Lately I’ve been getting this error when I run zypper dup:
sudo zypper dup
Signature verification failed for file ‘repomd.xml’ from repository ‘Main Repository (NON-OSS)’.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
Warning: This file was modified after it has been signed. This may have been a malicious change,
so it might not be trustworthy anymore! You should not continue unless you know it's safe.
Is it safe to ignore this error? For what it’s worth, I’m using repos from https://mirrorcache-us. Does that make a difference?
As you are actually not showing your repolist…nobody can tell…
zypper lr -d
I just now did a zypper dup on my desktop … no probs with “non-oss” and all the other repos (resolving to mirrorcache):
Retrieving: http://download.opensuse.org/tumbleweed/repo/non-oss/repodata/repomd.xml ...[done (9.8 KiB/s)]
Key Fingerprint: AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4
Key Name: openSUSE Project Signing Key <firstname.lastname@example.org>
Key Algorithm: RSA 4096
Key Created: Mon Jun 20 09:03:14 2022
Key Expires: Fri Jun 19 09:03:14 2026
Rpm Name: gpg-pubkey-29b700a4-62b07e22
Retrieving: http://mirrorcache-us.opensuse.org/tumbleweed/repo/non-oss/repodata/811335e9 [done (160.1 KiB/s)]
Retrieving: http://mirrorcache-us.opensuse.org/tumbleweed/repo/non-oss/repodata/c197a80f [done (3.2 KiB/s)]
Retrieving repository 'openSUSE-Tumbleweed-Non-Oss' metadata ............................[done]
Thanks for checking. I waited a while and tried again without any errors. But that error seems to happen randomly, so I guess for safety I should abort and try again later.
Yes, you’ve got it. When that happens, just wait a while and then try again.