Network / Signal signing keys

English Applications
1

Tl;Dr: Some dependencies of signal-desktop are signed using a key(17280ddf-669a9f64) that I could not find.
Is this a bug?

The current signing key for Network/Signal is

69a77d9a-68512177
426a a6b0 285c 2096 b70d 9fc2 5284 23a4 69a7 7d9a
https://build.opensuse.org/projects/network:im:signal/signing_keys

e.g.

rpm -Kv /var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/signal-desktop-7.58.0-1.1.x86_64.rpm 
/var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/signal-desktop-7.58.0-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 69a77d9a: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 69a77d9a: OK
    MD5 digest: OK

However, some dependencies are signed using a different (the previous?) key, including

  • libsignal
  • nodejs-electron
  • signal-sqlcipher
Signal
0080 689B E757 A876 CB7D C269 62EB 1A09 1728 0DDF
network OBS Project <network@build.opensuse.org>
RSA 2048
Fr 19 Jul 2024 19:16:20 CEST
So 27 Sep 2026 19:16:20 CEST
gpg-pubkey-17280ddf-669a9f64

rpm -Kv /var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/libsignal-0.72.1-1.1.x86_64.rpm
/var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/libsignal-0.72.1-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    MD5 digest: OK

rpm -Kv /var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/nodejs-electron-35.5.1-1.1.x86_64.rpm 
/var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/nodejs-electron-35.5.1-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    MD5 digest: OK

/var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/signal-sqlcipher-2.0.3-1.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 17280ddf: NOKEY
    MD5 digest: OK
2

Welcome to the openSUSE forums.

You tagged this thread as “other” when asked for the oprnSUSE version you use. That makes us the more curious which one you use!

3

Your package selection is inconsistent, contains outdated package versions and even no longer available packages.

signal-desktop-7.58.0-1.1 is available in the network repo
libsignal-0.72.1-1.1 is outdated and not available anymore in the network repo
nodejs-electron-35.5.1-1.1 is not available at all in the network repo
signal-sqlcipher-2.0.3-1.1 is outdated and not available anymore in the network repo

So you either have old packages in zypp cache or your repos are not setup properly.

If you download the actual package versions from the repo, all packages have the latest Key ID 69a77d9a

https://download.opensuse.org/repositories/network:/im:/signal/openSUSE_Tumbleweed/x86_64/

4

Hi,

i am using Fedora (actually: Nobara). In the Fedora 42 folder, libsignal 0.72.1-1.1 is still current:

https://download.opensuse.org/repositories/network:/im:/signal/Fedora_42/x86_64/

image
image1121Ă—403 46.2 KB

5

The package selection has over half month difference between build dates. So it is possible, that old packages use an old key ID but new builds use a new key when the old one expired.

6

so - what is the takeaway? Is https://download.opensuse.org/repositories/network:/im:/signal/Fedora_42/ deprecated? Are parts of the packages not build by accident?

Install package network:im:signal / signal-desktop links to download.opensuse.org/repositories/network:/im:/signal/Fedora_42/ therefore i assumed it was the way to go.

7

I have a problem with „libsignal-0.72.1-1.1.x86_64“ as well. Public key not installed. I was following
dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/network:im:signal/Fedora_42/network:im:signal.repo
dnf install signal-desktop
Anyone knows how I get this running?

OpenPGP-Prüfung für Paket „libsignal-0.72.1-1.1.x86_64“ (/var/cache/libdnf5/network_im_signal-ee3cd49d659d2827/packages/libsignal-0.72.1-1.1.x86_64.rpm) aus Repository „network_im_signal“ ist fehlgeschlagen: Öffentlicher Schlüssel ist nicht installiert.

8

You are using Nobara Linux. As this is the openSUSE forum and openSUSE uses zypper by default (instead of DNF), your questions may be better served at the Nobara/Fedora forum.

But in general you can overcome such issues temporarily by disabling the gpg check for DNF via:
sudo dnf --nogpgcheck install <packagenamehere>

1 Like
9

I am using Fedora 42 not Nobara
and Install package network:im:signal / signal-desktop
is showing Fedora install commands

Many thanks for the command, it worked.