I'm asked every time I run "zypper up" to trust or reject a new repo key

Hi,
I have this annoying thing in wich every time I run “zypper up” I’m asked to either trust temporarily, trust always or reject a new key for one or more repos. No matter what I choose, after a reboot if I run “zypper up” again I have to “trust” it again. Due to this the update applet doesn’t automatically install updates also.
It happened also on my previous 42.1 instance with the ownCloud repo.

Hi, showing the result of:


zypper lr -d

and telling which repos ask for trusting new keys might help experts to understand the problem and provide help.

# | Alias                               | Name                               | Enabled | GPG Check | Refresh | Priority | Type   | URI                              
                                                    | Service
--+-------------------------------------+------------------------------------+---------+-----------+---------+----------+--------+----------------------------------
----------------------------------------------------+--------
1 | download.opensuse.org-non-oss_1     | Update Repository (Non-Oss)        | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/upda
te/leap/42.2/non-oss/                               |         
2 | download.opensuse.org-oss           | Main Repository (OSS)              | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/dist
ribution/leap/42.2/repo/oss/                        |         
3 | download.opensuse.org-oss_1         | Main Update Repository             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/upda
te/leap/42.2/oss/                                   |         
4 | home_lemmy04                        | Miscellaneous (openSUSE_Leap_42.2) | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repo
sitories/home:/lemmy04/openSUSE_Leap_42.2/          |         
5 | http-download.opensuse.org-03a89f56 | isv:ownCloud:desktop               | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repo
sitories/isv:/ownCloud:/desktop/openSUSE_Leap_42.2/ |         
6 | http-download.opensuse.org-33e40bdf | openSUSE:Leap:42.2                 | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/dist
ribution/leap/42.2/repo/oss/                        |         
7 | http-download.opensuse.org-d5d4464c | openSUSE:Leap:42.2:Update          | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repo
sitories/openSUSE:/Leap:/42.2:/Update/standard/     |         
8 | packman                             | packman                            | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://ftp.gwdg.de/pub/linux/misc
/packman/suse/openSUSE_Leap_42.2/                   |        




Repo 4 and 5

Just checked with the ownCloud repo, everything normal here after having accepted the “trust always” option, even after a reboot.
Will check again in the next few days to see if updates to the repo are relevant.

Just tried installing a .rpm file and it popped up again


**New repository or package signing key received:**

  Repository:       Miscellaneous (openSUSE_Leap_42.2)                         
  Key Name:         home:lemmy04 OBS Project <home:lemmy04@build.opensuse.org>
  Key Fingerprint:  0C9C5AAD 63DD3FE6 15FCCE42 ECA8B1AC 0C549D96               
  Key Created:      Thu 06 Oct 2016 02:22:17 PM EEST                           
  Key Expires:      Sat 15 Dec 2018 01:22:17 PM EET                            
  Rpm Name:         gpg-pubkey-0c549d96-57f633e9                               


Do you want to reject the key, trust temporarily, or trust always? **[r/t/a/? shows all options] (r): **a


This looks weird… the same key downloaded and imported reads “Created 2014-11-22”, while expiry and fingerprint match those reported by zypper.
So a key seen by zypper as created on “Thu Oct 6 13:22:17 2016” looks indeed “new” if compared to what Seahorse (Gnome password and key manager) understands?

I don’t remember exactly, but IIRC the dates for the ownCloud key matched.

I disabled the Misc repo to see what happens now. Weird!

Maybe I can shed some light on the issue.
The binary for the lemmy repo key reads:


Version: **GnuPG v1.4.5** (GNU/Linux)

But gpg 2 currently on Leap 42.2 is:


bruno@LT_B:~> gpg2 --version
**gpg (GnuPG) 2.0.24**

so that the lemmy key is apparently read wrong, while the ownCloud key, whose binary reads “Version: GnuPG v2.0.15 (GNU/Linux)”, is** read correct**:


bruno@LT_B:~> gpg2 --list-sigs
/home/bruno/.gnupg/pubring.gpg
------------------------------
pub   2048R/0C549D96 **2014-11-22** [expires: 2018-12-15]
uid        unknown] home:lemmy04 OBS Project <home:lemmy04@build.opensuse.org>
sig 3        0C549D96 **2016-10-06**  home:lemmy04 OBS Project <home:lemmy04@build.opensuse.org>
sig 3        6B9D6523 **2014-11-22**  [User ID not found]

pub   2048R/557BEFF9 **2016-09-25** [expires: 2018-12-04]
uid        unknown] isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
sig 3        557BEFF9 **2016-09-25**  isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
sig 3        6B9D6523 **2016-09-25**  [User ID not found]

bruno@LT_B:~> 

Accordingly, Yast2-Software repositories reads:


Key: ECA8B1AC0C549D96
Name: home:lemmy04 OBS Project <home:lemmy04@build.opensuse.org>
Finger Print: 0C9C5AAD63DD3FE615FCCE42ECA8B1AC0C549D96
Created: **06/10/2016**
Expires: 15/12/2018

I’m not an expert, so I stop here, noting that apparently lemmy uses a key made with an older (incompatible?) version of gpg, while at the moment the ownCloud key seems OK.
As a workaround for the time being you might consider disabling gpg check for that repo, or even tuning your zypper config.

Quoting from the default zypp.conf on my system:

Signature checking (repodata and rpm packages)

boolean gpgcheck (default: on)

boolean repo_gpgcheck (default: unset -> according to gpgcheck)

boolean pkg_gpgcheck (default: unset -> according to gpgcheck)

If ‘gpgcheck’ is ‘on’ we will either check the signature of repo metadata

(packages are secured via checksum in the metadata), or the signature of

an rpm package to install if it’s repo metadata are not signed or not

checked.

The default behavior can be altered by explicitly setting ‘repo_gpgcheck’ and/or

‘pkg_gpgcheck’ to perform those checks always (if ‘on’) or never (if ‘off’).

Explicitly setting ‘gpgcheck’, ‘repo_gpgcheck’ ‘pkg_gpgcheck’ in a

repositories .repo file will overwrite the defaults here.

DISABLING GPG CHECKS IS NOT RECOMMENDED.

Signing data enables the recipient to verify that no modifications

occurred after the data were signed. Accepting data with no, wrong

or unknown signature can lead to a corrupted system and in extreme

cases even to a system compromise.

repo_gpgcheck = unset -> according to gpgcheck

pkg_gpgcheck = unset -> according to gpgcheck

I can confirm this on Tumbleweed with the repos home:winski and KDE:Extra.

Additionally, I tried to manually import the keys in Yast2 -> Software Repositories. After adding them, they’re listed in the GPG Keys section. But after refreshing, the keys are gone.