The file has been changed, either by accident or by an attacker,
since the repository creator signed it. Using it is a big risk
for the integrity and security of your system.
The title of the thread is the important bit…
Basically any application that interfaces with zypper on some level is reporting the repository signature verification is failing.
Signature check seems to work. Maybe you were unlucky to catch the moment repository was being updated.
bor@bor-Latitude-E5450:~/tmp$ LC_ALL=C gpg --no-default-keyring --home /tmp/kr ./repomd.xml.asc
gpg: WARNING: unsafe permissions on homedir '/tmp/kr'
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in './repomd.xml'
gpg: Signature made Wed Jul 21 01:42:04 2021 MSK
gpg: using DSA key F5113243C66B6EAE
gpg: Good signature from "NVIDIA Corporation <linux-bugs@nvidia.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9B76 3D49 D8A5 C892 FC17 8BAC F511 3243 C66B 6EAE
bor@bor-Latitude-E5450:~/tmp$
gpg: Good signature from "NVIDIA Corporation <linux-bugs@nvidia.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
It checks for the key, but it’s invalid.
From zypper
zypper up
Retrieving repository 'NVIDIA' metadata -------------------------------------------------------------------------------------------]
Signature verification failed for file 'repomd.xml' from repository 'NVIDIA'.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: This file was modified after it has been signed. This may have been a malicious change,
so it might not be trustworthy anymore! You should not continue unless you know it's safe.
Signature verification failed for file 'repomd.xml' from repository 'NVIDIA'. Continue? [yes/no] (no):
I thought I would share my findings on this matter as I received an email back from nVidia support on this issue.
It has since been resolved.
"The key has not changed recently, and if you previously had the GPG key
accepted on your system, then the same key should still be able to
verify the signatures of the current repository contents. What is
probably happening here is that the repository metadata and/or contents
are in an inconsistent state. Occasionally, when we publish updates to
the repositories, a subset of the files will fail to get updated on the
CDN, which then leaves the repositories in an unusable state.
We have a process to verify the consistency of the repositories after an
update, so that we can correct any issues as they occur; however, it
appears that more recently it has become possible for the contents to be
inconsistently updated on some of the CDN edge servers, but not others,
thereby unevenly affecting users who happen to fetch the repositories
from lucky/unlucky servers.
I am asking the relevant folks on the NVIDIA end to investigate this new
failure mode; in the meantime, I have re-submitted the most recent
repository update in the hopes that it will set things right on any CDN
nodes that are currently in a broken state."
Bottom line: do not blindly accept key variations when challenged.
Supply chain hacks are a thing now.
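The manual gpg check posted earlier in the thread and the closing advice about key variations, as an added example that is not code from the thread, from gpg or from zypper: a small Python checker that reads gpg's machine-readable `--status-fd` records and accepts a repomd.xml signature only when the primary key fingerprint matches a pinned value. The pinned fingerprint and key ID are the ones printed in the thread's gpg output; the status records in SAMPLES are constructed to mirror gpg's documented status format, not captured from a real run, and the second key in "other_key" is hypothetical. gpg_status() shows the real invocation but the demo itself runs offline.

```python
"""Pinned-key verification of a repository signature from gpg status output.

Added example; not code from the forum thread, from gpg, or from zypper.
PINNED_FPR and the key ID are the values printed in the thread's gpg
output. The status records in SAMPLES are constructed to mirror gpg's
documented --status-fd format (GOODSIG, VALIDSIG, BADSIG, ERRSIG,
NO_PUBKEY); they were not captured from a real run.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Fingerprint of the repo signing key as shown in the thread, spaces removed.
PINNED_FPR = "9B763D49D8A5C892FC178BACF5113243C66B6EAE"


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(status_text: str, pinned_fpr: str) -> Verdict:
    """Turn gpg '[GNUPG:] ...' records into an accept/reject decision.

    BADSIG             -> data changed after signing (zypper's warning case)
    ERRSIG / NO_PUBKEY -> cannot verify at all; never accept
    GOODSIG + VALIDSIG -> accept only if the primary key fingerprint equals
                          the pinned one; a good signature from a different
                          key is a key change and is rejected
    TRUST_* records and gpg's '[unknown]' marker are ignored on purpose:
    pinning the fingerprint replaces the web of trust for this decision.
    """
    good = False
    primary_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable chatter, not a status record
        tag = fields[1]
        if tag == "BADSIG":
            return Verdict(False, "bad signature: data was modified after signing")
        if tag == "ERRSIG":
            return Verdict(False, f"cannot check signature made by key {fields[2]}")
        if tag == "NO_PUBKEY":
            return Verdict(False, f"no public key for {fields[2]}")
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo>
            #          <hashalgo> <class> <primary-fpr>; the primary key
            #          fingerprint is field 11 when gpg emits it.
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if not (good and primary_fpr):
        return Verdict(False, "no usable signature status from gpg")
    if primary_fpr.upper() != pinned_fpr.upper():
        return Verdict(False, f"good signature, but from unexpected key {primary_fpr}", primary_fpr)
    return Verdict(True, "good signature from the pinned key", primary_fpr)


def gpg_status(keyring: str, sig_path: str, data_path: str) -> str:
    """Run gpg against an isolated keyring (as the thread's manual check did)
    with --status-fd so the result is machine-readable. Not called by the
    offline demo below; needs gpg installed and the repo key in `keyring`."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


NVIDIA_UID = "NVIDIA Corporation <linux-bugs@nvidia.com>"
OTHER_FPR = "0011223344556677889900AABBCCDDEEFF001122"  # hypothetical key
SAMPLES = {  # constructed status output for four outcomes
    "good": (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG F5113243C66B6EAE {NVIDIA_UID}\n"
        f"[GNUPG:] VALIDSIG {PINNED_FPR} 2021-07-20 1626820924 0 4 0 17 8 00 {PINNED_FPR}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
    ),
    "modified": (  # repomd.xml changed (e.g. half-updated on a CDN node) after signing
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] BADSIG F5113243C66B6EAE {NVIDIA_UID}\n"
    ),
    "no_key": (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] ERRSIG F5113243C66B6EAE 17 8 00 1626820924 9 {PINNED_FPR}\n"
        "[GNUPG:] NO_PUBKEY F5113243C66B6EAE\n"
    ),
    "other_key": (  # cryptographically valid, but not the key anyone pinned
        "[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {OTHER_FPR} 2021-07-20 1626820924 0 4 0 1 8 00 {OTHER_FPR}\n"
    ),
}

if __name__ == "__main__":
    for name, status in SAMPLES.items():
        v = parse_status(status, PINNED_FPR)
        print(f"{name:10s} {'ACCEPT' if v.ok else 'REJECT'}  {v.reason}")
```

The point of pinning: gpg's "[unknown]" and "This key is not certified with a trusted signature!" say nothing about the signature itself, only that the key is not in your web of trust, so a checker that keys its decision on that marker gets the "good signature" case wrong. Conversely, zypper's "modified after it has been signed" corresponds to BADSIG, and a good signature from a key whose fingerprint you did not pin is the "key variation" case that should be rejected rather than clicked through.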