It says the keys are invailid and may have been signed by an attacker. Has anyone got this for the latest update? Here is the error output:
Retrieving repository ‘google-chrome’ metadata -------------------------------------------] Signature verification failed for file ‘repomd.xml’ from repository ‘google-chrome’. Warning: This might be caused by a malicious change in the file!
**Continuing might be risky. Continue anyway? [yes/no] (no): **no
Retrieving repository ‘google-chrome’ metadata …[error]
Repository ‘google-chrome’ is invalid.
[google-chrome|http://dl.google.com/linux/chrome/rpm/stable/x86_64] Valid metadata not found
at specified URL
Please check if the URIs defined for this repository are pointing to a valid repository.
Warning: Skipping repository ‘google-chrome’ because of the above error.
Some of the repositories have not been refreshed because of an error.
Loading repository data…
Reading installed packages…
‘google-chrome-stable = 0:50.0.2661.86-1’ is already installed.
No update candidate for ‘google-chrome-stable-50.0.2661.86-1.x86_64’. The highest available v
ersion is already installed.
Resolving package dependencies…
This is for an update that is available after 50.0.2662.86
My software updater originally gave me a warning that an update is available but was unable to authenticate the signature
I just ran zypper update, did ‘Continue anyway’ and got “google-chrome-stable-50.0.2661.94-1.x86_64” as a version, which is an update.
I hope this version fixes the issue of when I try to open links from Thunderbird - it crashes Chrome, then opens the link, and I get a popup to ‘Restore lost pages’ or some such. Is anyone else getting that?
Update: Someone has linked this to a Chromium bug related to the deprecation of SHA1. If that’s a valid association, that means the problem has been ongoing for a month and a half. Don’t expect a speedy resolution.
In the mean time, I guess we’re stuck with downloading and updating our Chrome installs manually.
I guess I’m not being paranoid after all. What’s the use of having certificate validation if they are not coming up as valid. In this day and age of security threats, I am waiting also. I realize there is an update waiting, but to me it makes no sense to install the update if it has even a possibility of having a man in the middle. I rather run my browser in an older version than install one that has been (potentially) hacked. It not only breaths danger into my rig but I could also potentially spread what ever could potentially be bad. To me that is not linuxing responsibly.
I’m going to just keep this thread open until I get a response from google. They preach security , security, security, and they screw the pooch on their certificates. I guess they think everyone runs windows and don’t know enough to check validity of fingerprints on certs…