Where are foreign RPM repository GPG keys stored?


When I add a non-openSUSE RPM repo, zypper throws an error about an invalid key, and it gives me the option to ignore it. I want to include that GPG file and include the preference for that warning to not be displayed again on other openSUSE systems that I pre-install. But I can’t figure out where that key and “don’t warn me about this in the future” are being stored. There’s a bunch of stuff in /var/cache/zypp , but I tried deleting that entire directory and it still remembers the foreign repo key and doesn’t ask me to ignore or abort. So the preference is stored elsewhere. Any ideas?

Thanks a lot!

EDIT: I also read this, but made no sense of it:

You need to import key using “rpmkeys --import”; see man rpmkeys. Keys are stored in RPM database as pseudo-package with name gpg-pubkey***.

Oh … and if this repo is in format that provides public key information, zypper should offer you to “always trust” it when you add this repo - effectively, it then imports key for you.

Thanks a lot arvidjaar. Specifically, the Google Talk plugin is what was giving me the errors, but I finally found the key:

Here in openSUSE,
You don’t have to know where keys are stored or manually enter the keys for authentication.

You can simply automatically accept the keys when they are prompted,
I describe this command at
You only need to run the following command when you refresh your repos

zypper --gpg-auto-import-keys ref


The problem is that for the Google Talk/Hangouts repo, (http://dl.google.com/linux/talkplugin/rpm/stable/x86_64), zypper/YaST throws an ugly error about an unknown key, and later before actually installing the package it throws another error about a broken package. This isn’t the normal “Trust” option that you get when adding a new openSUSE / OBS repo.

But it is from Google and they seem to be always messed up.

Very likely it is a Google oddity. But it only bugs me once, subsequent updates don’t give any trouble. It’s just that I’d like to prevent this scary error for my users that choose to install Google Talk / Hangouts on their own systems.

If the certs are faulty, and it appears that they are… First there is a problem with the repo keys, then it looks like the rpm checks for signed code but the certs aren’t available…

If you want to avoid these problems,

Install the repo, setting the repo gpg check to “no” as follows

zypper ar --no-gpgcheck http://dl.google.com/linux/talkplugin/rpm/stable/x86_64 Google_Talk_plugin

After that, you can install the plugin non-interactively as follows

 zypper in -y google-talkplugin


Ah, very good idea. I didn’t think about that. Thanks!