zypper refresh not automatically importing repository signing key even with --gpg-auto-import-keys o

[Originally posted on https://github.com/openSUSE/zypper/issues/144]

OS Details
OS: openSUSE Leap 42.2 (using opensuse:42.2 docker image)
Zypper version: 1.13.32

bash-4.3# cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="42.2"
ID=opensuse
ID_LIKE="suse"
VERSION_ID="42.2"
PRETTY_NAME="openSUSE Leap 42.2"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:42.2"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

bash-4.3# zypper --version
zypper 1.13.32

Environment
I have configured a repo to be used with zypper. The following shows the content of the .repo file:


bash-4.3# cat /etc/zypp/repos.d/gitlab_gitlab-ee.repo 
[gitlab_gitlab-ee]
name=gitlab_gitlab-ee
baseurl=https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/$basearch
repo_gpgcheck=1
pkg_gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
autorefresh=1
type=rpm-md

[gitlab_gitlab-ee-source]
name=gitlab_gitlab-ee-source
baseurl=https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS
repo_gpgcheck=1
pkg_gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
autorefresh=1
type=rpm-md

Problem
Even if I provide the --gpg-auto-import-keys option to the refresh command, zypper warns me about an unknown key. Theoretically, it should simply import and trust the key, but that is not happening.


bash-4.3# zypper --gpg-auto-import-keys refresh gitlab_gitlab-ee
Retrieving repository 'gitlab_gitlab-ee' metadata ----------------------------------------------------------------------------------------------------------------------------|]
Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'. Continue? [yes/no] (no):

I also tried the following to see if it fixed the problem, with no luck.

  1. Running the command in non-interactive mode, because the man page says:
   --gpg-auto-import-keys
       If new repository signing key is found, do not ask what to do; trust and import it automatically. This
       option causes that the new key is imported also in non-interactive mode, where it would otherwise got
       rejected.
  2. Manually getting the keys into my keychain using gpg --recv-keys and then trying zypper refresh

Any help would be appreciated as I fail to see why this happens. Thanks.
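One thing a practitioner would check against the information already in this post, as an added example (not part of the original post and not zypper's own code): the second gpgkey= URL in the .repo file names key 3D645A26AB9FBD22, while the warning reports repomd.xml as signed with 14219A96E15E78F4. zypper can only auto-import a key it can retrieve for that repository, so a mismatch between the key the repo advertises and the key that actually signed the metadata is the first thing to rule out. The script below parses the .repo format (including the indented continuation line of gpgkey=), pulls any long key IDs out of the gpgkey URLs and compares them with the key ID in the warning. The .repo text and the warning line are embedded as constructed input copied from this post so it runs offline; the function names are my own.

```python
"""Cross-check a zypper .repo file against a 'signed with an unknown key' warning.

Added example, not zypper's code. The .repo text and the warning line are
constructed input copied from the post above so the script runs offline.
"""
import re

REPO_FILE = """\
[gitlab_gitlab-ee]
name=gitlab_gitlab-ee
baseurl=https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/$basearch
repo_gpgcheck=1
pkg_gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
autorefresh=1
type=rpm-md
"""

WARNING = ("Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' "
           "is signed with an unknown key '14219A96E15E78F4'.")

# A long OpenPGP key ID as zypper prints it: exactly 16 hex digits, not part
# of a longer hex run.
KEY_ID_RE = re.compile(r'(?<![0-9A-Fa-f])[0-9A-Fa-f]{16}(?![0-9A-Fa-f])')


def parse_repo_file(text):
    """Parse zypper's INI-style .repo file. Values are lists because gpgkey=
    may carry several URLs, one per line, the extra ones indented."""
    repos, section, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            repos[section] = {}
            last_key = None
        elif line[0] in ' \t' and last_key is not None:
            # Indented continuation of the previous key (second gpgkey URL).
            repos[section][last_key].append(line.strip())
        elif section is not None and '=' in line:
            key, _, value = line.partition('=')
            last_key = key.strip()
            repos[section][last_key] = [value.strip()]
        else:
            raise ValueError('malformed .repo line: %r' % line)
    return repos


def key_ids_in_urls(urls):
    """Long key IDs (16 hex digits) that appear in the gpgkey URL paths."""
    return {m.group(0).upper() for url in urls for m in KEY_ID_RE.finditer(url)}


def unknown_key_in_warning(line):
    """Key ID zypper reports in its 'signed with an unknown key' warning."""
    m = re.search(r"unknown key '([0-9A-Fa-f]+)'", line)
    return m.group(1).upper() if m else None


def check_repo(repos, alias, warning):
    """Summarise the signature settings of one repo and whether the key that
    signed its metadata is among the keys its gpgkey= URLs name."""
    repo = repos[alias]
    urls = repo.get('gpgkey', [])
    advertised = key_ids_in_urls(urls)
    signing = unknown_key_in_warning(warning)
    return {
        'repo_gpgcheck': repo.get('repo_gpgcheck', ['0'])[0] == '1',
        'pkg_gpgcheck': repo.get('pkg_gpgcheck', ['0'])[0] == '1',
        'gpgkey_urls': urls,
        'advertised_key_ids': sorted(advertised),
        'signing_key_id': signing,
        'signing_key_advertised': signing is not None and signing in advertised,
    }


if __name__ == '__main__':
    result = check_repo(parse_repo_file(REPO_FILE), 'gitlab_gitlab-ee', WARNING)
    for k, v in result.items():
        print('%-22s %s' % (k, v))
    if not result['signing_key_advertised']:
        print('\nNone of the gpgkey= URLs names the key that signed repomd.xml; '
              'verify which key those URLs actually serve before importing anything.')
```

A URL without a key ID in its name (the first gpgkey entry here) can still serve the right key, so a negative result is a prompt to fetch the gpgkey URLs and compare the key IDs they contain with the one in the warning, not proof of a problem by itself.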

Nothing wrong catches my eye, although I’d suggest running your refresh command without specifying the repo name… The command without specifying the repo will automatically accept keys for all repos as needed, and removes a possible point of error (specifying the repo correctly).

So, as follows (see if the following works):

zypper --gpg-auto-import-keys ref

Also,
To make your provided info complete (and incidentally possibly confirming mis-identifying the repo), you should also post the command you used to add the repo and/or the installed repo as follows (I’m suggesting the general command to list all your repos on the chance that specifying the individual repo might be faulty):

zypper lr -d

TSU

Hi tsu2,

Thanks for the reply. I manually added the repo by creating a file in /etc/zypp/repos.d and pasting the contents I gave above. The output of the command you suggested is



bash-4.3# zypper lr -d

Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias                   | Name                    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                    | Service
--+-------------------------+-------------------------+---------+-----------+---------+----------+--------+------------------------------------------------------------------------+--------
1 | NON OSS                 | NON OSS                 | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/42.2/repo/non-oss/suse/ |        
2 | NON OSS Update          | NON OSS Update          | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/non-oss/                 |        
3 | OSS                     | OSS                     | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/distribution/leap/42.2/repo/oss/suse/     |        
4 | OSS Update              | OSS Update              | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/leap/42.2/oss/                     |        
5 | gitlab_gitlab-ee        | gitlab_gitlab-ee        | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/x86_64      |        
6 | gitlab_gitlab-ee-source | gitlab_gitlab-ee-source | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS       |        

One thing that caught my eye is the (p) Yes under the GPG Check column. What does that mean? Will that have any effect?

Also, trying refresh without specifying any repo name didn’t work either:


bash-4.3# zypper --gpg-auto-import-keys ref
Repository 'NON OSS' is up to date.                                                                                                                                              
Repository 'NON OSS Update' is up to date.                                                                                                                                       
Repository 'OSS' is up to date.                                                                                                                                                  
Repository 'OSS Update' is up to date.                                                                                                                                           
Retrieving repository 'gitlab_gitlab-ee' metadata ----------------------------------------------------------------------------------------------------------------------------|]
Warning: File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'gitlab_gitlab-ee' is signed with an unknown key '14219A96E15E78F4'. Continue? [yes/no] (no):

Hi
Import the key;
https://packages.gitlab.com/app/gitlab/gitlab-ee/gpg


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.2|GNOME 3.20.2|4.4.92-18.36-default

Hi malcolmlewis,

The original question was why wasn’t zypper auto-importing the key, as the flag is supposed to make it do. The key is available in public keyservers like pgp.mit.edu. Also, I had already tried out the following method

  1. Get the gpg key using gpg --recv-keys <key id>
  2. Set ultimate trust
  3. Try zypper refresh

But that too gave me the same result.

Hi!

Are you sure?

I managed to import the GPG key via Yast2 → Software Repositories → GPG Keys…

But even after that, the repository seems to be empty:

zypper packages -r gitlab-runner
Loading repository data...
Reading installed packages...
No packages found.

Which is perhaps more of a problem? :)

When I open the URL of your repo in a web browser, I get an empty page when I expect to see various files including a repo definition file.

So,
You’ve got to fix that.

Then,
I’d also recommend adding your repo using the zypper command line because it leaves less possibility for making a mistake. For instance, I can’t check because your path currently leads to an empty page but I would test whether your first entry for the GPG key is necessary or correct.

I’d recommend first deleting (or moving elsewhere) your current repo file (client side) and then when the URL actually points to something running something like the following

zypper ar -f https://packages.gitlab.com/gitlab/gitlab-ee/opensuse/42.2/SRPMS && zypper --gpg-auto-import-keys ref

TSU