Running YaST Software Management today gave me this message in a dialog box:
**Unsigned File**
The file repomd.xml from repository nVidia Graphics Drivers http://download.nvidia.com/opensuse/13.2/ is not digitally signed. The origin and integrity of the file cannot be verified. Using the file anyway puts the integrity of your system at risk.
Use it anyway?
Yes / No
So far I have been running updates without problems (yesterday too).
Any idea what might that be? Should I blindly click “Yes”?
AFAIK, in the case of the nvidia repo, everything (creating the packages, uploading them, recreating the repo data and signing the repo) is done manually. So this takes time, and the repo might be unuseable during that time.
Removing the widget won’t change anything.
You have to disable the “Apper monitor” service in “Configure Desktop”->“Startup and Shutdown”->“Services Manager”.
Or black list NVIDIA driver in Yast
This won’t help either.
It’s the repo metadata that’s the problem, not the driver packages.
Or could disable the NVIDIA repo until thing get straightened out
That’s an option, yes.
Btw, in another thread, a poster stated that the problem is gone for him already, hours ago.
So if you still see this problem, try to clean the zypper cache to force a complete refresh, maybe it helps.
nvidia-gfxG04-kmp-desktop-352.30_k3.16.6_2-15.1.x86_64(nVidia Graphics Drivers): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): a
This is with opensuse 13.2. When I checked yesterday with 13.1, there were no problems. But 13.2 (just doing “zypper lu”) reports the problem both yesterday and today. It defaults to igoring that repo, and “zypper lu” tells me that there are no updates. But if there were updates, I think I would need to disable the nvidia repo in order to do a clean update.
My last check was around 3 minutes before posting this.
I just tried “zypper lu” again. And it told me that “repomd.xml” is not signed.
Maybe when you delete the repo and add it back, it is added back without a repo pgp key and then does not care if the metadata is signed. Or maybe we are being redirected to different mirrors.
Maybe when you delete the repo and add it back, it is added back without a repo pgp key and then does not care if the metadata is signed.
I had never added it before on this system. So zypper had to retrieve the metadata and the key freshly.
Or maybe we are being redirected to different mirrors.
No idea whether there are different mirrors for the nvidia repo.
Maybe deleting /var/cache/zypp/ might help?
There is a way to disable the signature check if you want to do that, have a look at the options “gpgcheck”, “repo_gpgcheck”, and “pkg_gpgcheck” in /etc/zypp/zypp.conf.
(and no, I did not turn it off here…)
Using 13.2 I had the Kernel update a few days ago, and as far as I can tell the G03 driver was updated too, I received no warnings or errors.
After reading this thread I went to yast to check if everything is fine with the nvidia repo and my installed driver, and as far as I can tell I have the latest driver and there are no issues with the repo.
I’m thinking maybe this is a mirror issue, but weren’t the nvidia rpm’s hosted by nvidia at ftp://download.nvidia.com/opensuse/
On 2015-08-23 21:26, wolfi323 wrote:
>
> PS: You might also try to uninstall the repo’s GPG key. Maybe the one
> you have installed is wrong/broken?
>
> Code:
> --------------------
> sudo rpm -e gpg-pubkey-6f88bb2f-4fe5b9a8
> --------------------
I have a doubt here. I’m not sure if rpm uses root’s GPG store, or its
own. I think the later.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
RPM stores GPG keys for verifying package signatures in its database.
You can import them with “rpm --import xxx”, and you can remove them with “rpm -e xxx” as written.
See “man rpmkeys”.
Anyway, I made a mistake there. That key is actually from some KDE repo on OBS. The nvidia repo doesn’t store one in the RPM database it seems.
That’s why I deleted that post…