Where does zypper install the repository or package signing keys?

I’ve two almost identical virtual machines, snip and snap.

While updating them today, one asked to confirm a new repository or package signing key, the other didn’t.

I want to make really sure I didn’t do anything wrong (just in case one of them got compromised in one way or the other), especially since the system not asking for the key indicates all repositories are up to date.

So:

  1. Where does zypper install these keys?
  2. How can I list the installed keys?
  3. How can I verify these keys are indeed valid?

System asking to trust the key:

**snap:/home/jeroenp #** zypper repos -d#  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
 1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
 2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
 3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
 4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
 5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
 6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
 7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
 8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
 9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
**snap:/home/jeroenp #** zypper update
Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\]


New repository or package signing key received:
Key ID: 69D1B2AAEE3D166A
Key Name: security OBS Project <security@build.opensuse.org>
Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
Key Created: Mon May 26 11:04:43 2014
Key Expires: Wed Aug  3 11:04:42 2016
Repository: Security - openSUSE 12.3


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^C**snap:/home/jeroenp #** ^C
**snap:/home/jeroenp #** 

System not asking to trust the key:

**snip:/home/jeroenp #** zypper repos -d#  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
 1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
 2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
 3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
 4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
 5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
 6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
 7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
 8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
 9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
**snip:/home/jeroenp #** zypper update
Loading repository data...
Reading installed packages...


The following package update will NOT be installed:
  libudev0 


Nothing to do.
**snip:/home/jeroenp #** **snip:/home/jeroenp #** zypper refreshRepository 'Security - openSUSE 12.3' is up to date.
Repository 'openSUSE-12.3-1.6' is up to date.
Repository 'openSUSE-12.3-Non-Oss' is up to date.
Repository 'openSUSE-12.3-Oss' is up to date.
Repository 'openSUSE-12.3-Update' is up to date.
Repository 'openSUSE-12.3-Update-Non-Oss' is up to date.
All repositories have been refreshed.

**snip:/home/jeroenp #** 

On 2014-05-31 12:36, jpluimers wrote:
> - Where does zypper install these keys?
> - How can I list the installed keys?
> - How can I verify these keys are indeed valid?

Good question.

The only zypper commands available related to keys are these two:


--no-gpg-checks         Ignore GPG check failures and continue.
--gpg-auto-import-keys  Automatically trust and import new repository
signing keys.

And there is nothing in the configuration directory “/etc/zypp/” related
to “key”, “pgp” or “gpg”.

But I found something. Under “/var/cache/zypp/raw/REPO_ALIAS/repodata”
there are some files related to the keys: repomd.xml.asc, repomd.xml.key
(and they are not xml at all).

So I guess that removing those two would force for the question to be
asked again.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Thanks.

I did some more research. The files are these:

  • repomd.xml
    signed repository file (this is XML) - repomd.xml.asc
    ASCII “armor” signature of repomd.xml - repomd.xml.key
    ASCII public key used to create the signature

My directory /var/cache/zypp/raw/Security_-_openSUSE_12.3/repodata is actually a cache for the files at this URL: http://download.opensuse.org/repositories/security/openSUSE_12.3/repodata/

So I wrote this little gist script: Test if a zypper repository cache directory is OK. On openSuSE, you can test it with `for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done` · GitHub

It is based on this entry by Tojaj: "Bad GPG signature" when attempting to update repo with gpgcheck=1 and no listed key · Issue #16 · rpm-software-management/librepo · GitHub

If you copy my script to ~/repomd_test.sh, then you can call it like this:

for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done

It will show you the keys and fingerprints, then test if the repomd.xm file matches the signature.

Back to my original question: what apparently happened is that when running yast to search for a package, I must have hit enter on one of the machines thereby loading that key into the zypper cache.

On 2014-05-31 18:46, jpluimers wrote:

> It will show you the keys and fingerprints, then test if the -repomd.xm-
> file matches the signature.

Interesting :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)