh : On
Keep Packages : Off
Type : rpm-md
GPG Key URI :
Path Prefix : /
Parent Service :
Keywords : [4]
gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4
gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82
gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284
pool
Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo
MD Cache Path : /var/cache/zypp/raw/download.opensuse.org-non-oss

I found "list, export and remove RPM GPG keys" and after patching the script ($linux is nowadays opensuse) I could dump the key:


Name        : gpg-pubkey 
Version     : 29b700a4 
Release     : 62b07e22 
Architecture: (none) 
Install Date: Sat 03 Sep 2022 12:18:47 CEST 
Group       : Public Keys 
Size        : 0 
License     : pubkey 
Signature   : (none) 
Source RPM  : (none) 
Build Date  : Mon 20 Jun 2022 16:03:14 CEST 
Build Host  : localhost 
Packager    : openSUSE Project Signing Key <opensuse@opensuse.org> 
Summary     : openSUSE Project Signing Key <opensuse@opensuse.org> public key 
Description : 
-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: rpm-4.17.1 (NSS-3) 

mQINBGKwfiIBEADe9bKROWax5CI83KUly/ZRDtiCbiSnvWfBK1deAttV+qLTZ006 
090eQCOlMtcjhNe641Ahi/SwMsBLNMNich7/ddgNDJ99H8Oen6mBze00Z0Nlg2HZ 
VZibSFRYvg+tdivu83a1A1Z5U10Fovwc2awCVWs3i6/XrpXiKZP5/Pi3RV2K7VcG 
rt+TUQ3ygiCh1FhKnBfIGS+UMhHwdLUAQ5cB+7eAgba5kSvlWKRymLzgAPVkB/NJ 
uqjz+yPZ9LtJZXHYrjq9yaEy0J80Mn9uTmVggZqdTPWx5CnIWv7Y3fnWbkL/uhTR 
uDmNfy7a0ULB3qjJXMAnjLE/Oi14UE28XfMtlEmEEeYhtlPlH7hvFDgirRHN6kss 
BvOpT+UikqFhJ+IsarAqnnrEbD2nO7Jnt6wnYf9QWPnl93h2e0/qi4JqT9zw93zs 
fDENY/yhTuqqvgN6dqaD2ABBNeQENII+VpqjzmnEl8TePPCOb+pELQ7uk6j4D0j7 
slQjdns/wUHg8bGE3uMFcZFkokPv6Cw6Aby1ijqBe+qYB9ay7nki44OoOsJvirxv 
p00MRgsm+C8he+B8QDZNBWYiPkhHZBFi5GQSUY04FimR2BpudV9rJqbKP0UezEpc 
m3tmqLuIc9YCxqMt40tbQOUVSrtFcYlltJ/yTVxu3plUpwtJGQavCJM7RQARAQAB 
tDRvcGVuU1VTRSBQcm9qZWN0IFNpZ25pbmcgS2V5IDxvcGVuc3VzZUBvcGVuc3Vz 
ZS5vcmc+iQI+BBMBAgAoBQJisH4iAhsDBQkHhM4ABgsJCAcDAgYVCAIJCgsEFgID 
AQIeAQIXgAAKCRA1ovhuKbcApKRrEACJMhZhsPJBOkYmANvH5mqlk27brA3IZoM4 
8qTzERebzKa0ZH1fgRI/3DhrfBYL0M5XOb3+26Ize0pujyJQs61Nlo1ibtQqCoyu 
dvP/pmY1/Vr374wlMFBuCfAjdad4YXkbe7q7GGjo6cF89qtBfTqEtaRrfDgtPLx/ 
s9/WXLGo0XYqCCSPVoU66jQYNcCt3pH+hqytvntXJDhU+DveOnQCOSBBHhCMST3E 
QvriN/GnHf+sO19UmPpyHH0TM5Ru4vDrgzKYKT/CzbllfaJSk9cEuTY8Sv1sP/7B 
Z7YvOE0soIgM1sVg0u3R/2ROx0MKoLcq7EtLw64eE+wnw9bHYZQNmS+J/18p7Bo8 
I7e+8WRi+m/pus5FEWsIH1uhxKLgJGFDTHHGZtW+myjnUzXVIkpJGrKoolzYjHdK 
lRYM2fVuNI1eq6CZ6PFXg2UxovVczSnGMO33HZE09vpgkRDBrw1vF0o/Wnm02kig 
V6xYHk5wJx8vL74wPvCbw73UNT9OSdxYAz7JPqGOD6cpKe7XcAH2sYmlGpggAIUz 
Rq/lROEF5lx4SxB838JU4ezxD++BJXfBTE8JZmlGscXv74y9nCtSOZza8KOKj8ou 
WRl739FMnx9jRd7HHj3TIyymoveODnZ7f3IElyyFsjBW3XuQ9XfpZrIkwHuaZV5M 
6q2h+hgWNQ== 
=nMh8 
-----END PGP PUBLIC KEY BLOCK----- 

Distribution: (none)

I do not see an expiration date…

The expired key is not listed in the output of the command, hence I don’t think you get a warning; running the same command as yours on Leap 15.4 does list the expired key as
gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54

bor@10:~> rpm -qi gpg-pubkey-307e3d54-5aaa90a5 | gpg --show-key
pub   rsa1024 2006-03-21 [SC] [expired: 2022-03-14]
      4E98E67519D98DC7362A5990E3A5C360307E3D54
uid                      SuSE Package Signing Key <build@suse.de>


bor@10:~> 

I think the reason why you don’t get a warning is that your output doesn’t list the expired key; if I run the same command, my output does list the expired key.


zypper lr repo-non-oss
Alias          : repo-non-oss
Name           : Non-OSS Repository
URI            : http://download.opensuse.org/distribution/leap/15.4/repo/non-oss/
Enabled        : Yes
GPG Check      : (r) Yes
Priority       : 99 (default priority)
Autorefresh    : On
Keep Packages  : Off
Type           : rpm-md
GPG Key URI    : 
Path Prefix    : 
Parent Service : 
Keywords       : [5]
    gpg-pubkey-307e3d54-5aaa90a5.asc?fpr=4E98E67519D98DC7362A5990E3A5C360307E3D54


If I delete the key through yast2 and then run the following commands, the key will get re-added; in the output below you can see the expiration date. The expiration date can also be seen in yast2 when you select an individual GPG key.


zypper clean --all
zypper ref
Retrieving repository 'Update repository of openSUSE Backports' metadata ....................................................................................................................................[done]
Building repository 'Update repository of openSUSE Backports' cache .........................................................................................................................................[done]
Retrieving repository 'Non-OSS Repository' metadata -------------------------------------------------------------------------------------------------------------------------------------------------------------]
Note: Received 1 new package signing key from repository Non-OSS Repository:

  Those additional keys are usually used to sign packages shipped by the repository. In order to
  validate those packages upon download and installation the new keys will be imported into the rpm
  database.

  New:
  Key Fingerprint:  4E98 E675 19D9 8DC7 362A 5990 E3A5 C360 307E 3D54
  Key Name:         SuSE Package Signing Key <build@suse.de>
  Key Algorithm:    RSA 1024
  Key Created:      Thu 15 Mar 2018 09:26:29 AM MDT
  Key Expires:      Mon 14 Mar 2022 09:26:29 AM MDT (EXPIRED)
  Rpm Name:         gpg-pubkey-307e3d54-5aaa90a5

  The repository metadata introducing the new keys have been signed and validated by the trusted
  key:

  Repository:       Non-OSS Repository
  Key Fingerprint:  22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
  Key Name:         openSUSE Project Signing Key <opensuse@opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Mon 05 May 2014 02:37:40 AM MDT
  Key Expires:      Thu 02 May 2024 02:37:40 AM MDT
  Rpm Name:         gpg-pubkey-3dbdc284-53674dd4


Can someone provide some input as to whether I should be concerned with the expired key? Any idea when a new key will be generated?

zypper clean will delete information and refresh will restore it:

erlangen:~ # zypper clean --all --repo non-oss
Specified repositories have been cleaned up.
erlangen:~ # zypper repos non-oss
Alias          : non-oss
Name           : Haupt-Repository (NON-OSS)
URI            : https://mirrorcache-eu.opensuse.org/tumbleweed/repo/non-oss/
Enabled        : Yes
GPG Check      : ( p) Yes
Priority       : 99 (default priority)
Autorefresh    : On
Keep Packages  : On
Type           : NONE
GPG Key URI    :
Path Prefix    : /
Parent Service :
Keywords       : ---
Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo
MD Cache Path  : /var/cache/zypp/raw/non-oss
erlangen:~ # zypper refresh --repo non-oss
Retrieving repository 'Haupt-Repository (NON-OSS)' metadata ............................................................................................................................................................................[done]
Building repository 'Haupt-Repository (NON-OSS)' cache .................................................................................................................................................................................[done]
Specified repositories have been refreshed.
erlangen:~ # zypper repos non-oss
Alias          : non-oss
Name           : Haupt-Repository (NON-OSS)
URI            : https://mirrorcache-eu.opensuse.org/tumbleweed/repo/non-oss/
Enabled        : Yes
GPG Check      : (r ) Yes
Priority       : 99 (default priority)
Autorefresh    : On
Keep Packages  : On
Type           : rpm-md
GPG Key URI    :
Path Prefix    : /
Parent Service :
Keywords       : [4]
    gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4
    gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82
    gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284
    pool
Repo Info Path : /etc/zypp/repos.d/download.opensuse.org-non-oss.repo
MD Cache Path  : /var/cache/zypp/raw/non-oss
erlangen:~ #

Thanks for the details, I tried Yast and I saw 4 keys that are expired:

Key: 27C070176F88BB2F
  - Name: KDE OBS Project <KDE@build.opensuse.org>
  - Finger Print: 4E8E6DE2961F3083EAC5008627C070176F88BB2F
  - Created: 2019-01-02
  - Expires: 2021-03-12 (The key is expired.)

Key: 69D1B2AAEE3D166A
  - Name: security OBS Project <security@build.opensuse.org>
  - Finger Print: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
  - Created: 2018-11-03
  - Expires: 2021-01-11 (The key is expired.)

Key: 70AF9E8139DB7C82
  - Name: SuSE Package Signing Key <build@suse.de>
  - Finger Print: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
  - Created: 2016-12-07
  - Expires: 2020-12-06 (The key is expired.)

Key: 9C214D4065176565
  - Name: openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  - Finger Print: 637B32FF3D83F07A7AE1C40A9C214D4065176565
  - Created: 2019-10-02
  - Expires: 2021-12-10 (The key is expired.)


The remaining keys are not expired.
I did delete these keys using Yast and ran “sudo zypper ref”; that runs fine without additional messages about keys, but after that the last key in the list above (openSUSE:Backports OBS Project) is silently added again.

Tried that and “sudo zypper ref” and that once more runs fine without additional messages about keys but after that the last key.

Then tried “sudo zypper clean --all” and then zypper ref is triggering:


Retrieving repository 'repo-non-oss' metadata ----------------------------------------------------------------------------------------------------------------------------------------------------------------------/]
Note: Received 1 new package signing key from repository "repo-non-oss":

  Those additional keys are usually used to sign packages shipped by the repository. In order to
  validate those packages upon download and installation the new keys will be imported into the rpm
  database.

  New:
  Key Fingerprint:  FEAB 5025 39D8 46DB 2C09 61CA 70AF 9E81 39DB 7C82
  Key Name:         SuSE Package Signing Key <build@suse.de>
  Key Algorithm:    RSA 2048
  Key Created:      Mon 21 Sep 2020 10:21:47 CEST
  Key Expires:      Fri 20 Sep 2024 10:21:47 CEST
  Rpm Name:         gpg-pubkey-39db7c82-5f68629b

  The repository metadata introducing the new keys have been signed and validated by the trusted
  key:

  Repository:       repo-non-oss
  Key Fingerprint:  22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
  Key Name:         openSUSE Project Signing Key <opensuse@opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Mon 05 May 2014 10:37:40 CEST
  Key Expires:      Thu 02 May 2024 10:37:40 CEST
  Rpm Name:         gpg-pubkey-3dbdc284-53674dd4

So for me the repo-non-oss seems to be signed with the openSUSE Project Signing Key, and that expires May 2024.
I still have one expired key named openSUSE:Backports OBS Project, but that does not trigger any warnings; not sure that makes sense to me.

Like I said, I would not worry too much about these expired keys. They are a way to make sure zypper is connecting with a computer that has the same key. Did you ever verify one of these keys (using the fingerprint) against another source before trusting them? If not, it is not logical to start worrying now. Still, if there is an actual problem, it is better solved.

What makes you think it did not happen?

bor@10:~> gpg2 --show-key /var/cache/zypp/raw/repo-oss/repodata/repomd.xml.key 
pub   rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
      22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid                      openSUSE Project Signing Key <opensuse@opensuse.org>


bor@10:~> rpm -qi gpg-pubkey-39db7c82-5f68629b | gpg --show-key

pub   rsa2048 2013-01-31 [SC] [expires: 2024-09-20]
      FEAB502539D846DB2C0961CA70AF9E8139DB7C82
uid                      SuSE Package Signing Key <build@suse.de>


bor@10:~> 

Can you show any example of anything on Leap 15.4 signed by this expired key?
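The two checks in the reply above (`rpm -qi gpg-pubkey-... | gpg --show-key` to read a key's expiry, and the question of which installed packages are actually signed by the expired key) can be combined into one audit. The script below is an added example and is not code from any post in this thread; it assumes only the standard rpm query tags (`%{NAME}`, `%{VERSION}`, `%{RELEASE}`, `%{SIGPGP:pgpsig}`) and the `gpg --show-key` text format quoted above. The sample data at the bottom is constructed from values quoted in the thread, with made-up package names, so the parsing and matching can be run without rpm or gpg present; `live()` runs the same logic against the local rpm database.

```python
#!/usr/bin/env python3
"""Audit the rpm keyring for expired signing keys and map installed packages
to the key that signed them.  Added example, not code from the thread."""
import re
import subprocess
from datetime import date

FPR_RE = re.compile(r"^\s*([0-9A-F]{40})\s*$", re.M)
EXP_RE = re.compile(r"\[(?:expires|expired): (\d{4})-(\d{2})-(\d{2})\]")
UID_RE = re.compile(r"^uid\s+(.*?)\s*$", re.M)
KEYID_RE = re.compile(r"Key ID ([0-9a-f]{16})\s*$")


def parse_show_key(text):
    """Parse `gpg --show-key` output into fingerprint, long key id
    (last 16 hex digits of the fingerprint), uid and expiry date (or None)."""
    fpr = FPR_RE.search(text)
    if not fpr:
        raise ValueError("no fingerprint found in gpg output")
    exp = EXP_RE.search(text)
    uid = UID_RE.search(text)
    return {
        "fpr": fpr[1],
        "keyid": fpr[1][-16:].lower(),
        "uid": uid[1] if uid else "",
        "expiry": date(int(exp[1]), int(exp[2]), int(exp[3])) if exp else None,
    }


def rpm_name_matches(rpm_name, key):
    """The VERSION part of gpg-pubkey-<version>-<release> is the short (32-bit)
    key id, i.e. the last 8 hex digits of the fingerprint."""
    return rpm_name.split("-")[2] == key["keyid"][-8:]


def parse_pkg_sigs(lines):
    """Map package name -> long key id from '%{NAME}<TAB>%{SIGPGP:pgpsig}'
    lines.  Unsigned packages print '(none)' and map to None."""
    sigs = {}
    for line in lines:
        name, _, sig = line.rstrip("\n").partition("\t")
        m = KEYID_RE.search(sig)
        sigs[name] = m[1] if m else None
    return sigs


def audit(keys, pkg_sigs, today):
    """keys: {gpg-pubkey rpm name: parsed key}.  Returns sorted
    (package, status, detail) tuples; status is 'expired-key', 'unknown-key',
    'unsigned' or 'ok'.  Packages are matched to keys by long key id, not by
    uid: several keys in the thread share the uid 'SuSE Package Signing Key'."""
    by_id = {k["keyid"]: (name, k) for name, k in keys.items()}
    findings = []
    for pkg, keyid in sorted(pkg_sigs.items()):
        if keyid is None:
            findings.append((pkg, "unsigned", ""))
        elif keyid not in by_id:
            findings.append((pkg, "unknown-key", keyid))
        else:
            rpm_name, k = by_id[keyid]
            if k["expiry"] is not None and k["expiry"] < today:
                findings.append((pkg, "expired-key", f"{rpm_name} expired {k['expiry']}"))
            else:
                findings.append((pkg, "ok", rpm_name))
    return findings


def live(today=None):
    """Run the audit against the local rpm database (needs rpm and gpg)."""
    def run(args, stdin=None):
        return subprocess.run(args, input=stdin, capture_output=True,
                              text=True, check=True).stdout
    keys = {}
    for name in run(["rpm", "-q", "gpg-pubkey", "--qf",
                     "%{NAME}-%{VERSION}-%{RELEASE}\n"]).split():
        # gpg skips the rpm header text and reads the armored block that follows
        keys[name] = parse_show_key(run(["gpg", "--show-key"], run(["rpm", "-qi", name])))
    pkgs = run(["rpm", "-qa", "--qf", "%{NAME}\t%{SIGPGP:pgpsig}\n"]).splitlines()
    return audit(keys, parse_pkg_sigs(pkgs), today or date.today())


# gpg --show-key output for two keys quoted in the thread
SAMPLE_KEYS = {
    "gpg-pubkey-307e3d54-5aaa90a5": (
        "pub   rsa1024 2006-03-21 [SC] [expired: 2022-03-14]\n"
        "      4E98E67519D98DC7362A5990E3A5C360307E3D54\n"
        "uid                      SuSE Package Signing Key <build@suse.de>\n"),
    "gpg-pubkey-39db7c82-5f68629b": (
        "pub   rsa2048 2013-01-31 [SC] [expires: 2024-09-20]\n"
        "      FEAB502539D846DB2C0961CA70AF9E8139DB7C82\n"
        "uid                      SuSE Package Signing Key <build@suse.de>\n"),
}
# Constructed '%{NAME}<TAB>%{SIGPGP:pgpsig}' lines; the package names are made up
SAMPLE_PKGS = [
    "example-nonfree\tRSA/SHA256, Sat 03 Sep 2022 12:18:47 CEST, Key ID e3a5c360307e3d54",
    "example-tool\tRSA/SHA256, Mon 20 Jun 2022 16:03:14 CEST, Key ID 70af9e8139db7c82",
    "example-vendor\tRSA/SHA256, Mon 20 Jun 2022 16:03:14 CEST, Key ID 0123456789abcdef",
    "example-local\t(none)",
]


def demo(today=date(2023, 1, 1)):
    """Audit the constructed sample as of a fixed date."""
    keys = {n: parse_show_key(t) for n, t in SAMPLE_KEYS.items()}
    assert all(rpm_name_matches(n, k) for n, k in keys.items())
    return audit(keys, parse_pkg_sigs(SAMPLE_PKGS), today)


if __name__ == "__main__":
    for pkg, status, detail in demo():
        print(f"{pkg:20} {status:12} {detail}")
```

Note that the rpm package name encodes only the short 32-bit key id (`307e3d54`), while `%{SIGPGP:pgpsig}` prints the long 64-bit id (`e3a5c360307e3d54`); both are suffixes of the fingerprint, which is why the script keys everything off the fingerprint rather than the uid. An "unknown-key" result means a package whose signing key is not in the rpm database at all, which is the case worth looking into before any expired-but-still-present key.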

Can someone provide some input as to whether I should be concerned with the expired key?

You may want to review “Installation / verification should not pass if the (sub)key(s) has been revoked or expired”, which provides a lot of input regarding RPM key management. Or, better, start by explaining your actual concerns.

To elaborate: an RPM signature allows checking the package origin, verifying the package file before installation and verifying the package metadata (header) in the RPM database after installation. None of these is going away after the key expiration date. So what are your concerns?