For a few days i get a “signature verification failed” error for the microsoft teams repository. I checked the url: https://packages.microsoft.com/yumrepos/ms-teams/ and everything seemed fine. But the error is annoying. Is there a way to trust the signature again? I tried
How do you remove the signature? That link goes to a German language page general description of how to install microsoft’s key and repository, but doesn’t say anything about how to actually remove the signature.
I tried to identify where the signature file is by checking the specific rpm that I have installed from that repository, but I could not figure it out. Here is what I did:
> rpm -qa | grep teams
**teams**-1.5.00.10453-1.x86_64
**teams**-insiders-1.5.00.23861-1.x86_64
> rpm -K --nosignature teams-1.5.00.10453-1.x86_64
error: teams-1.5.00.10453-1.x86_64: open failed: No such file or directory
I could not find where to delete the key for the repository and install it again. So I tried to unintall the repository and install it again, and I still get the same “signature verification failed” error as the OP.
Unfortunately, after deleting microsoft’s rpm key and then re-installing it, the “signature verification failed” error is still there. I guess we will have to wait to see what the bug is from microsoft, and since they are not open-source, who knows how long it will take.
bor@bor-Latitude-E5450:~/tmp$ curl -LO https://packages.microsoft.com/yumrepos/ms-teams/repodata/repomd.xml
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3085 100 3085 0 0 7894 0 --:--:-- --:--:-- --:--:-- 7910
bor@bor-Latitude-E5450:~/tmp$ curl -LO https://packages.microsoft.com/yumrepos/ms-teams/repodata/repomd.xml.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 492 100 492 0 0 1418 0 --:--:-- --:--:-- --:--:-- 1421
bor@bor-Latitude-E5450:~/tmp$ mkdir gpg
bor@bor-Latitude-E5450:~/tmp$ LC_ALL=C gpg --homedir $PWD/gpg --keyserver hkps://keyserver.ubuntu.com/ --receive-keys EB3E94ADBE1229CF
gpg: WARNING: unsafe permissions on homedir '/home/bor/tmp/gpg'
gpg: keybox '/home/bor/tmp/gpg/pubring.kbx' created
gpg: /home/bor/tmp/gpg/trustdb.gpg: trustdb created
gpg: key EB3E94ADBE1229CF: public key "Microsoft (Release signing) <gpgsecurity@microsoft.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
bor@bor-Latitude-E5450:~/tmp$ LC_ALL=C gpg --homedir $PWD/gpg repomd.xml.asc
gpg: WARNING: unsafe permissions on homedir '/home/bor/tmp/gpg'
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Mon Sep 19 14:43:14 2022 MSK
gpg: using RSA key EB3E94ADBE1229CF
gpg: **BAD signature from "Microsoft (Release signing) <gpgsecurity@microsoft.com>"** [unknown]
bor@bor-Latitude-E5450:~/tmp$
We had this topic already several times here in the forum with the Google Chrome repo where it helped to remove the gpg-pubkey and re-add it. This can help when the key was exchanged upstream but your local copy is still an old one.
It is possible that this is not the case here.