I have this problem with the Google repo on two of our machines, running Leap 15.1:
zypper ref
Retrieving repository ‘google-chrome’ metadata -----------------------------------------------------------------------------]
Looking for gpg key ID 3CB3BD13 in cache /var/cache/zypp/pubkeys.
Repository google-chrome does not define additional ‘gpgkey=’ URLs.
Warning: File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.
File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’. Continue? [yes/no] (no):
This problem only occurs on two of our machines. All the others seemed to import the new key just fine. They’re all running OpenSUSE Leap 15.1.
Can anyone help fix this?
Thanks for the response. Here is the output from these commands.
$ zypper lr -d 5
Alias : google-chrome
Name : google-chrome
URI : http://dl.google.com/linux/chrome/rpm/stable/x86_64
Enabled : Yes
GPG Check : ( p) Yes
Priority : 99 (default priority)
Autorefresh : On
Keep Packages : Off
Type : NONE
GPG Key URI :
Path Prefix :
Parent Service :
Keywords : ---
Repo Info Path : /etc/zypp/repos.d/google-chrome.repo
MD Cache Path : /var/cache/zypp/raw/google-chrome
$ grep gpgcheck /etc/zypp/zypp.conf
## boolean gpgcheck (default: on)
## boolean repo_gpgcheck (default: unset -> according to gpgcheck)
## boolean pkg_gpgcheck (default: unset -> according to gpgcheck)
## Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a
## If 'gpgcheck' is 'on' (the default) we will check the signature of repo metadata
## The above default behavior can be tuned by explicitly setting 'repo_gpgcheck'
## and/or 'pkg_gpgcheck':
## 'repo_gpgcheck = on' same as the default.
## 'repo_gpgcheck = off' will silently accept unsigned repos. It will NOT turn off
## 'pkg_gpgcheck = on' will enforce the package signature checking and the need
## 'pkg_gpgcheck = off' will silently accept unsigned packages. It will NOT turn off
## enable them individually by setting 'repo_gpgcheck' and/or 'pkg_gpgcheck' to 'on'.
# repo_gpgcheck = unset -> according to gpgcheck
# pkg_gpgcheck = unset -> according to gpgcheck
$ rpm -qa | grep pubkey
gpg-pubkey-98ab5139-4bf2d0b0
gpg-pubkey-6f88bb2f-54032bd3
gpg-pubkey-498d5a23-5d481f1c
gpg-pubkey-d38b4796-570c8cd3
gpg-pubkey-943d8bb8-5555af65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-39db7c82-5847eb1f
gpg-pubkey-6300dadb-5bec2ed1
gpg-pubkey-7fac5991-4615767f # I think this is the correct one?
gpg-pubkey-4f311b1d-59d4f57c
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-ee3d166a-5bdcf45c
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-307e3d54-5aaa90a5
Sure, ask Google. Only they can fix their repositories.
As a workaround you can manually import the correct key as long as you trust it. It is actually signed by linux_signing_key.pub so there is some level of confidence. Of course, repositories still need fixing.
Actually I realized that this file contains both keys - old and new. I tested “rpm --import” on Leap 15.1 and importing this file adds both keys. The correct one is gpg-pubkey-d38b4796-570c8cd3, and this is also present on the OP's system. I do not get any errors adding/refreshing the Chrome repository. What does “ls -l /var/lib/rpm” show?
Sure, ask Google. Only they can fix their repositories.
We have about a dozen machines all running OpenSUSE Leap 15.1. The problem only occurs with two of them. All the others are fine. My present assumption is that the problem is with these machines, not with Google.
What does “ls -l /var/lib/rpm” show?
$ ls -l /var/lib/rpm
lrwxrwxrwx 1 root root 26 Apr 13 15:15 /var/lib/rpm -> ../../usr/lib/sysimage/rpm
$ ls -l /var/lib/rpm/
total 356748
-rw-r--r-- 1 root root 25751552 Aug 1 01:16 Basenames
-rw-r--r-- 1 root root 28672 Aug 1 01:16 Conflictname
-rw-r--r-- 1 root root 18964480 Aug 1 01:16 Dirnames
-rw-r--r-- 1 root root 8192 Jul 18 07:36 Enhancename
-rw-r--r-- 1 root root 8192 Jun 20 01:18 Filetriggername
-rw-r--r-- 1 root root 90112 Aug 1 01:16 Group
-rw-r--r-- 1 root root 188416 Aug 1 01:16 Installtid
-rw-r--r-- 1 root root 339968 Aug 1 01:16 Name
-rw-r--r-- 1 root root 98304 Aug 1 01:16 Obsoletename
-rw-r--r-- 1 root root 307453952 Aug 1 01:16 Packages
-rw-r--r-- 1 root root 9490432 Aug 1 01:16 Providename
-rw-r--r-- 1 root root 118784 Aug 1 01:16 Recommendname
-rw-r--r-- 1 root root 1531904 Aug 1 01:16 Requirename
-rw-r--r-- 1 root root 0 Sep 23 2016 .rpm.lock
-rw-r--r-- 1 root root 647168 Aug 1 01:16 Sha1header
-rw-r--r-- 1 root root 360448 Aug 1 01:16 Sigmd5
-rw-r--r-- 1 root root 20480 Jul 25 01:15 Suggestname
-rw-r--r-- 1 root root 208896 Aug 1 01:16 Supplementname
-rw-r--r-- 1 root root 8192 Jun 7 2019 Transfiletriggername
-rw-r--r-- 1 root root 8192 Jul 18 07:36 Triggername
Well, it really looks like zypper does not find the correct key or is not willing to use it. Could you upload /var/log/zypper.log and tell the exact date/time when you tried to refresh the repository? The log file includes keys that are being imported from the RPM DB.
Well, here is the problem. This key has three subkeys and only two are listed. The third one - 78BD65473CB3BD13 - is missing and it is the key used to sign the repository.
I would say this needs a developer to debug. Open a bug report on bugzilla.opensuse.org, attach /var/log/zypper.log; you could mention this part in the bug text. Attaching linux_signing_key.pub is useful too. Also show “rpm -qa gpg-pubkey*”. You may point to this thread for cross-reference.
P.S. could you post “gpg2 --list-packets linux_signing_key.pub”? Just to be sure we are using the same file.
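The mismatch discussed in this thread, as an added example that is not part of any post: zypper reports the ID of the key that made the signature (here a subkey), while `rpm -qa gpg-pubkey*` names each imported key after its primary key only, so searching the rpm list for the reported ID finds nothing. The sketch below maps a signing key ID to its primary key from a GnuPG `--with-colons` listing; the key IDs in the sample are constructed and `find_signer` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example. Reads a GnuPG --with-colons key listing on stdin and reports
# which primary key owns the given signing key ID.
# Record layout used here: field 1 = type (pub/sub), field 5 = 16-hex key ID.

# Constructed sample: one primary key with two signing subkeys (IDs invented).
SAMPLE_LISTING='pub:-:4096:1:AAAA0000BBBB1111:1460000000:::-:::scESC:
uid:-::::1460000000::::Example Repo Signing Key (constructed):
sub:-:4096:1:CCCC2222DDDD3333:1480000000::::::s:
sub:-:4096:1:EEEE4444FFFF5555:1540000000::::::s:'

# find_signer KEYID  (hypothetical helper; KEYID is long or short hex)
# Prints "<role> ... gpg-pubkey-<primary short id>"; returns 1 if no key matches.
find_signer() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -F: -v want="$want" '
        function hit(id) {  # long ID, or short ID matching the trailing digits
            return length(want) <= length(id) &&
                   substr(id, length(id) - length(want) + 1) == want
        }
        # rpm names an imported key after the last 8 hex digits of the PRIMARY key
        function rpmname(id) { return "gpg-pubkey-" tolower(substr(id, length(id) - 7)) }
        $1 == "pub" { primary = toupper($5)
                      if (hit(primary)) { print "primary " primary " " rpmname(primary); found = 1 } }
        $1 == "sub" { kid = toupper($5)
                      if (hit(kid)) { print "subkey " kid " of " primary " " rpmname(primary); found = 1 } }
        END { exit !found }
    '
}

# The signing subkey resolves to the primary key that rpm actually lists.
printf '%s\n' "$SAMPLE_LISTING" | find_signer EEEE4444FFFF5555
```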