More weird problems with repo signatures

Today I had a weird message from zypper. Note that this is the “sane” system with respect to the problems I explained in this thread.
I was working with packages (to fix a problem in LibreOffice 6) when zypper told me one of my repos was in need of a refresh.

So I issued a “sudo zypper ref” and got this (Italian, sorry):

cristiano@xmper8q3 ~]$ sudo zypper ref 
Il repository 'Insync' è aggiornato. 
Recupero dei metadati del repository 'Visual Studio Code' -----------------------------------------------------------------------------------------------------------------------------\] 
Verifica della firma errata per il file 'repomd.xml' dal repository 'Visual Studio Code'. 


   Nota: La firma dei dati consente al ricevente di verificare che non siano occorse modifiche 
   successivamente al momento della firma. L'accettazione di dati senza firma oppure con firma 
   errata o sconosciuta può comportare la corruzione del sistema e in casi estremi può anche 
   comprometterlo. 


   Nota: Il file 'repomd.xml' è il file di indice mastro dei repository. Assicura l'integrità 
   dell'intero repository. 


   Avvertenza: Questo file è stato modificato dopo essere stato firmato. Potrebbe trattarsi di una 
   modifica malevola, pertanto potrebbe non essere più attendibile. È sconsigliato continuare a 
   meno che non si sia certi che ciò sia sicuro. 


Verifica della firma errata per il file 'repomd.xml' dal repository 'Visual Studio Code'. Continuare? [sì/no] (no): 
Recupero dei metadati del repository 'Visual Studio Code' ........................................................................................................................[errore] 
Il repository 'Visual Studio Code' non è valido. 
[code|https://packages.microsoft.com/yumrepos/vscode] Non sono stati trovati metadati validi all'URL specificato 
Verificare che gli URI definiti per questo repository puntino a un repository valido. 
Esclusione del repository 'Visual Studio Code' a causa dell'errore precedente. 
Il repository 'home:colomboem' è aggiornato. 
Il repository 'packman' è aggiornato. 
Il repository 'repo-debug' è aggiornato. 
Il repository 'repo-non-oss' è aggiornato. 
Il repository 'repo-oss' è aggiornato. 
Il repository 'repo-update' è aggiornato. 
Il repository 'snappy' è aggiornato. 
Il repository 'Sublime Text - x86_64 - Stable' è aggiornato. 
Il repository 'telred-opensuse-42.2' è aggiornato. 
Il repository 'vivaldi-beta' è aggiornato. 
Alcuni repository non sono stati aggiornati a causa di un errore.

More or less it says that the signature for the “Visual Studio Code” repo does not verify correctly, so that repo file could have been tampered with.

So I thought about getting the same message in English to post it in this forum. But when I issued “LANG=C sudo zypper ref” I did not get the error:

cristiano@xmper8q3 ~]$ LANG=C sudo zypper ref 
Repository 'Insync' is up to date. 
Repository 'Visual Studio Code' is up to date. 
Repository 'home:colomboem' is up to date. 
Repository 'packman' is up to date. 
Repository 'repo-debug' is up to date. 
Repository 'repo-non-oss' is up to date. 
Repository 'repo-oss' is up to date. 
Repository 'repo-update' is up to date.                      
Repository 'snappy' is up to date.                   
Repository 'Sublime Text - x86_64 - Stable' is up to date. 
Repository 'telred-opensuse-42.2' is up to date. 
Repository 'vivaldi-beta' is up to date. 
All repositories have been refreshed.

I issued it another time just to be sure: no error at all (and zypper did not even say that the “Visual Studio Code” repo was in need of a refresh).

So I issued it another time without the LANG=C env var, and the error was back!!

I am really puzzled. How can it be that zypper behaves differently based on the locale?

Please help…
Cris
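The zypper note quoted in the post above calls repomd.xml the master index that ensures the integrity of the whole repository: the index carries a checksum for every other metadata file, so one signature over it covers them all. The following is an added example, not part of the original thread and not zypper's own code, that checks files against such an index; the sample repomd.xml and file contents are constructed, and the GPG check of repomd.xml itself (the step that failed in the thread) is not reproduced.

```python
import hashlib
import xml.etree.ElementTree as ET

# XML namespace used by rpm-md repomd.xml files
NS = {"r": "http://linux.duke.edu/metadata/repo"}


def build_sample():
    """Constructed sample: two metadata files plus a repomd.xml indexing them."""
    files = {
        "repodata/primary.xml": b"<metadata packages='1'/>",
        "repodata/filelists.xml": b"<filelists packages='1'/>",
    }
    entries = ""
    for href, body in files.items():
        digest = hashlib.sha256(body).hexdigest()
        entries += ('<data><checksum type="sha256">%s</checksum>'
                    '<location href="%s"/></data>' % (digest, href))
    repomd = '<repomd xmlns="%s">%s</repomd>' % (NS["r"], entries)
    return repomd, files


def check_repomd(repomd_xml, fetch):
    """Return {href: status} for every file listed in repomd.xml.

    fetch(href) returns the file's bytes, or None when it cannot be found.
    This only ties the files to the index; the index is trustworthy only
    if its detached signature verified first.
    """
    results = {}
    for data in ET.fromstring(repomd_xml).findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        checksum = data.find("r:checksum", NS)
        algo, expected = checksum.get("type"), checksum.text.strip().lower()
        body = fetch(href)
        if body is None:
            results[href] = "missing"
        elif algo not in ("sha256", "sha512"):
            results[href] = "unsupported checksum: " + algo
        elif hashlib.new(algo, body).hexdigest() == expected:
            results[href] = "ok"
        else:
            results[href] = "MISMATCH"
    return results


if __name__ == "__main__":
    repomd, files = build_sample()
    print(check_repomd(repomd, files.get))
    files["repodata/primary.xml"] += b" "  # simulate a change after indexing
    print(check_repomd(repomd, files.get))
```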

Forgot to add the list of my repos:

cristiano@xmper8q3 ~]$ LANG=C zypper lr -d
Repository priorities in effect:                                                                                                                          (See 'zypper lr -P' for details)
      98 (raised priority)  :  1 repository
      99 (default priority) : 10 repositories
     100 (lowered priority) :  1 repository

#  | Alias                | Name                           | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                            | Service
---+----------------------+--------------------------------+---------+-----------+---------+----------+--------+--------------------------------------------------------------------------------+--------
 1 | Insync               | Insync                         | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://yum.insynchq.com/fedora/25/                                             |
 2 | code                 | Visual Studio Code             | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | https://packages.microsoft.com/yumrepos/vscode                                 |
 3 | dukto                | home:colomboem                 | Yes     | (r ) Yes  | Yes     |  100     | rpm-md | http://download.opensuse.org/repositories/home:/colomboem/openSUSE_Tumbleweed/ |
 4 | packman              | packman                        | Yes     | (r ) Yes  | Yes     |   98     | rpm-md | http://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/            |
 5 | repo-debug           | repo-debug                     | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/debug                             |
 6 | repo-non-oss         | repo-non-oss                   | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/non-oss                           |
 7 | repo-oss             | repo-oss                       | Yes     | (r ) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/oss                               |
 8 | repo-update          | repo-update                    | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/tumbleweed/                                |
 9 | snappy               | snappy                         | Yes     | (r ) Yes  | No      |   99     | rpm-md | http://download.opensuse.org/repositories/system:/snappy/openSUSE_Tumbleweed/  |
10 | sublime-text         | Sublime Text - x86_64 - Stable | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | https://download.sublimetext.com/rpm/stable/x86_64                             |
11 | telred-opensuse-42.2 | telred-opensuse-42.2           | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | https://tel.red/repos/opensuse/42.2/                                           |
12 | vivaldi-beta         | vivaldi-beta                   | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://repo.vivaldi.com/snapshot/rpm/x86_64/                                   |

Cris

…a couple hours later: zypper does not want me to refresh the “Visual Studio Code” repo anymore :o:O:sarcastic:

Oh my, what a mess! :frowning:

Cris

That’s a 3rd-party repo. Any issues with that repo should be reported to Microsoft; only Microsoft can fix it. There is nothing openSUSE can do about it.

Hi I_A!

Yes, you’re right: it’s a third party repo. But to me this is not normal behaviour. Would you expect zypper to behave this way with whatever repository?

Cris

Sure, if the signage is wrong it is wrong; you should be told. Could be a cert simply was too old, or the rpm was new and the cert had yet to be updated. This is MS, you know :open_mouth:

According to Google Translate, the PGP keyfile in https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml has been altered since the repo was created.
The simplest fix would be to remove and then re-add that repo; then the stored key would be the same as the repo key.
I suspect the Visual Studio Code rpm automatically adds the repo during install, so remove the repo and reinstall Visual Studio Code:

zypper rr 2
zypper in -f https://packages.microsoft.com/yumrepos/vscode/code-1.19.3-1516876593.el7.x86_64.rpm

If that doesn’t re-add the repo, you can add it manually:

zypper ar -f -n 'Visual Studio Code' https://packages.microsoft.com/yumrepos/vscode code

Or just ignore the error and wait for MS to fix it. This is normal behavior for zypper; I’d suggest ignoring the error and waiting for MS to fix it.
I remember I had similar issues with the Microsoft Skype repo but they got around to fixing

Hi I_A and gogalthorp!

I suppose my initial message was not clear enough… I’m not so good at explaining things.

The problem is not that the repo signage was wrong… it can happen, when a repo maintainer changes the key or he manages to **** up the repo somehow.

But if you look at my initial message, you’ll see that zypper was telling me that there was a problem in that repo only when I was launching it normally. When I was launching it with the LANG=C environment variable, it did not tell me anything, as if the repo was perfectly fine!

I repeated the experiment a couple of times, switching between the two command lines, to verify the behavior: it would always behave as outlined above! It does not seem normal to me.

Then, after a while, without messing with zypper or the repository configuration, zypper stopped complaining! This, too, does not seem normal, but could be justified by the fact that the repo maintainer fixed up the repo signage. But what about the inconsistent behavior that zypper showed previously?

Cris

Bug report?

Hi deano!

Thank you deano, I just wanted to know if anybody else found it strange or if it was just me, before filing a bug.
I’ll wait to see if I can reproduce it next time I have a signing problem, then I’ll file a bug report.

Cris