Repository signature required

Today, shortly after booting my OpenSUSE 11.3 I got this popup.

http://img259.imageshack.us/img259/9658/reposignature.png

I guess it was caused by the Updater Applet when checking the repos for new updates.
But what does it mean? Why do I get this now and not when adding the repo? It seems to belong to the filesystems repo and I have indeed added that some time ago (in order to install davfs2).

I’m not sure what it means to accept a signature.

Normally with public key infrastructure, you need to accept others’ public keys or certificates containing their public keys. And before doing so you need to verify the fingerprint, otherwise the whole procedure is useless, because it might be a fake certificate / man in the middle talking to you.

Once you have accepted (trusted) the public key (or a certificate containing it), the system will check signatures for you. So the question “do you want to accept this signature” sounds weird to me.

In openSUSE repos I have come across fingerprints many times before. But whenever I have searched Google in order to verify the fingerprint I have not received any useful hit. I would have expected that valid keys and their fingerprints are listed on some web site.

A related question has been asked in

but there has not been any answer.

Go to YaST -> Software Repositories and check if the repository exists; if not, choose yes and continue.

Yes, I have looked at it and not seen anything special with the filesystem repo.

How do I check whether it exists? I have installed davfs2 from there recently, so I’m quite positive that the repo exists. And if it asks me about a signature today, the reason is probably not that the repo would have been deleted.

Well you go here http://file:///home/stamos/στιγμιότυπο5.png

and you see if this repository exists.

On the panel showing the installed repositories, you see if it exists.

I mean this panel http://opensuse-guide.org/images/screenshots/yast-repos.png

You may be required to accept a key when adding a new repo; after all, your OS does not know the key yet. Also, sometimes the keys change (they have limited lifetimes), so you will need to accept the new key.

I think that might actually explain why I got the prompt many days after I had added the repo. The first time there was a warning the key had expired, and the key displayed had actually expired several months before. (At least I got such a warning with some repo I added recently. Can’t swear 100% it was this one, but very likely)

So either the key has now been replaced with a valid one, which I need to accept for the first time, or trust for expired ones is not stored forever (I may have actually made the choice this time only, don’t remember the details now.)

This answers the question why some acceptance was required when the updater applet ran, many days after the repo was first added and already used for installation.

The questions from my original post remain:

  • What does it mean to “accept a signature” as displayed in the prompt? There is no such action according to my understanding of public key cryptography. Just a poorly worded UI dialog or something I don’t understand?
  • From what source do I check whether fingerprints of OpenSUSE repo signing keys are correct?
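
The point raised in the thread, that accepting a key only means something once its fingerprint has been compared with a copy obtained through another channel, can be shown in code. The following is an added example and not part of any post: it derives an OpenPGP version 4 fingerprint as RFC 4880 defines it and accepts a key only on a full match. The key material, timestamp and function names are constructed for illustration and are not real openSUSE keys.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (version, time, algorithm 1, n, e)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the packet body (RFC 4880, 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(fp: str) -> str:
    """Drop spaces, colons and an optional 0x prefix so printed formats compare equal."""
    fp = fp.strip().upper()
    if fp.startswith("0X"):
        fp = fp[2:]
    return "".join(c for c in fp if c in "0123456789ABCDEF")


def key_matches(body: bytes, trusted_fp: str) -> bool:
    """Accept only a full 40-hex-digit match, never a short key ID."""
    expected = normalize(trusted_fp)
    return len(expected) == 40 and v4_fingerprint(body) == expected


# Constructed toy key material (far too small for real use).
CREATED = 1262304000
GENUINE_N = (2**127 - 1) * (2**89 - 1)
IMPOSTOR_N = (2**107 - 1) * (2**61 - 1)
genuine = rsa_public_key_body(CREATED, GENUINE_N, 65537)
impostor = rsa_public_key_body(CREATED, IMPOSTOR_N, 65537)

# Stand-in for a fingerprint obtained out of band, grouped the way tools print it.
published = " ".join(v4_fingerprint(genuine)[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    print("genuine key accepted: ", key_matches(genuine, published))
    print("impostor key accepted:", key_matches(impostor, published))
    print("short key ID accepted:", key_matches(genuine, published[-9:]))
```

Because the fingerprint is a hash of the key material itself, a substituted key cannot show the same value, which is why the comparison has to be against a copy that did not arrive over the same connection as the key.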