zypper claiming "nokey" on numerous package updates??

English Applications
1

So, in running zypper a few days back where I had the “pipewire” problem, today another 184 packages to upgrade . . . running zypper a GUI window opens asking me to “trust the key”??? Which I did, assuming that since there was a ten day period where I wasn’t using the computer that the “key” got “out of date”???

But, then watching the screen I noticed quite a few of the installing packages had “blue font” data under each line item, including the word “NOKEY”???

(171/183) Installing: vlc-3.0.16-4.29.x86_64 .............................[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.inode.at-openSUSE_Tumbleweed/Essentials/x86_64/vlc-3.0.16-4.29.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY

Is one example out of what might have been several hundred??

I launched Yast and went to Software Repos and clicked on “GPG keys” and checked each of the items, all listed dates in 2024 for expiration, only one of them expires next month on 12/10 . . . ???

Would this be related to the recent time change we have here in the good ole US of A??

2

I don’t know what causes this. I have been seeing the same thing.

I opened Yast → Software Repositories
and clicked on “GPG keys”.

Then I deleted the packman key. After that I closed the Software Repositories application.

Next, at the root command line, I did:

zypper refresh -f packman

If you try that, you will need to change that “packman” to the name you are using for that repo.

This prompted me to accept the key for packman. And I have not had any NOKEY messages since then.

I’m a little puzzled. When I again look at the GPG keys, it seems to be the same packman key as before. But there must have been some subtle change.

As far as I know, “zypper” is successfully checking the signature on the repo metadata that it downloads. But “rpm” was failing to successfully check the signature on individual rpm files.

3

@nrickert:

Thanks for the details . . . I’ll check into that approach . . . . Seems like this is somewhat of a “new” problem in TW?? I sometimes see this “trust this key?” in one of my older Gecko installs . . . tried fiddling with that awhile back, failed in the mission on it.

I’ll see what’s up with “packman” in the repos . . . seems to take more time getting thru the upgrading process with these “NOKEY” errors???

4

The procedure described by nrickert worked for me.

I found this as being the probable cause: https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222

5

@awerlang:

Thanks for the follow-up on it . . . running out of time for checking into it today.

But after I ran those “nokey” upgrades I didn’t see any kernel upgrades, so I just logged out when I took a break, didn’t restart . . . when I logged back in GUI desktop opened OK, clicked on main menu, that opened . . . >internet opened OK, but clicking on >firefox . . . and desktop “froze” . . . mouse worked, but nothing responded to clicks . . . .

Used the power button to shut down . . . on cold boot seemed like dmesg took a little longer but everything is again functioning . . . .

6

I guess my system was using “packman repository” . . . because “packman” didn’t work out, but then “refresh” didn’t seem to either???



 


  - Name: PackMan Project (signing key) <packman@links2linux.de>

Was what showed in Yast for the key code . . . ran your commands, got:

# zypper refresh -f packman
Repository 'packman' not found by its alias, number, or URI.
Use 'zypper repos' to get the list of defined repositories.
Some of the repositories have not been refreshed because they were not known.


linux-f6nl:/home/ # zypper repos
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias                                | Name                       | Enabled | GPG Check | Refresh
--+--------------------------------------+----------------------------+---------+-----------+--------
1 | download.opensuse.org-non-oss        | Main Repository (NON-OSS)  | Yes     | (r ) Yes  | Yes
2 | download.opensuse.org-oss            | Main Repository (OSS)      | Yes     | (r ) Yes  | Yes
3 | download.opensuse.org-tumbleweed     | Main Update Repository     | Yes     | (r ) Yes  | Yes
4 | libdvdcss                            | libdvdcss                  | Yes     | (r ) Yes  | Yes
5 | openSUSE-20191204-0                  | openSUSE-20191204-0        | No      | ----      | ----
6 | packman.inode.at-openSUSE_Tumbleweed | Packman Repository         | Yes     | (r ) Yes  | Yes
7 | repo-debug                           | openSUSE-Tumbleweed-Debug  | No      | ----      | ----
8 | repo-source                          | openSUSE-Tumbleweed-Source | No      | ----      | ----


linux-f6nl:/home/ # zypper refresh -f packman repository
Repository 'packman' not found by its alias, number, or URI.
Repository 'repository' not found by its alias, number, or URI.
Use 'zypper repos' to get the list of defined repositories.
Some of the repositories have not been refreshed because they were not known.


linux-f6nl:/home/ # zypper ref
Repository 'Main Repository (NON-OSS)' is up to date.                           
Repository 'Main Repository (OSS)' is up to date.                               
Repository 'Main Update Repository' is up to date.                              
Repository 'libdvdcss' is up to date.                                           
Repository 'Packman Repository' is up to date.                                  
All repositories have been refreshed.

Checking back into Yast, as @nrickert mentioned the GPG key number was the same as it was before I deleted it . . . guess we’re back to where we were.

7

Works exactly as described. Annoying messages are gone!

8

Please check the URL of your Packman repository.

http://packman.inode.at/suse/openSUSE_Tumbleweed/

is - as far as i know - not working at the moment. Use

https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/

instead.

Regards

susejunky

9

@susejunky:

Glad I posted the data and thanks for looking at it . . . I know I changed one URL for a repo some months back. But, then I don’t recall an error message on the packman repo . . . like nothing like “not found” and so forth. I’m over in my SID system today, working through the issues that SID seems to come up with . . . . : - 0 Always something to do with the bleeding edge distros . . . .

10

@susejunky:

So, back in TW at the moment and indeed, running # zypper repos it still shows Packman using URL “inode”??? But in Yast Software Repositories it shows it as “Index of /pub/linux/misc/packman/suse/openSUSE_Tumbleweed/” . . . as I believe we all changed it some months back.

Somehow that data is not transmitting over to “the zypper”???

11

A repo has: a name, an alias and a url.

Looking back at post #6 in this thread, you have a repo with:

alias=“packman.inode.at-openSUSE_Tumbleweed”,
name=“Packman Repository”

but you did not show us the url. It is quite possible that the url is

https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/

And zypper actually uses that url, but the zypper messages that you see list the alias.

Yast software repositories should actually show name and url, but it does not show the alias.

If you use

zypper lr -d

that will show alias, name and url.

12

@nrickert:

Thanks for the post back on it.

6 | packman.inode.at-openSUSE_Tumbleweed | Packman Repository         | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | ftp://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/                  |

OK, that seems to be showing the URL changes many of us made awhile back . . . .

13

Yes, that looks fine. You were just being confused by the naming (in this case, the alias).

14

:?:Olol! Everything was working w/o error . . . it just looked incorrect in the "zypper repos data . . . . But, seems like this “NOKEY” deal is showing up in a number of my OpenSUSE installs . . . project for the day(s) . . .

15

for Tumbleweed, as root:

 rpm -e gpg-pubkey-1abd1afb-54176598 && zypper cc --all && zypper ref && zypper dup

(for leap change the “zypper dup” to “zypper up”)

16

et al:

So this afternoon zypper showed “630 packages” to upgrade . . . I started the process and then went to do other stuff, a couple hours later I rebooted back into TW and checked my browser for “stuff” . . . and another upgrade notification for “28 packages” to upgrade showed up???

This time I was still sitting in front of the computer and again, each of the 28 package installs showed the “NOKEY” error data.

I ran @tannington’s suggested command and when given the option selected “accept always” on the “gpg-pubkey” update . . . . I’ll have to wait until the next 786 package upgrade comes down the tubes in a couple days . . . ??? :o:X:sarcastic:

17

Nope: https://forums.opensuse.org/showthread.php/562214-zypper-claiming-quot-nokey-quot-on-numerous-package-updates?p=3080732#post3080732 Messages are gone.

18

Well . . . they were in my case until yesterday’s last 28 package upgrade . . . . We’ll see how it goes with the tannington suggested command.

19

So, today I’m in a Gecko rolling flavor, and having already run through the @nrickert sugested commands that did seem to work in all of my SUSE installs, but, just as with the recent zyppering in homebrew TW . . . today showed “364 packages to upgrade” and later on in the installing process again the “NOKEY” issue showed up . . . ???

And, then, there were so many “dracut” lines in the after action report area that I couldn’t scroll out of them to try to copy/paste the “NOKEY” data.

I have now run the tannington command provided in post #15 in this install as well . . . I guess there will be a couple more OpenSUSE installs to get through to try to clean up this “NOKEY” problem . . . . :\

20

You did accept the new signing key during zypper refresh ?

Could you show the output from:

sudo cat /var/log/zypp/history | grep -iE 'nokey|no key'

and

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}	%{SUMMARY}
'