General Question about repository deletion and the signing key

Hello Everyone,
excuse me if the question I ask may seem a bit dumb but I could not find the info I am searching for on other posts or the wiki and therefore dare open a thread to ask it.

I am on a fresh install on Leap 15.6 and wanted to add the unofficial codecs to play some video files.

I added them as follows:

sudo zypper ar -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/' packman-essentials

sudo zypper refresh

sudo zypper dup --from packman-essentials --allow-vendor-change

I then noticed that something was wrong (of course I added the wrong - Tumbleweed - repository :person_facepalming:) so I interrupted the process because it was going to delete a lot of really important packages.

So I did:
zypper lr -d
and then
sudo zypper rr 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/' packman-essentials

To remove it.

I then proceeded to add the right repository and install the needed codecs. Now my question is the following. I did temporarily accept the signing key of the Tumbleweed packman repo.

Does this key get automatically deleted when I delete the repository, or do I have to remove it manually from a file?

The signing key is the same…


Thank you!

And if it (hypothetically) wasn’t, would it be deleted with the repository deletion or would I have to delete it manually?

I am really sorry if that question is obvious for you. In Debian I believe I had to delete it manually, and I am still in the learning process for these basics.

You need to delete the signing key manually.


When you decide to “trust temporarily”, this key is not stored anywhere; it is only valid for this zypper invocation. It also means that packages in this repository will be signed by an unknown key.

10:~ # rpm -qa gpg-pubkey\* | sort > /tmp/keys.1
10:~ # zypper ar -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/' packman-essentials
Adding repository 'packman-essentials' ...................................[done]
Repository 'packman-essentials' successfully added

URI         : https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/
Enabled     : Yes
GPG Check   : Yes
Autorefresh : Yes
Priority    : 90 (raised priority)

Repository priorities in effect:                (See 'zypper lr -P' for details)
      90 (raised priority)  :  1 repository
      99 (default priority) :  6 repositories
10:~ # zypper refresh packman-essentials

New repository or package signing key received:

  Repository:       packman-essentials
  Key Fingerprint:  F887 5B88 0D51 8B6B 8C53 0D13 45A1 D067 1ABD 1AFB
  Key Name:         PackMan Project (signing key) <packman@links2linux.de>
  Key Algorithm:    RSA 4096
  Key Created:      Tue Jan  9 00:26:14 2024
  Key Expires:      Fri Sep 13 01:17:21 2024 (expires in 89 days)
  Rpm Name:         gpg-pubkey-1abd1afb-659c6876



    Note: Signing data enables the recipient to verify that no modifications
    occurred after the data were signed. Accepting data with no, wrong or
    unknown signature can lead to a corrupted system and in extreme cases even
    to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on
    the key's name. If you are not sure whether the presented key is authentic,
    ask the repository provider or check their web site. Many providers maintain
    a web page showing the fingerprints of the GPG keys they are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): t
Retrieving repository 'packman-essentials' metadata ......................[done]
Building repository 'packman-essentials' cache ...........................[done]
Specified repositories have been refreshed.
10:~ # rpm -qa gpg-pubkey\* | sort > /tmp/keys.2
10:~ # diff -up /tmp/keys.*

So no keys were stored permanently. And if you now install packages from this repository:

10:~ # zypper in -r packman-essentials vlc
...
The following NEW package is going to be installed:
  vlc

1 new package to install.
Overall download size: 684.3 KiB. Already cached: 0 B. After the operation,
additional 1.7 MiB will be used.

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): 
Retrieving: vlc-3.0.20-1699.11.pm.19.x86_64 (packman-essentials)
                                                            (1/1), 684.3 KiB    
Retrieving: vlc-3.0.20-1699.11.pm.19.x86_64.rpm ............[done (559.6 KiB/s)]

Checking for file conflicts: .............................................[done]
warning: /var/cache/zypp/packages/packman-essentials/x86_64/vlc-3.0.20-1699.11.pm.19.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY

And if you remove this repository and re-add it again, you will get exactly the same question about trusting the repository key.

10:~ # zypper rr packman-essentials
Removing repository 'packman-essentials' .................................[done]
Removing repository 'packman-essentials' .................................[done]
Repository 'packman-essentials' has been removed.
10:~ # zypper ar -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/' packman-essentials
Adding repository 'packman-essentials' ...................................[done]
Repository 'packman-essentials' successfully added

URI         : https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/Essentials/
Enabled     : Yes
GPG Check   : Yes
Autorefresh : Yes
Priority    : 90 (raised priority)

Repository priorities in effect:                (See 'zypper lr -P' for details)
      90 (raised priority)  :  1 repository
      99 (default priority) :  6 repositories
10:~ # zypper refresh packman-essentials

New repository or package signing key received:

  Repository:       packman-essentials
  Key Fingerprint:  F887 5B88 0D51 8B6B 8C53 0D13 45A1 D067 1ABD 1AFB
  Key Name:         PackMan Project (signing key) <packman@links2linux.de>
  Key Algorithm:    RSA 4096
  Key Created:      Tue Jan  9 00:26:14 2024
  Key Expires:      Fri Sep 13 01:17:21 2024 (expires in 89 days)
  Rpm Name:         gpg-pubkey-1abd1afb-659c6876



    Note: Signing data enables the recipient to verify that no modifications
    occurred after the data were signed. Accepting data with no, wrong or
    unknown signature can lead to a corrupted system and in extreme cases even
    to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on
    the key's name. If you are not sure whether the presented key is authentic,
    ask the repository provider or check their web site. Many providers maintain
    a web page showing the fingerprints of the GPG keys they are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
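As an added example (not part of any post in this thread): a small shell helper that ties together the three identifiers in the session above, namely the fingerprint from the zypper prompt, the `gpg-pubkey-<keyid>-<created>` name rpm uses for a stored key, and the key ID in the `NOKEY` warning, to tell whether a key was actually stored and so needs manual removal. The function names and the two placeholder key entries are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and placeholder keys are constructed.

# Fingerprint as shown in the zypper prompt -> key ID as rpm prints it
# (last 8 hex digits, lower case).
fpr_to_keyid() {
    printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# stdin: output of  rpm -qa 'gpg-pubkey*'
# Prints the package that holds the key; exit status 1 if it is not stored.
find_key_pkg() {
    grep -E "^gpg-pubkey-$(fpr_to_keyid "$1")-[0-9a-f]{8}\$"
}

# stdin: rpm/zypper output. Prints each key ID that rpm reported as NOKEY,
# i.e. a signature it could not check against any stored key.
nokey_ids() {
    sed -n 's/.*key ID \([0-9a-f]\{8\}\): NOKEY.*/\1/p' | sort -u
}

# stdin: key listing, $1: fingerprint. One-line verdict for the operator.
report() {
    pkg=$(find_key_pkg "$1") \
        && echo "stored as $pkg (remove with: rpm -e $pkg)" \
        || echo "not stored in the rpm database, nothing to remove"
}

# Fingerprint and NOKEY warning copied from the session above.
PACKMAN_FPR='F887 5B88 0D51 8B6B 8C53 0D13 45A1 D067 1ABD 1AFB'
NOKEY_LOG='warning: /var/cache/zypp/packages/packman-essentials/x86_64/vlc-3.0.20-1699.11.pm.19.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY'

# Constructed listings: after "trust temporarily" vs. after "trust always".
KEYS_TEMP='gpg-pubkey-aaaaaaaa-11111111
gpg-pubkey-bbbbbbbb-22222222'
KEYS_ALWAYS="$KEYS_TEMP
gpg-pubkey-1abd1afb-659c6876"

printf '%s\n' "$KEYS_TEMP"   | report "$PACKMAN_FPR"
printf '%s\n' "$KEYS_ALWAYS" | report "$PACKMAN_FPR"
printf '%s\n' "$NOKEY_LOG"   | nokey_ids
```

On a live system, pipe `rpm -qa 'gpg-pubkey*'` into `report` with the fingerprint you compared against the provider's published one.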

Oh, I did not know this. Thank you!
