Zypper and GPG Keys hell (one more time)

OK, this starts getting really, really, really annoying.
Every time I add a non-openSUSE repository, the GPG keys are not recognized by zypper or the KDE Software updates applet.
Let’s take the latest example.

I want to add the repository: https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/
Which, of course, has a GPG Key here: https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/repodata/repomd.xml.key

And:


wget https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/repodata/repomd.xml.key
rpmkeys --import ./repomd.xml.key.1 
echo $?
0

However, when I run zypper, I get this:


zypper clean 
All repositories have been cleaned up.


zypper ref -f
Forcing raw metadata refresh
Retrieving repository 'Main Repository (NON-OSS)' metadata ...................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Repository (NON-OSS)' cache ........................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Update Repository (Non-Oss)' metadata .................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Update Repository (Non-Oss)' cache ......................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Main Repository (OSS)' metadata .......................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Repository (OSS)' cache ............................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Main Update Repository' metadata ......................................................................................................................................[done]
Forcing building of repository cache
Building repository 'Main Update Repository' cache ...........................................................................................................................................[done]
Forcing raw metadata refresh
Retrieving repository 'Subtitle Composer (openSUSE_Leap_15.2)' metadata -------------------------------------------------------------------------------------------------------------------------\]

New repository or package signing key received:

  Repository:       Subtitle Composer (openSUSE_Leap_15.2)
  Key Name:         home:maxrd2 OBS Project <home:maxrd2@build.opensuse.org>
  Key Fingerprint:  DE85E73C 17AF00C8 E865B04F 0073ABF0 73738FA0
  Key Created:      Wed Nov 25 07:33:00 2020
  Key Expires:      Fri Feb  3 07:32:59 2023
  Rpm Name:         gpg-pubkey-73738fa0-5fbdec8c


Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):


And of course I accept the key, which solves the problem in the CLI but not for the Software Update applet which still asks for the GPG Keys!

So, the questions are very simple:

  1. Why is the GPG Key not searched for in the DB? To me, it looks like zypper is not using the rpm DB for the GPG keys, but its own!
  2. Why is the GPG Key not trusted when I execute zypper ref -f? Again, it looks like zypper uses another DB to store information about repositories and their GPG keys instead of the rpm DB!
  3. Why does the Software Updates applet ignore both the zypper settings and the rpm DB?

Just an Update:

From Yast the GPG Keys are listed and they are the correct ones…
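
As an added example (not part of any post in this thread), these shell functions relate the fingerprint and `Rpm Name` from the zypper prompt above to what the rpm database holds, which is the check behind question 1. The function names are made up for this illustration; the fingerprint and package name are copied from the prompt.

```shell
#!/bin/sh
# Added example. Both values are copied from the zypper prompt on this page.
PROMPT_FPR='DE85E73C 17AF00C8 E865B04F 0073ABF0 73738FA0'
PROMPT_RPM_NAME='gpg-pubkey-73738fa0-5fbdec8c'

# Strip spaces/colons and lowercase; fail unless 40 hex digits remain.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f')
    case "$f" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# rpm uses the last 8 hex digits of the fingerprint as the VERSION field.
keyid_from_fpr() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c33-40
}

# True when NAME (gpg-pubkey-VERSION-RELEASE) carries the fingerprint's key ID.
rpm_name_matches_fpr() {
    id=$(keyid_from_fpr "$2") || return 1
    case "$1" in "gpg-pubkey-$id-"*) return 0 ;; *) return 1 ;; esac
}

# RELEASE is a hex Unix timestamp; print it in decimal.
rpm_release_epoch() {
    rel=${1##*-}
    case "$rel" in ''|*[!0-9a-f]*) return 1 ;; esac
    echo $((0x$rel))
}

# Locate the key in the rpm database by its short ID. A 32-bit ID only
# narrows the search; the full fingerprint is what identifies the key.
key_in_rpmdb() {
    id=$(keyid_from_fpr "$1") || return 1
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 2>/dev/null |
        grep -q "^gpg-pubkey-$id-"
}

if rpm_name_matches_fpr "$PROMPT_RPM_NAME" "$PROMPT_FPR"; then
    echo "prompt name and fingerprint agree; release epoch: $(rpm_release_epoch "$PROMPT_RPM_NAME")"
fi
if command -v rpm >/dev/null 2>&1; then
    if key_in_rpmdb "$PROMPT_FPR"; then echo "key is in the rpm DB"; else echo "key is not in the rpm DB"; fi
fi
```

The release `5fbdec8c` decodes to 1606282380, that is 2020-11-25 05:33:00 UTC, which equals the prompt's "Key Created" time as displayed on a machine set to UTC+2.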

It is probably not what you want to hear, but I would say: remove PackageKit and thus disarm (or even remove) the Applet.
My very personal solution, but I am certainly not the only one that keeps to openSUSE’s native software management tools zypper and YaST > Software Management.

I agree with hcvv:

Remove PackageKit and **plasma5-pk-updates**.

Although PackageKit might be a valid option to work with your rpm-packages, in my experience it only causes problems when used alternately with Yast and zypper.

Regards

susejunky

I cannot reproduce it. After importing key “zypper refresh” does not ask for it.

What is output of “ls -l /var/lib/rpm”?

Maybe try running:

pkcon refresh

in a terminal (“konsole” for example). Perhaps the update applet is just showing cached error information and has to be forced to do a new refresh.

Personally, I don’t use the update applet on my normal desktop, but it is working fine in a virtual machine.

Nothing solved the issue.
So, for now I just create a system cronjob to do the update for me.
And I will see how I will manage the requirement for system reboots.

Generally speaking, although I like zypper, I strongly believe its GPG management is broken. DNF/YUM created exactly zero problems for me in the last 5 years with a very similar set of repositories between the 2 PCs…

It’s extremely rare that I encounter this or related repo issues. It’s also extremely rare that I use zypper ar when I want to add a repo, and I don’t use YaST2 either, or any update applet. Instead, e.g.:

Ctrl-Alt-F3
<login root>
# cd /etc/zypp/repos.d/
# wget https://download.opensuse.org/repositories/home:/maxrd2/openSUSE_Leap_15.2/home:maxrd2.repo
# zypper ref
# zypper -v in...

Virtually always, all is good this way.