zypper ignoring the "--allow-unsigned-rpm" option

I have a couple of programs that are distributed cryptographically unsigned. I use a script to install updates; it is run once a week. To update the unsigned packages I added the "--allow-unsigned-rpm" option. It is ignored by zypper. The "install" command is used instead of "update" since update does not have the unsigned option.

Where have I gone astray?

$ zypper help install
install (in) [OPTIONS] <CAPABILITY|RPM_FILE_URI> ...
    --allow-unsigned-rpm    Silently install unsigned rpm packages given as commandline parameters.
                            Default: false
zypper --non-interactive --ignore-unknown --no-cd install --auto-agree-with-licenses --allow-unsigned-rpm jalbum

yields

1 package to upgrade.
Overall download size: 99.5 MiB. Already cached: 0 B. After the operation, additional 16.8 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package jalbum-18.3-1.x86_64 (1/1),  99.5 MiB (233.8 MiB unpacked)
Retrieving: jalbum-18.3-1.x86_64.rpm ......done (569.7 KiB/s)]
jalbum-18.3-1.x86_64.rpm:
    Package is not signed!

jalbum-18.3-1.x86_64 (jalbum): Signature verification failed [6-File is unsigned]
Abort, retry, ignore? [a/r/i] (a): a
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.

Choose 'i' for ignore. No other way you can install this package. I wouldn't, but it's your system. :)

The command is in a script, hence the "--non-interactive" option.
AIUI using the "--allow-unsigned-rpm" option should prevent this:

jalbum-18.3-1.x86_64 (jalbum): Signature verification failed [6-File is unsigned]
Abort, retry, ignore? [a/r/i] (a): a 

Or should I insert "i" instead of "a"?

There is no zypper command there, I assume you forgot the install.

This is why we ask to copy/paste complete from your terminal: prompt and command line, lines of output and new prompt line. No changes, no shortcuts. Only so will people trust that they see exactly what you saw.

The install command there

zypper --non-interactive --ignore-unknown --no-cd **install** --auto-agree-with-licenses --allow-unsigned-rpm jalbum

An alternate method for achieving the update of unsigned packages is to modify the repo.

zypper modifyrepo --gpgcheck-allow-unsigned-package <repo-name>

Since, in this case, there is only one package distributed by the repo, the risk seems minimal.

This option applies to RPM package files that are installed directly. There is no option to override configured repository behavior during installation of individual package from it, you can only disable GPG check globally for the whole repository.
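Since `--allow-unsigned-rpm` only applies to RPM files passed directly on the command line, a scripted update can pin the file's SHA-256 and refuse to install on a mismatch. The sketch below is an added example, not part of the original thread; the function names are hypothetical and the expected digest is assumed to come from the vendor over a trusted channel.

```shell
#!/bin/sh
# Added example: check a locally downloaded, unsigned RPM against a pinned
# SHA-256 before handing the file to zypper. Function names are hypothetical.

# verify_rpm_sha256 FILE EXPECTED_HEX
# Returns 0 on an exact match, 1 on a mismatch, 2 on bad input.
verify_rpm_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        return 1
    fi
    return 0
}

# install_verified_rpm FILE EXPECTED_HEX
# Installs only when the digest matches. The argument is forced into path
# form so zypper treats it as an RPM file, not a package name in a repository.
install_verified_rpm() {
    case $1 in
        /*|./*) rpm_path=$1 ;;
        *)      rpm_path=./$1 ;;
    esac
    verify_rpm_sha256 "$rpm_path" "$2" || return 1
    zypper --non-interactive install --allow-unsigned-rpm "$rpm_path"
}

# Usage in the weekly script (digest shown is a placeholder, not a real value):
#   install_verified_rpm ./jalbum-18.3-1.x86_64.rpm "<sha256-from-vendor>"
```

A digest pin detects a corrupted or swapped file, but unlike a GPG signature it has to be refreshed for every new release.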

Sorry, see it now. It is rather hidden between the general and the command specific options, but nevertheless, I should have seen it.

zypper in --allow-unsigned-rpm *package_name*

That’s an interesting option that seems to be rather new, it’s not mentioned in any older versions of zypper.
Maybe it’s buggy.

On the other hand, it's my impression that normally when an unsigned package is encountered (or any other minor defect) the user is prompted to confirm installation and the default is to accept.
If that's the case, then the option to automatically accept should work, which has always existed:

zypper -n in -y *package_name* 

TSU