Found a strange gpg-pubkey

I can’t remember which distro upgrade it was (either 15.2 to 15.3 or 15.3 to 15.4) but I do remember encountering messages about packages getting downgraded or being told that some cannot be installed. Browsed through the forum and found this old post which said it may have something to do with the merger of SLE and Leap. Because I was in a hurry back then, I just hit Yes to proceed and defer asking about those.

Now the time to defer has arrived and I got curious if I have a properly patched Leap box or if I have been using a hodgepodge for the longest time. So I did:

u@localhost:~> zypper lifecycle

Product end of support                                  
Codestream: openSUSE Leap 15                            2024-11-30
    Product: openSUSE Leap 15.4                         2023-11-30

Package end of support if different from product:
audit                                    Now, installed <versionNumber>, update available <anotherVersionNumber>
...
[more items listed but redacted for brevity]

I couldn’t tell in and of itself what that meant, so I went back through my handwritten notes whenever I do distro upgrades, and two things caught my eyes.

The first one is verifying the repos. So I checked what I currently have and got this:

u@localhost:~> zypper repos -u
Repository priorities are without effect. All enabled repositories share the same priority.

#  | Alias                         | Name                                                                                        | Enabled | GPG Check | Refresh | URI
---+-------------------------------+---------------------------------------------------------------------------------------------+---------+-----------+---------+-------------------------------------------------------------------------------------
 1 | openSUSE-Leap-${releasever}-1 | openSUSE-Leap-15.4-1                                                                        | No      | ----      | ----    | hd:/?device=/dev/disk/by-id/usb-SanDisk_Ultra_USB_3.0_4C530000050105103550-0:0-part2
 2 | repo-backports-debug-update   | Update repository with updates for openSUSE Leap debuginfo packages from openSUSE Backports | No      | ----      | ----    | http://download.opensuse.org/update/leap/15.4/backports_debug/
 3 | repo-backports-update         | Update repository of openSUSE Backports                                                     | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.4/backports/
 4 | repo-debug                    | Debug Repository                                                                            | No      | ----      | ----    | http://download.opensuse.org/debug/distribution/leap/15.4/repo/oss/
 5 | repo-debug-non-oss            | Debug Repository (Non-OSS)                                                                  | No      | ----      | ----    | http://download.opensuse.org/debug/distribution/leap/15.4/repo/non-oss/
 6 | repo-debug-update             | Update Repository (Debug)                                                                   | No      | ----      | ----    | http://download.opensuse.org/debug/update/leap/15.4/oss/
 7 | repo-debug-update-non-oss     | Update Repository (Debug, Non-OSS)                                                          | No      | ----      | ----    | http://download.opensuse.org/debug/update/leap/15.4/non-oss/
 8 | repo-non-oss                  | Non-OSS Repository                                                                          | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/distribution/leap/15.4/repo/non-oss/
 9 | repo-oss                      | Main Repository                                                                             | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/distribution/leap/15.4/repo/oss/
10 | repo-sle-debug-update         | Update repository with debuginfo for updates from SUSE Linux Enterprise 15                  | No      | ----      | ----    | http://download.opensuse.org/debug/update/leap/15.4/sle/
11 | repo-sle-update               | Update repository with updates from SUSE Linux Enterprise 15                                | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.4/sle/
12 | repo-source                   | Source Repository                                                                           | No      | ----      | ----    | http://download.opensuse.org/source/distribution/leap/15.4/repo/oss/
13 | repo-source-non-oss           | Source Repository (Non-OSS)                                                                 | No      | ----      | ----    | http://download.opensuse.org/source/distribution/leap/15.4/repo/non-oss/
14 | repo-update                   | Main Update Repository                                                                      | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.4/oss
15 | repo-update-non-oss           | Update Repository (Non-Oss)                                                                 | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/leap/15.4/non-oss/

Looks normal, but I’m not yet at a “seasoned user” level so I’m not quite sure. Then I checked out the second thing which caught my eyes:

rpm -qa gpg-pubkey

So I decided to look into that and this is what I got:

u@localhost:~> rpm -qa gpg-pubkey
gpg-pubkey-25db7ae0-645bae34
gpg-pubkey-307e3d54-5aaa90a5
gpg-pubkey-29b700a4-62b07e22
gpg-pubkey-3fa1d6ce-63c9481c
gpg-pubkey-39db7c82-5f68629b
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-65176565-61a0ee8f

Now I combed through the .asc files in download.opensuse.org and checked these out when I noticed something. Of all the keys listed in the terminal output above:

  1. gpg-pubkey-3fa1d6ce-63c9481c is not listed anywhere

  2. gpg-pubkey-39db7c82-5f68629b is a key under Tumbleweed (and I’m using Leap!)

So now I’m not sure what this means. How come I have GPG keys for Tumbleweed when I’m running Leap, and where did the GPG key listed in number 1 above come from?

I’m starting to think something is very wrong with my Leap box. Please help.

Your repo list looks OK to me. But you could remove #1. It is your installation medium and you do not need it anymore. Also it has a strange Alias (someone replaced 15.4 with ${releasever} and that is a strange place to do so) and when you remove the repo, that little “stain” will also be removed.

rpm -qi gpg-xxx gives more info.

Although the Enabled column says No, I suppose there’s no harm in removing it. I don’t have that medium anymore anyway.

I went back to my hand-written notes and found something back when I was upgrading from Leap 15.2 to 15.3. The instructions included running this command:

sudo sed -i 's/15.2/${releasever}/g' /etc/zypp/repos.d/*.repo

Do you think this is the culprit @hcvv ?

No, certainly not. You asked if your list looks OK. I said “you could …”. Just to have a clean list. You say yourself you do not have that medium anymore, thus why keep the entry?

And that entry probably is from before 15.4, so the more reason to remove it. You could have done this already after your 15.2 installation was a few months old. And then it would not have become subject of the change to ${releasever} at all.

The change from the hard-coded version number (in your case 15.2) to ${releasever} is only applicable to the URLs. Having it in an Alias (or a Name) is only confusing for those who read it.

@markLopez9:

Replying to Henk’s post –

You can also remove the entries for “repo-source” and “repo-source-non-oss” – for Leap 15.4 and later, as far as Zypper and YaST are concerned, they’re empty but, with direct access from a Web-Browser you can still download the source packages if you wish.
<http://download.opensuse.org/source/distribution/leap/15.4/repo/>

So I tried that @arvidjaar and this is what came back:

Distribution: (none)
Name        : gpg-pubkey
Version     : 39db7c82
Release     : 5f68629b
Architecture: (none)
Install Date: Sat 28 Aug 2021 04:12:21 AM PST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Mon 21 Sep 2020 04:21:47 PM PST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : SuSE Package Signing Key <build@suse.de>
Summary     : gpg(SuSE Package Signing Key <build@suse.de>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.1 (NSS-3)
Distribution: (none)
Name        : gpg-pubkey
Version     : 3fa1d6ce
Release     : 63c9481c
Architecture: (none)
Install Date: Sat 15 Jul 2023 09:45:34 PM PST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Thu 19 Jan 2023 09:39:40 PM PST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : SUSE Package Signing Key <build@suse.de>
Summary     : gpg(SUSE Package Signing Key <build@suse.de>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.3 (NSS-3)

I’m still not sure what this means, but the first one looks rather old based on the install date. The second one on the other hand was rather recent. Although it falls on a Saturday which is when I usually do my patching operations.

I always do zypper dist-upgrade instead of just update though. Does that make a difference?

Why? Where did you get that information from?

Thanks @dcurtisfra I’ll take note of that

I didn’t realize it was still there until today.

Anyway, duly noted on your inputs on what should not be there anymore. Thank you.

Please take note of this SDB: https://en.opensuse.org/SDB:System_upgrade

  • It’s actual.
  • It’s accurate.
  • Do something else at your own risk …

It’s listed as part of an update among others for Leap 15.4: Recommended update for suse-build-key | SUSE Support | SUSE

As you already identified it as a legit key, there is no need to worry.

As long as it’s a public key provided by openSUSE/SUSE or whatever maintainer you are using packages from it does no harm to have a key for tumbleweed even if you currently are not using any tumbleweed repo.
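An added example, not part of any post in this thread: rpm names each imported key gpg-pubkey-<version>-<release>, where <version> is the last 8 hex digits of the key ID and <release> is the key's creation time as hex seconds since the Unix epoch. The sketch below decodes the names posted above so they can be compared with the Build Date lines from rpm -qi; the function names are made up for this example and GNU date is assumed.

```shell
#!/bin/sh
# Added example: decode gpg-pubkey-<version>-<release> package names.
# Function names are hypothetical; `date -d @N` assumes GNU date.

decode_pubkey() {
    pk_rest=${1#gpg-pubkey-}
    pk_id=${pk_rest%%-*}      # <version>: last 8 hex digits of the key ID
    pk_hex=${pk_rest#*-}      # <release>: key creation time, hex epoch seconds
    # Reject names without the prefix or with non-hex characters in a field.
    case "$1" in gpg-pubkey-*-*) ;; *) pk_id= ;; esac
    case "$pk_id$pk_hex" in *[!0-9a-fA-F]*) pk_id= ;; esac
    if [ "${#pk_id}" -ne 8 ] || [ "${#pk_hex}" -ne 8 ]; then
        echo "not a gpg-pubkey package name: $1" >&2
        return 1
    fi
    pk_when=$(date -u -d "@$((0x$pk_hex))" +%Y-%m-%dT%H:%M:%SZ) || return 1
    printf '%s %s\n' "$(printf '%s' "$pk_id" | tr 'a-f' 'A-F')" "$pk_when"
}

# Decode one package name per input line, skipping blank lines.
decode_all() {
    while IFS= read -r pk_line; do
        [ -z "$pk_line" ] || decode_pubkey "$pk_line"
    done
}

# Key list exactly as posted in the thread; on a live system use
#   rpm -qa gpg-pubkey | decode_all
thread_keys() {
    cat <<'EOF'
gpg-pubkey-25db7ae0-645bae34
gpg-pubkey-307e3d54-5aaa90a5
gpg-pubkey-29b700a4-62b07e22
gpg-pubkey-3fa1d6ce-63c9481c
gpg-pubkey-39db7c82-5f68629b
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-65176565-61a0ee8f
EOF
}

thread_keys | decode_all
```

The decoded times are UTC, so they line up with the Build Date values in the rpm -qi output once the local timezone offset is applied. A short key ID plus creation date is only a first check; the full fingerprint is what should be compared against the published key file.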

During my first weeks of trying out Linux for the first time, I read the man page for zypper and it just felt like it was a more complete way to keep my box up-to-date than just the update option. After that, it’s been muscle memory to me.

However, if that’s the wrong way of doing things, do let me know so I can correct myself going forward.

Open up the graphical YaST interface → choose “Software Repositories” → bottom right: choose “GPG Keys”.

  • Walk the list of installed keys – you may find that some of them have expired.
    Delete the expired keys.

Quit the Repository Management part of YaST.

Open a “root” Konsole window –

# zypper refresh --force

Take note of the new keys which the forcible Zypper refresh pulled in.

Open up the YaST Repository Management again and walk through the list of repository keys once again.


You’re on Leap 15.4 –

  • That may well mean that, a couple of the keys have expired.
    Don’t worry too much – they’re still valid.

When you upgrade to Leap 15.5, the expired keys issue should disappear …

I’m not quite sure what I should be looking at in there. Help me out, yes?

When you are updating your system, you are just doing that. The distribution upgrade is for doing just that: upgrade your complete distribution (and that is what Tumbleweed does all the time, but what Leap only does when going to the next version).

And you use zypper dup for e.g. switching packages to another vendor (like the famous Packman switch). And in this case, you only do it to switch. You do not do it on a regular basis because then an unwanted switching back may be the result.
But you do not have any repos like Packman, thus that is not the case and your zypper dups may be harmless until now.

Thanks @404_UsernameNotFound for pointing me to that resource and the additional insight. Gives me some peace of mind.

Thanks @dcurtisfra . I’ll go through those steps you mentioned to get these keys sorted out.

At the very least, you should read how to perform the upgrade from Leap 15.4 to Leap 15.5.
<https://en.opensuse.org/SDB:System_upgrade#Performing_the_upgrade>


Everything preceding that section is the instructions for everything that you have to do BEFORE executing the upgrade …

I’ve seen some threads about people getting confused on why they are being prompted about downgrades and all, and packman was mentioned apart from having other repos. I only stick to the official repos. The only box I have with a third-party repo is my Ubuntu box which hosts my GNS3 installation.

Thank you for clarifying that @hcvv . I’ll work on erasing that muscle memory and align myself with appropriate practice for Leap.