Google Chrome Update Key Validation Error


I have been using OpenSUSE Leap for two years now, starting with 42.1 and upgrading to 42.2 early in 2017. I installed, and have been using and regularly updating, Google’s Chrome browser from my early Leap days. Recently I started to receive an error when trying to refresh the repository:

randy@linux-ui76:~> sudo zypper ref 
Repository 'Packman Repository' is up to date.                                                                                           
Retrieving repository 'google-chrome' metadata --------------------------------------------------------------------------------------\] 
**File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '1397BC53640DB551'. Continue? [yes/no] (no): **
Retrieving repository 'google-chrome' metadata ..................................................................................[error] 
Repository 'google-chrome' is invalid.
[google-chrome|] Valid metadata not found at specified URL
Please check if the URIs defined for this repository are pointing to a valid repository. 
Skipping repository 'google-chrome' because of the above error.
Repository 'Opera packages' is up to date.                                                                                               
Repository 'openSUSE-Leap-42.2-Non-Oss' is up to date.                                                                                   
Repository 'openSUSE-Leap-42.2-Oss' is up to date.                                                                                       
Repository 'openSUSE-Leap-42.2-Update' is up to date.                                                                                    
Repository 'openSUSE-Leap-42.2-Update-Non-Oss' is up to date.                                                                            
Some of the repositories have not been refreshed because of an error.

I tried manually downloading and importing the GPG key per Google’s instructions using:

sudo rpm --import

but I still get the error, which concerns me because Google doesn’t seem to have the valid key on their web site.

Is anyone else having this problem? Is it safe to answer “yes” to the warning to update the key that way?

Thank you for your help,

This is a very old and occasional event. I ignore it as stated as in a writeup here:

But if you want a thorough discussion, read this one:

Hi swerdna,

Thanks for your quick response. As you can see from my original post, I am not given the option to “ignore,” just to answer “yes” or “no” to refresh the Google Chrome repository. I believe that answering “no,” as I have been doing, does not give me Chrome updates, which I would like to have (I like the most recent versions of applications for security purposes.)

I was interested to see in the link you gave me that the other user was getting the same key code in his warning that I was getting. That makes me more comfortable answering “yes” to refresh the repository and get the updates.


I am getting this

File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '1397BC53640DB551'. Continue? [yes/no] (no):

I too have reimported google key … reinstalling chrome etc … and still when zypper up get the ‘unknown key’ alert!!!

i have answered ‘yes’ and this is what happens:

** #** zypper up
Retrieving repository 'google-chrome' metadata -----------------------------------------------------------------------------------------\]
**File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '1397BC53640DB551'. Continue? [yes/no] (no): **yes
Retrieving repository 'google-chrome' metadata ......................................................................................[done]
Building repository 'google-chrome' cache ...........................................................................................[done]
Loading repository data...
Reading installed packages...

The following item is locked and will not be changed by any action:

The following 32 package updates will NOT be installed:
  gstreamer-plugins-bad gstreamer-plugins-bad-lang k3b k3b-lang libavcodec57 libavfilter6 libavformat57 libavresample3 libavutil55
  libbzrtp0 libFLAC++6 libFLAC8 libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbadbase-1_0-0 libgstbadvideo-1_0-0
  libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstgl-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgsturidownloader-1_0-0
  libgstwayland-1_0-0 libmjpegutils-2_0-0 libpostproc54 libquicktime0 libsox3 libswresample2 libswscale4 mjpegtools sox vlc-codec-gstreamer

Nothing to do.

FYI - there is another post regarding same issue from a few days ago (with no satisfactory explanation nor solution)

Oops, sorry, I should have said “yes”.

Some folks are getting error messages concerning the
Google Chrome signing key.  On occasion Google updates
the signing key they use on their packages and repositories.
They last updated their signing key on 26 July 2017.
The Chrome 60 package and the Chrome repository files are
signed with this new key.

These are the steps I take to sync new Google keys with
the repository database.  Once done, there should no longer
be error messages concerning Google package or repository signing.

We will download the latest Chrome rpm, uninstall  your current Chrome,
remove the Chrome repository, delete the current (old) signing
key that was associated with the Chrome repository.

1) Download the latest Chrome from
   Click the Download Chrome button then select the 64 bit .rpm option.
   Save the Chrome rpm to your Downloads directory.
   The Chrome rpm should now exist as:
2) Use Yast / Software Management to uninstall Chrome
   (your settings and bookmarks will remain).
3) Use Yast / Software Repositories to delete the Chrome repository

4) Use Yast / Software Repositories GPG Keys button to delete
   the old Google signing key.
5) Logout/Login

Now we will download the new Google signing key, install the signing key,
install Chrome - letting the installer add the Chrome repository to our
list of repositories

6) Open a console (command prompt) and change to your Downloads directory
   where you saved the new Chrome rpm.  cd ~/Downloads

7)  Delete the file /etc/default/google-chrome
    The Chrome installers create this file the first time any version
    of chrome is installed.  This file informs all Chrome installers
    that the Chrome repository has already been added to your repository
    list. A Chrome installer will never add the Chrome repository
    again as long as this file exists, so delete it:
    sudo rm /etc/default/google-chrome
8) Now download the new signing key (8038 bytes, 26 July 2017):

9) Now install the new signing key:

   sudo rpm --import
10) Now install Chrome:

    sudo rpm -i google-chrome-stable_current_x86_64.rpm
11) Logout/Login

12) Now run Yast / Software Management.  It will warn that it cannot
    verify the Trust worthiness of the new Google signing Key, and
    ask if you wish to Trust it (use it) any way.  Yes, accept the
    new key.
There should no longer be any Google signig key issues - at least
until the next time Google issues a new key...

[xlis] could you supply a reference for the above text, or did you write this yourself?

I wrote the how-to text.

I’ve been using SuSE and openSUSE since v9.x

This is just defining the steps (some not mandatory, but cautious) for forcing
a signing key, the associated repository, and packages from that repository
to be in sync.

The how-to in Post #7 above should probably have a step 0 (zero) - install “lsb” 4.x (Linux Std Base v4.x).
Google Chrome requires that “lsb” 4.x be installed prior to installing Chrome.
It is not necessary to install “lsb” 5.x - 5x installs many things not needed by Chrome.

Use Yast / Software Management (search for “lsb”) to install “lsb” 4.x as step zero
of the how-to. If it is already installed, great.

Sorry for the omission…

Hi xlis,

Thanks for your detailed instructions on how to get the most current release of Chrome on OpenSUSE.

I have not been able to find any reference on the Internet that Google changed their key on July 26th, 2017, even on Google’s web site. Where did you find this information and how did you learn the location of the new signing key, that is different than Google provides in their instructions?

Given this age of information overload, there are some things I like to see for myself from trusted sources, especially when the source is a company as big as Google.


“Yes, this is because of the “subkey bug” mentioned in #6. We don’t really want to go back to the ancient (weaker) signing key, and this should really be fixed in zypper, since there’s no reason not to accept subkeys (as every other package manager seems to support).”

They’re using subkeys which is a problem with zypper and needs to get fixed by the SUSE dev team.

Hi xlis,

If I download and import the new key, will I get the latest version of Chrome via an update without having to uninstall and reinstall it manually?


Hi All,

I decided to answer “yes” to the “Continue?” question based on advice I got in this thread. This allowed the repository to refresh and then when I ran “zypper up” it downloaded and installed version 60 of Chrome, the previous version being 59. I also no longer get the key warning when I refresh the repositories, so everything seems to be fine.

My problem has been solved.

Thank you all for your contributions to this thread, you helped me immensely.


Hi there, I had these problems, uninstalled everything, reimported the key and re-installed Chrome and now everything fine EXCEPT I’ve lost the repo. A new version came out on 2nd August 2017 and I didn’t get the new version automatically.

The previous repo I believe is but this now gives a 404.

When I downloaded Chrome on the install page is maintains Note: Installing Google Chrome will add the Google repository so your system will automatically keep Google Chrome up to date.

This doesn’t appear to have happened, are others getting the same issue?


I’m running Leap 42.3

That’s strange. So I decided to see if I got that too. I looked in my repo and the address I have is
So I put that address in a browser and I got the 404 like you did.

But that repo still works. I know it works because I updated my Chrome browser today using that repo. So the link doesn’t work in the chrome browser but it does in the repo configuration.


Hi All,

Well, it worked for five days, then I started to get the warning again. The message has the same key code as my first post - “unknown key ‘1397BC53640DB551’” - so I answered “yes” again to the “continue?” prompt. I’ll see how long the Chrome repository refreshes work now and let you know.


Hi ajwillis,

I’m curious, did you download and reimport the key “” per xlis’ post or did you use “” as per Google’s instructions?



Well, four days later and I’ve gotten the warning again. Same key code. So answering “yes” to the “Continue?” prompt seems to work for a few days, then the warning appears again.
I would like to get rid of it permanently, so I will try xlis’ steps from post #7 in this thread. I will start by downloading and importing the key from the different source (see post #18) and if that doesn’t work, I will uninstall and reinstall Chrome.


It seems this problem is caused by the Suse Zypper package manager not recognising subkeys which this repository has recently started using. This is being tracked under which suggests a fix should be forthcoming soon.