Signature verification failed when running zypper refresh

English Install/Boot/Login
1

When I run zypper refresh, zypper keeps saying “Signature verification failed for file ‘repomd.xml’ from repository” in both openSUSE 15.4 Windows Subsystem for Linux and in an openSUSE 15.4 VirtualBox VM. This problem started on August 17th, 2022.

I’ve tried:
* resetting WSL and reinstalling it, neither of those actions helped.
* also tried rm -rf /var/cache/zypp as suggested at the following link which doesn’t help either.
https://stackoverflow.com/questions/69170447/signature-verification-for-repository-hardware-failed-and-update-error-repositor
* Another step I tried was rpm -e gpg-pubkey-307e3d54-5aaa90a5 gpg-pubkey-3dbdc284-53674dd4 gpg-pubkey-39db7c82-5f68629b gpg-pubkey-65176565-61a0ee8f and then zypper refresh but after accepting the gpg key I get the same “signature verification failed” error.
* Rebooting Windows also doesn’t fix the signature verification failed error.
* Toggling WSL in “Turn Windows Features on or off”

  • Downloading newer versions of the gpg2, libgpgme11 and libgpg-error0 libraries from software.opensuse.org and manually installing with rpm -U.

Two days ago an update for Windows Defender was installed KB2267602 (Version 1.373.627.0)

Versions (WSL):
openSUSE 15.4
zypper 1.14.52 (1.14.53 after messing around in /var/cache/zypp and then updating)
libzypp 17.30.2
gpg 2.2.27
libgcrypt 1.9.4-unknown
uname -a: Linux MSI 4.4.0-19041-Microsoft #1237-Microsoft Sat Sep 11 14:32:00 PST 2021 x86_64 x86_64 x86_64 GNU/Linux
Windows Subsystem for Linux 1.
Windows 10 21H2 (OS Build 19044.1889)

Versions (VB):
VirtualBox 6.1.34 r150636 (Qt 5.6.2)
zypper 1.14.52
libzypp 17.30.0
gpg 2.2.27
libgcrypt 1.9.4-unknown
virtualbox-guest-tools 6.1.32
virtualbox-guest-x11 6.1.32
virtualbox-kmp-default 6.1.32
uname -a Linux localhost.localdomain 5.14.21-150400.22-default #1 SMP PREEMPT_DYNAMIC Wed May 11 06:57:18 UTC 2022 (49db222) x86_64 x86_64 x86_64 GNU/Linux

The affected repositories are:
“Update repository of openSUSE Backports”
“Non-OSS Repository”
“Main Repository”
“Update repository with updates from SUSE Linux Enterprise 15”
“Main Update Repository”
“Update Repository (Non-Oss)”

Here is the error I get from zypper refresh:


Retrieving repository 'Update repository of openSUSE Backports' metadata ..
Signature verification failed for file 'repomd.xml' from repository 'Update repository of openSUSE Backports'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: This file was modified after it has been signed. This may have been a malicious change,
    so it might not be trustworthy anymore! You should not continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'Update repository of openSUSE Backports'. Continue? [yes/no] (no):

If I answer Yes, I see the following message:


Error building the cache: 
[repo-backports-update|http://download.opensuse.org/update/leap/15.4/backports/] Failed to cache repo (1).
History: 
 - 'repo2solv' '-o' '/var/cache/zypp/solv/repo-backports-update/solv' '-X' '/var/cache/zypp/raw/repo-backports-update'
   /var/cache/zypp/raw/repo-backports-update/repodata/repomd.xml: repo_repomdxml: Document is empty
    at line 1:1
   Command exited with status 1.

Skipping repository 'Update repository of openSUSE Backports' because of the above error.

I’ve checked in /var/cache/zypp and the file isn’t empty. It is actually a gzipped file. If I run the commands

mv repomd.xml{,.gz};gunzip repomd.xml.gz

in the /var/cache/zypp/raw/repo-backports-update/repodata/ folder, and then do the same for the other repo-foo/repodata folders in /var/cache/zypp/raw, then I can successfully do a

zypper --no-refresh up

and can update some packages.

zypper lr -d:


#  | Alias                       | Name                                                                                        | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                     | Service
---+-----------------------------+---------------------------------------------------------------------------------------------+---------+-----------+---------+----------+--------+-------------------------------------------------------------------------+--------
 1 | repo-backports-debug-update | Update repository with updates for openSUSE Leap debuginfo packages from openSUSE Backports | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/update/leap/15.4/backports_debug/          | 
 2 | repo-backports-update       | Update repository of openSUSE Backports                                                     | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/15.4/backports/                | 
 3 | repo-debug                  | Debug Repository                                                                            | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/15.4/repo/oss/     | 
 4 | repo-debug-non-oss          | Debug Repository (Non-OSS)                                                                  | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/distribution/leap/15.4/repo/non-oss/ | 
 5 | repo-debug-update           | Update Repository (Debug)                                                                   | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/update/leap/15.4/oss/                | 
 6 | repo-debug-update-non-oss   | Update Repository (Debug, Non-OSS)                                                          | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/update/leap/15.4/non-oss/            | 
 7 | repo-non-oss                | Non-OSS Repository                                                                          | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/15.4/repo/non-oss/       | 
 8 | repo-oss                    | Main Repository                                                                             | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/15.4/repo/oss/           | 
 9 | repo-sle-debug-update       | Update repository with debuginfo for updates from SUSE Linux Enterprise 15                  | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/update/leap/15.4/sle/                | 
10 | repo-sle-update             | Update repository with updates from SUSE Linux Enterprise 15                                | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/15.4/sle/                      | 
11 | repo-source                 | Source Repository                                                                           | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/source/distribution/leap/15.4/repo/oss/    | 
12 | repo-update                 | Main Update Repository                                                                      | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/15.4/oss/                      | 
13 | repo-update-non-oss         | Update Repository (Non-Oss)                                                                 | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/15.4/non-oss/                  |

zypper.log.gz.base64
Strace of zypper refresh

2

This can happen when you’re being redirected to a mirror that is out of sync. It may help to edit the offending repo file, changing download.opensuse.org to mirrorcache.opensuse.org. If that doesn’t help, goto mirrors.opensuse.org, find a specific mirror near you, and change the URI to it instead. Keep trying different mirrors if necessary until the failure ceases. If you can determine which mirror(s) is/are causing this, you can report via email to admin@opensuse.org.

3

Thanks, changing download.opensuse.org to mirrorcache.opensuse.org in my enabled repositories did the trick. I can refresh and update just fine now. :slight_smile: However, I have another problem, yast2 crashes on exit after editing the repo urls in Software Repositories, using the ncurses interface.

Mirrorcache doesn’t seem to have the update (debug non-oss) repository; yast gives me the error

Unable to create repository from URL 'http://mirrorcache.opensuse.org/debug/update/leap/$releasever/non-oss/' Change the URL and try again?

After editing the repository urls in YaST2, it dumps core when I exit yast:


> sudo /sbin/yast2
[sudo] password for root:  
/sbin/yast: line 468:  6844 Aborted                 (core dumped) $ybindir/y2start $module "$@" "$SELECTED_GUI" $Y2_GEOMETRY $Y2UI_ARGS

I tried gdb on /sbin/yast2 but apparently it’s a shell script. Also line 468 is just fi and the y2start command is actually on line 455.

Yast2 is version: yast2-4.4.47-150400.1.7.x86_64
Ruby version: ruby 2.5.9p229 (2021-04-05 revision 67939) [x86_64-linux-gnu]

To reproduce:

  1. sudo /sbin/yast2
  2. software repositories
  3. Edit main repository
  4. Edit parts of URL
  5. Change download.opensuse.org to mirrorcache.opensuse.org or vice versa
  6. OK (wait for autorefresh)
  7. Answer no at the GPG check failed prompt
  8. Edit the Main Repository URL again changing back to original server name in step 5
  9. OK (wait for autorefresh)
  10. OK again to exit
  11. Quit
4

Here’s the YaST2 logs:
https://pastebin.com/VtGnkTAs yast2 y2log
https://pastebin.com/PjR6fBt3 YaST2 y2start.log

I was going to edit my previous post to include these logs, but it has been more than 10 minutes, so I can’t edit it.

To decode the logs from pastebin which are in base64:

  1. Click the small download link above the pastebin textbox
  2. Run
base64 -di file.gz.base64 | gunzip -c > file.txt

replacing the file.gz.base64 part with the file you downloaded.

5

New problem needs new thread, appropriately titled to attract interest of possible responders.

As directed in comment #2, try a specific mirror if mirrorcache.opensuse.org also fails. Mirrorcache could be sending you to the same place failing using download.opensuse.org.

All my repo maintence is done via text editor. Each .repo file in /etc/zypp/repos.d/ can be directly edited to change the URI. You probably have no need of the debug repo. Changing its filename’s suffix to anything other than .repo will disable it, as will editing its content to include enabled=0 instead of =1, which is what YaST would do to disable it.