How do I un-trust a repo?

When adding a new repo I am asked if I trust it but when I remove it and add it again I am not asked again. I suppose my trust vote is recorded somewhere. How can I also un-trust a certain repo when removing it?

Hi
You need to remove the gpg key from the rpm db;


rpm -q gpg-pubkey|sort

rpm -e --allmatches gpg-pubkey<some_key>

Trick is you need to know the key reference :wink:

Thanks.

Where do I get this from?

Hi
When you press the trust key… :wink:

Which repository are you talking about?

Comes from the first command, I think.

Normally I don’t write them down :slight_smile: That’s why I ask here what is the procedure.

Which repository are you talking about?

Not any particular. Just learning.

Hi
OK, since they are public keys, I added the packman repo, but don’t know which one it is, so as my user I imported locally (not to be confused with adding to the rpm db as this is done as root and a different option);


rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

gpg2 --list-keys

gpg2 --recv-keys 3dbdc284
gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg2 --list-keys
/home/<username>/.gnupg/pubring.gpg
---------------------------------
pub   2048R/3DBDC284 2008-11-07 [expires: 2024-05-02]
uid       [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>

gpg2 --fingerprint
/home/<username>/.gnupg/pubring.gpg
---------------------------------
pub   2048R/3DBDC284 2008-11-07 [expires: 2024-05-02]
      Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
uid       [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>

gpg2 --recv-keys 307e3d54
gpg: requesting key 307E3D54 from hkp server keys.gnupg.net
gpg: key 307E3D54: public key "SuSE Package Signing Key <build@suse.de>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg2 --recv-keys 1abd1afb
gpg: requesting key 1ABD1AFB from hkp server keys.gnupg.net
gpg: key 1ABD1AFB: public key "PackMan Project (signing key) <packman@links2linux.de>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

So using the first number string after pubkey I can import all three.

So switch to root user;


rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

rpm -e gpg-pubkey-1abd1afb-54176598

rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4

zypper ar -f http://ftp.fau.de/packman/suse/openSUSE_Leap_42.1/ Packman

Adding repository 'Packman' .....................................................................................................[done]
Repository 'Packman' successfully added
Enabled     : Yes                                               
Autorefresh : Yes                                               
GPG Check   : Yes                                               
URI         : http://ftp.fau.de/packman/suse/openSUSE_Leap_42.1/

zypper ref
Refreshing service 'spacewalk'.
Retrieving repository 'Packman' metadata -------------------------------------------------------------------------------------------[\]

New repository or package signing key received:

  Repository:       Packman                                               
  Key Name:         PackMan Project (signing key) <packman@links2linux.de>
  Key Fingerprint:  F8875B88 0D518B6B 8C530D13 45A1D067 1ABD1AFB          
  Key Created:      Mon Sep 15 17:18:00 2014                              
  Key Expires:      Thu Sep 12 17:17:21 2024                              
  Rpm Name:         gpg-pubkey-1abd1afb-54176598                          


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): a
Retrieving repository 'Packman' metadata ........................................................................................[done]
Building repository 'Packman' cache .............................................................................................[done]
Repository 'openSUSE-42.1-Local' is up to date.                                                                                        
Repository 'openSUSE-Leap-42.1-Oss for x86_64' is up to date.                                                                          
Repository 'openSUSE-Leap-42.1-Pool for x86_64' is up to date.                                                                         
Retrieving repository 'openSUSE-Leap-42.1-Update-Oss for x86_64' metadata .......................................................[done]
Building repository 'openSUSE-Leap-42.1-Update-Oss for x86_64' cache ............................................................[done]
Repository 'susemanager-client-setup' is up to date.                                                                                   
All repositories have been refreshed.

rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

And there it is back in again… :wink:

Hm. It seems to work differently here:

# rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-b293a970-55754d7a
gpg-pubkey-6f88bb2f-54032bd3
gpg-pubkey-23312922-5391f53b
gpg-pubkey-093bfba2-55db2beb
gpg-pubkey-3a802234-537d14c8
gpg-pubkey-e1bf12f6-52f8dd5c
gpg-pubkey-725a0c43-54944ee4
gpg-pubkey-d16935c7-56586575
gpg-pubkey-af72fe69-545a25c3
# gpg2 --list-keys
/home/<username>/.gnupg/pubring.gpg
-------------------------------
*(shows info about my GPG key which I use with KWallet)*


# gpg2 --recv-keys af72fe69
gpg: requesting key AF72FE69 from hkp server keys.gnupg.net
gpgkeys: key AF72FE69 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0



Hi
And this process indicates how to import a local key;


gpg2 --list-keys
/home/<username>/.gnupg/pubring.gpg
---------------------------------
pub   2048R/3DBDC284 2008-11-07 [expires: 2024-05-02]
uid       [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>

pub   1024R/307E3D54 2006-03-21 [expires: 2018-03-17]
uid       [ unknown] SuSE Package Signing Key <build@suse.de>

pub   4096R/1ABD1AFB 2006-09-18 [expires: 2024-09-12]
uid       [ unknown] PackMan Project (signing key) <packman@links2linux.de>

gpg2 --output 1ABD1AFB.gpg --armor --export 1ABD1AFB
ls 1A*
1ABD1AFB.gpg

{switch to root user}
su -

rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598

rpm -e gpg-pubkey-1abd1afb-54176598

zypper lr
Refreshing service 'spacewalk'.
# | Alias                                   | Name                                     | Enabled | GPG Check | Refresh
--+-----------------------------------------+------------------------------------------+---------+-----------+--------
1 | Packman                                 | Packman                                  | Yes     | (r ) Yes  | Yes    
2 | openSUSE-42.1-0                         | openSUSE-42.1-0                          | No      | ----      | No     
3 | spacewalk:opensuse-leap-42.1-local      | openSUSE-42.1-Local                      | Yes     | (  ) No   | Yes    
4 | spacewalk:opensuse-leap-42.1-oss        | openSUSE-Leap-42.1-Oss for x86_64        | Yes     | (  ) No   | Yes    
5 | spacewalk:opensuse-leap-42.1-pool       | openSUSE-Leap-42.1-Pool for x86_64       | Yes     | (  ) No   | Yes    
6 | spacewalk:opensuse-leap-42.1-update-oss | openSUSE-Leap-42.1-Update-Oss for x86_64 | Yes     | (  ) No   | Yes    
7 | susemanager-client-setup                | susemanager-client-setup                 | Yes     | (  ) No   | Yes    

zypper rr 1
Removing repository 'Packman' ...................................................................................................[done]
Repository 'Packman' has been removed.

# rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4

rpm --import /home/<username>/1ABD1AFB.gpg

rpm --import /home/<username>/1ABD1AFB.gpg

rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-48d62ce0

zypper ar -f http://ftp.fau.de/packman/suse/openSUSE_Leap_42.1/ Packman
Adding repository 'Packman' .....................................................................................................[done]
Repository 'Packman' successfully added
Enabled     : Yes                                               
Autorefresh : Yes                                               
GPG Check   : Yes                                               
URI         : http://ftp.fau.de/packman/suse/openSUSE_Leap_42.1/

zypper ref
Refreshing service 'spacewalk'.
Retrieving repository 'Packman' metadata ........................................................................................[done]
Building repository 'Packman' cache .............................................................................................[done]
Repository 'openSUSE-42.1-Local' is up to date.                                                                                        
Repository 'openSUSE-Leap-42.1-Oss for x86_64' is up to date.                                                                          
Repository 'openSUSE-Leap-42.1-Pool for x86_64' is up to date.                                                                         
Repository 'openSUSE-Leap-42.1-Update-Oss for x86_64' is up to date.                                                                   
Repository 'susemanager-client-setup' is up to date.                                                                                   
All repositories have been refreshed.

So this time as I had pre-imported it didn’t ask for the key…

Hi
Correct, since the repo owner has not uploaded the keys, need to get from OBS;

Since we are not sure which one, you need to visit each repo and import locally, in this example one of my home repos, the info is all in the .repo directory, so use a browser for one;


http://download.opensuse.org/repositories/home:/malcolmlewis:/Miscellanous/openSUSE_Leap_42.1/
http://download.opensuse.org/repositories/home:/malcolmlewis:/Miscellanous/openSUSE_Leap_42.1/home:malcolmlewis:Miscellanous.repo

[home_malcolmlewis_Miscellanous]
name=Miscellaneous (openSUSE_Leap_42.1)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/home:/malcolmlewis:/Miscellanous/openSUSE_Leap_42.1/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/home:/malcolmlewis:/Miscellanous/openSUSE_Leap_42.1//repodata/repomd.xml.key
enabled=1

So it shows which file contains the gpg key, we just need to grab it. Note it’s a common file, so as long as you know the repo, just substitute as required.


curl http://download.opensuse.org/repositories/home:/malcolmlewis:/Miscellanous/openSUSE_Leap_42.1//repodata/repomd.xml.key > mykey.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1110  100  1110    0     0   3500      0 --:--:-- --:--:-- --:--:--  3501

gpg2 --import mykey.txt
gpg: key 479DE3C9: public key "home:malcolmlewis OBS Project <home:malcolmlewis@build.opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

gpg2 --list-keys
/home/<username>/.gnupg/pubring.gpg
---------------------------------
pub   2048R/3DBDC284 2008-11-07 [expires: 2024-05-02]
uid       [ unknown] openSUSE Project Signing Key <opensuse@opensuse.org>

pub   1024R/307E3D54 2006-03-21 [expires: 2018-03-17]
uid       [ unknown] SuSE Package Signing Key <build@suse.de>

pub   4096R/1ABD1AFB 2006-09-18 [expires: 2024-09-12]
uid       [ unknown] PackMan Project (signing key) <packman@links2linux.de>

pub   2048R/479DE3C9 2015-01-25 [expires: 2017-04-04]
uid       [ unknown] home:malcolmlewis OBS Project <home:malcolmlewis@build.opensuse.org>

So if I had it present in the rpm database, I would be looking for 479DE3C9 to remove…
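Added example (not part of any post in this thread): the lookup described above, from a key fingerprint or gpg key ID to the `gpg-pubkey-…` package names that `rpm -e` expects. The function names are hypothetical, and the sample listing is constructed from `rpm -q gpg-pubkey` lines shown in the transcripts, so it runs without touching a real rpm database and only prints the removal commands.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is copied from the
# transcripts above; the function names are made up for illustration.

# rpm stores each trusted key as a package gpg-pubkey-<version>-<release>,
# where <version> is the last 8 hex digits of the key ID, lower-cased.
short_id() {
    # Accepts a fingerprint ("F8875B88 ... 1ABD1AFB") or a gpg key ID ("479DE3C9").
    hex=$(printf '%s' "$1" | tr -d ' \t' | tr 'A-F' 'a-f')
    printf '%s\n' "$hex" | grep -Eq '^[0-9a-f]{8,}$' || return 1
    printf '%s\n' "$hex" | sed 's/.*\(.\{8\}\)$/\1/'
}

# Reads an `rpm -q gpg-pubkey` listing on stdin and prints every package
# whose <version> field matches the key. The same key can appear with
# different <release> values, so more than one line may come back.
matching_pubkey_pkgs() {
    id=$(short_id "$1") || return 1
    awk -F- -v id="$id" '$1 == "gpg" && $2 == "pubkey" && $3 == id'
}

# Prints (does not run) the removal commands, one per matching package.
untrust_commands() {
    matching_pubkey_pkgs "$1" | sed 's/^/rpm -e /'
}

# Constructed listing: lines taken from the thread's `rpm -q gpg-pubkey` output.
SAMPLE_DB='gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-1abd1afb-48d62ce0'

# Fingerprint as zypper printed it for the Packman key.
PACKMAN_FPR='F8875B88 0D518B6B 8C530D13 45A1D067 1ABD1AFB'

printf '%s\n' "$SAMPLE_DB" | untrust_commands "$PACKMAN_FPR"
```

On a real system the listing comes from `rpm -q gpg-pubkey`, and `rpm -qi <package>` shows the key owner. Checking the owner before removal is worthwhile because an 8-digit key ID is short enough that two different keys can share it.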

Awesome. It worked! Thanks :slight_smile:

BTW what is the GPG keys section in YaST -> Software Repositories for? If I remove a GPG key from there - will it give the same result or are the keys listed there for something else?

It is strange that I have 12 GPG keys there and 14 repos. Is that normal?

BTW I also have twice the Packman:

http://packman.inode.at/suse/openSUSE_Leap_42.1/
http://ftp.gwdg.de/pub/linux/packman/suse/openSUSE_Leap_42.1/ (this one is disabled)

Which one should I remove?

Hi
Yes, this will do the same thing :wink: But now you know what it’s doing… :wink:

Yes, the openSUSE distribution ones use the same key…

As long as one is disabled, you will be fine, if one hiccups then it’s easy to switch. I use spacewalk so all my repos are local and mirror.

Great. Thanks!

What is spacewalk?

Also I notice there are a lot of user repos and you also have one. Where are those hosted? How can one have own repo? I actually wonder how to create RPM packages for the Bacula which I recently compiled and put it somewhere online for others to use.

Hi
It’s a systems management application;

I use a commercial version from SUSE (SUSE Manager)…

Via the openSUSE Build Service (I even have a local OBS for some builds);
openSUSE Build Service

Thanks. It looks like a lot of learning is required :slight_smile:

Hi
A bit :wink:
https://en.opensuse.org/Portal:Packaging
https://en.opensuse.org/openSUSE:OSC

Thanks :slight_smile: I hope I will find the time for it.

I tried adding the keys for “hardware” and “multimedia:libs”, however they do not seem to get added.

# rpm -q gpg-pubkey 
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-6f88bb2f-54032bd3
gpg-pubkey-c862b42c-5389b0bf
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-6867f5be-4d77cecd
gpg-pubkey-58ddeb32-53b79b7f
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-7c99e700-548c0c7c
gpg-pubkey-5c37d3be-51687863
gpg-pubkey-233ab63d-5486e781
# rpm --import /home/linus/D6D11CE4.gpg 
# rpm --import /home/linus/E1BF12F6.gpg 
# rpm -q gpg-pubkey 
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-6f88bb2f-54032bd3
gpg-pubkey-c862b42c-5389b0bf
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-6867f5be-4d77cecd
gpg-pubkey-58ddeb32-53b79b7f
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-7c99e700-548c0c7c
gpg-pubkey-5c37d3be-51687863
gpg-pubkey-233ab63d-5486e781

I get the same result when trying to add the keys from YaST.

Hi
You’re not missing a step?


STEP 1: curl http://download.opensuse.org/repositories/hardware/openSUSE_Leap_42.1//repodata/repomd.xml.key >hardware.key
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1085  100  1085    0     0   1068      0  0:00:01  0:00:01 --:--:--  1068

STEP 2: gpg2 --import hardware.key 

gpg: key D6D11CE4: public key "hardware OBS Project <hardware@build.opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

STEP 3: gpg2 --list-keys

pub   2048R/D6D11CE4 2014-09-16 [expires: 2016-11-24]
uid       [ unknown] hardware OBS Project <hardware@build.opensuse.org>

STEP 4: gpg2 --output D6D11CE4.gpg --armor --export D6D11CE4

STEP 5: ls D6*
D6D11CE4.gpg

STEP 6: Switch to root user

STEP 7: rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-479de3c9-54c54991

STEP 8: rpm --import /home/....../D6D11CE4.gpg

STEP 9: rpm -q gpg-pubkey
gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-479de3c9-54c54991
gpg-pubkey-d6d11ce4-5418547d

No, I repeated those exact commands, yet at the end the key is still not in the list.