OK, this starts getting really, really, really annoying.
Every time I add a non openSUSE repository, the GPG keys are not recognized by zypper or the KDE Software updates applet.
Let’s take the latest example.
I want to add the repository: https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/
Which, of course, has a GPG Key here: https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/repodata/repomd.xml.key
And:
wget https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/repodata/repomd.xml.key
rpmkeys --import ./repomd.xml.key.1
echo $?
0
However, when I run zypper, I get this:
zypper clean
All repositories have been cleaned up.
zypper ref -f
Forcing raw metadata refresh
Retrieving repository 'Main Repository (NON-OSS)' metadata ...................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Repository (NON-OSS)' cache ........................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Update Repository (Non-Oss)' metadata .................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Update Repository (Non-Oss)' cache ......................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Main Repository (OSS)' metadata .......................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Repository (OSS)' cache ............................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Main Update Repository' metadata ......................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Update Repository' cache ...........................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Subtitle Composer (openSUSE_Leap_15.2)' metadata -------------------------------------------------------------------------------------------------------------------------\]
New repository or package signing key received:
Repository: Subtitle Composer (openSUSE_Leap_15.2)
Key Name: home:maxrd2 OBS Project <home:maxrd2@build.opensuse.org>
Key Fingerprint: DE85E73C 17AF00C8 E865B04F 0073ABF0 73738FA0
Key Created: Wed Nov 25 07:33:00 2020
Key Expires: Fri Feb 3 07:32:59 2023
Rpm Name: gpg-pubkey-73738fa0-5fbdec8c
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):
And of course I accept the key, which solves the problem in the CLI but not for the Software Update applet which still asks for the GPG Keys!
So, the questions are very simple:
- Why the GPG Key is not searched in the DB? To me, it looks like zypper is not using the rpm DB for the GPG keys, but it’s own!
- Why the GPG Key is not trusted when I execute zypper ref -f ? Again, it looks like zypper uses another DB to store information about repositories and their GPG keys instead of the rpm db!
- Why the Software Updates applet ignores both zypper settings and rpm DB?