Signature verification for repo nightmares

The issue in the subject has been driving me nuts for more than 2 years now, and with different repositories.
It started with Chrome, now it’s with repos from build service as well.

All in all, in KDE’s “Software Updates” applet, I see “Signature verification for repo …” for some of my configured repositories.
In the CLI, everything is OK. The GPG keys of the repositories were imported with

rpm --import <gpg_key>

From the CLI, there are no complaints about GPG keys. However, in the “Software Updates” applet, I do see this.

zypper ref

Repository 'Main Repository (NON-OSS)' is up to date.                                                                                                                                              
Repository 'Update Repository (Non-Oss)' is up to date.                                                                                                                                            
Repository 'Main Repository (OSS)' is up to date.                                                                                                                                                  
Repository 'Main Update Repository' is up to date.                                                                                                                                                 
Repository 'Packman Repository' is up to date.                                                                                                                                                     
Repository 'openSUSE-Leap-15.2-Update' is up to date.                                                                                                                                              
Repository 'Various software for easier management of multiple systems (openSUSE_Leap_15.2)' is up to date.                                                                                        
All repositories have been refreshed.

(The repository with the issue is the last one)

zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

#  | Alias                           | Name                                                                            | Enabled | GPG Check | Refresh
 1 | MKVToolNix                      | MKVToolNix                                                                      | No      | ----      | ----
 2 | Subpixel_-_bran0k               | Subpixel - GLDickens                                                            | No      | ----      | ----
 3 | Subpixel_-_namtrac              | Subpixel - namtrac                                                              | No      | ----      | ----
 4 |   | Main Repository (NON-OSS)                                                       | Yes     | (r ) Yes  | Yes
 5 | | Update Repository (Non-Oss)                                                     | Yes     | (r ) Yes  | Yes
 6 |       | Main Repository (OSS)                                                           | Yes     | (r ) Yes  | Yes
 7 |     | Main Update Repository                                                          | Yes     | (r ) Yes  | Yes
 8 | google-chrome                   | google-chrome                                                                   | No      | ----      | ----
 9 | mozilla                         | Mozilla based projects (openSUSE_Leap_15.2)                                     | No      | ----      | ----
10 |       | Libdvdcss Repository                                                            | No      | ----      | ----
11 |           | Packman Repository                                                              | Yes     | (r ) Yes  | Yes
12 | repo-debug                      | openSUSE-Leap-15.2-Debug                                                        | No      | ----      | ----
13 | repo-debug-non-oss              | openSUSE-Leap-15.2-Debug-Non-Oss                                                | No      | ----      | ----
14 | repo-debug-update               | openSUSE-Leap-15.2-Update-Debug                                                 | No      | ----      | ----
15 | repo-debug-update-non-oss       | openSUSE-Leap-15.2-Update-Debug-Non-Oss                                         | No      | ----      | ----
16 | repo-source                     | openSUSE-Leap-15.2-Source                                                       | No      | ----      | ----
17 | repo-update                     | openSUSE-Leap-15.2-Update                                                       | Yes     | (r ) Yes  | Yes
18 | skype-stable                    | skype (stable)                                                                  | No      | ----      | ----
19 | systemsmanagement               | Various software for easier management of multiple systems (openSUSE_Leap_15.2) | Yes     | (r ) Yes  | No

I have disabled the repo, disabled the applet, logged out and then logged in again, enabled the repository, enabled the applet. Still the same issue.

From Yast, I can see that the GPG key for the repo is the correct one, it’s not expired etc.

OK, can I fix this mess?

What Repo?
It is better to post

zypper lr -d

to see the URL of the Repos.

The last one is not refreshed…
And such a long name with many spaces…

19 | systemsmanagement               | Various software for easier management of multiple systems (openSUSE_Leap_15.2) | Yes     | (r ) Yes  | No      |   99     | rpm-md | |

Of course it is not refreshed; I am tired of getting failure notifications every 5-10’ !!!

Did you try it with a shorter name?


zypper clean -a

will help?

Yes. I tried all the known tricks. Still, it’s not working. I am suspecting something is cached but I don’t know if this is in zypper or the applet.

Delete the Certificate and then, refresh the Repository to reload the Certificate.

Don’t use the rpm method you describe or any other usual way repositories are installed and managed on other distros… Those more ordinary methods work only when things are done accurately and any little mistake will cause problems like what you describe, hard to troubleshoot.

Instead, use zypper commands exclusively.
You’ll find that you can add a repository from the command line easily, and “auto accept” the GPG key without touching the repository configuration files directly.

I summarized the commands you need in the following Wiki page on building scripts for repository and package management, of course you don’t have to run the commands in a script, you can run the commands manually and individually. There are additional commands if you need in the zypper --help and MAN pages, but what you see in the Wiki page should be sufficient to set up your Chrome repository properly. Be aware that the Chrome browser has an idiosyncrasy, besides the repo GPG key, installing Chrome will prompt for another GPG key for a dependency which can be ignored and accepted, but that won’t show up whenever you refresh the repo.


What about a mirror:

Maybe it is linking to an out-of-sync server?

Hi Tsu,
Well, I use zypper always. Besides, I want to use the distro’s package manager, not yum.
In any case, what I was doing was:

  1. Add the repo
  2. Run zypper ref & accept the GPG Key (always)

In any case, I followed your commands.
Still the same thing. zypper ref is OK, no GPG Key issues, KDE Software Updates fails…

Are you certain that, with YaST, you deleted the GPG key for the systemsmanagement repository and then, again with YaST, refreshed that repository and accepted the new key?
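
The "delete the key, then refresh the repository" step suggested in the replies can also be done from the command line with `rpm` and `zypper`. The sketch below is an added example, not part of any post in this thread; the function names are hypothetical, and it assumes the key's summary line contains the text you pass as the pattern.

```shell
#!/bin/sh
# Added example: CLI equivalent of "delete the repo key, then refresh".
# Function names are hypothetical. Run rekey_repo as root.

# Print every GPG public key in the RPM database as "<package>\t<summary>".
list_repo_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Read a key listing on stdin and print the package names whose summary
# contains $1 (case-insensitive, plain substring, not a regex).
match_keys() {
    awk -F '\t' -v pat="$1" 'BEGIN { pat = tolower(pat) }
        index(tolower($2), pat) { print $1 }'
}

# Remove the single key matching $2, then force-refresh repo alias $1.
# The refresh is left interactive on purpose: zypper shows the key's
# fingerprint and asks before trusting it, so it can be compared with
# the fingerprint published by the repository owner.
rekey_repo() {
    repo=$1
    pattern=$2
    keys=$(list_repo_keys | match_keys "$pattern")
    n=$(printf '%s\n' "$keys" | grep -c . || true)
    # Refuse to guess: removing the wrong key breaks other repositories.
    if [ "$n" -ne 1 ]; then
        echo "expected 1 key matching '$pattern', found $n; nothing removed" >&2
        return 1
    fi
    rpm -e "$keys" && zypper refresh -f "$repo"
}

# Usage (as root): rekey_repo systemsmanagement systemsmanagement
```
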