Zypper refuses to acknowledge that I have imported Google's latest signing key

I have this problem with the Google repo on two of our machines, running Leap 15.1:

zypper ref
Retrieving repository ‘google-chrome’ metadata -----------------------------------------------------------------------------]
Looking for gpg key ID 3CB3BD13 in cache /var/cache/zypp/pubkeys.
Repository google-chrome does not define additional ‘gpgkey=’ URLs.
Warning: File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’.

Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.

File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’. Continue? [yes/no] (no):

The normal way to fix this is to do this:

wget https://dl.google.com/linux/linux_signing_key.pub
rpm --import linux_signing_key.pub

But it doesn’t work:

zypper ref
Retrieving repository ‘google-chrome’ metadata -----------------------------------------------------------------------------]
Looking for gpg key ID 3CB3BD13 in cache /var/cache/zypp/pubkeys.
Repository google-chrome does not define additional ‘gpgkey=’ URLs.
Warning: File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’.

Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.

File ‘repomd.xml’ from repository ‘google-chrome’ is signed with an unknown key ‘78BD65473CB3BD13’. Continue? [yes/no] (no):

This problem only occurs on two of our machines. All the others seemed to import the new key just fine. They’re all running OpenSUSE Leap 15.1.
Can anyone help fix this?

Hi
Is the repository set to accept a key?


zypper lr -d

The default gpg check hasn’t been changed?


cat /etc/zypp/zypp.conf |grep gpgcheck

Is the key present (https://www.google.com/linuxrepositories/)?


rpm -qa |grep pubkey

Thanks for the response. Here is the output from these commands.


$ zypper lr -d 5
Alias          : google-chrome
Name           : google-chrome
URI            : http://dl.google.com/linux/chrome/rpm/stable/x86_64
Enabled        : Yes
GPG Check      : ( p) Yes
Priority       : 99 (default priority)
Autorefresh    : On
Keep Packages  : Off
Type           : NONE
GPG Key URI    : 
Path Prefix    : 
Parent Service : 
Keywords       : ---
Repo Info Path : /etc/zypp/repos.d/google-chrome.repo
MD Cache Path  : /var/cache/zypp/raw/google-chrome


$ grep gpgcheck /etc/zypp/zypp.conf 
##   boolean    gpgcheck    (default: on)
##   boolean    repo_gpgcheck    (default: unset -> according to gpgcheck)
##   boolean    pkg_gpgcheck    (default: unset -> according to gpgcheck)
## Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a
## If 'gpgcheck' is 'on' (the default) we will check the signature of repo metadata
## The above default behavior can be tuned by explicitly setting 'repo_gpgcheck'
## and/or 'pkg_gpgcheck':
##   'repo_gpgcheck = on' same as the default.
##   'repo_gpgcheck = off' will silently accept unsigned repos. It will NOT turn off
##   'pkg_gpgcheck = on' will enforce the package signature checking and the need
##   'pkg_gpgcheck = off' will silently accept unsigned packages. It will NOT turn off
## enable them individually by setting 'repo_gpgcheck' and/or 'pkg_gpgcheck' to 'on'.
# repo_gpgcheck = unset -> according to gpgcheck
# pkg_gpgcheck =  unset -> according to gpgcheck


$ rpm -qa | grep pubkey
gpg-pubkey-98ab5139-4bf2d0b0
gpg-pubkey-6f88bb2f-54032bd3
gpg-pubkey-498d5a23-5d481f1c
gpg-pubkey-d38b4796-570c8cd3
gpg-pubkey-943d8bb8-5555af65
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-39db7c82-5847eb1f
gpg-pubkey-6300dadb-5bec2ed1
gpg-pubkey-7fac5991-4615767f           # I think this is the correct one?
gpg-pubkey-4f311b1d-59d4f57c
gpg-pubkey-0d210a40-581257c6
gpg-pubkey-ee3d166a-5bdcf45c
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-307e3d54-5aaa90a5

Hi
Can you try deleting the current key and re-import as per the link?


rpm -e gpg-pubkey-7fac5991-*
wget https://dl.google.com/linux/linux_signing_key.pub
rpm --import linux_signing_key.pub

No, it is not. This is key https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xa040830f7fac5991, while repository metadata (repomd.xml) is signed using key https://keyserver.ubuntu.com/pks/lookup?search=0x78BD65473CB3BD13&fingerprint=on&op=index.

This is still the same incorrect key.

Sure, ask Google. Only they can fix their repositories.

As a workaround you can manually import the correct key as long as you trust it. It is actually signed by linux_signing_key.pub so there is some level of confidence. Of course, repositories still need fixing.

Actually I realized that this file contains both keys - old and new. I tested “rpm --import” on Leap 15.1 and importing this file adds both keys. The correct one is gpg-pubkey-d38b4796-570c8cd3. And this is also present on the OP's system. I do not get any errors adding/refreshing the Chrome repository. What does “ls -l /var/lib/rpm” show?

Thanks for that.

Sure, ask Google. Only they can fix their repositories.

We have about a dozen machines all running OpenSUSE Leap 15.1. The problem only occurs with two of them. All the others are fine. My present assumption is that the problem is with these machines, not with Google.

What does “ls -l /var/lib/rpm” show?


$ ls -l /var/lib/rpm
lrwxrwxrwx 1 root root 26 Apr 13 15:15 /var/lib/rpm -> ../../usr/lib/sysimage/rpm
$ ls -l /var/lib/rpm/
total 356748
-rw-r--r-- 1 root root  25751552 Aug  1 01:16 Basenames
-rw-r--r-- 1 root root     28672 Aug  1 01:16 Conflictname
-rw-r--r-- 1 root root  18964480 Aug  1 01:16 Dirnames
-rw-r--r-- 1 root root      8192 Jul 18 07:36 Enhancename
-rw-r--r-- 1 root root      8192 Jun 20 01:18 Filetriggername
-rw-r--r-- 1 root root     90112 Aug  1 01:16 Group
-rw-r--r-- 1 root root    188416 Aug  1 01:16 Installtid
-rw-r--r-- 1 root root    339968 Aug  1 01:16 Name
-rw-r--r-- 1 root root     98304 Aug  1 01:16 Obsoletename
-rw-r--r-- 1 root root 307453952 Aug  1 01:16 Packages
-rw-r--r-- 1 root root   9490432 Aug  1 01:16 Providename
-rw-r--r-- 1 root root    118784 Aug  1 01:16 Recommendname
-rw-r--r-- 1 root root   1531904 Aug  1 01:16 Requirename
-rw-r--r-- 1 root root         0 Sep 23  2016 .rpm.lock
-rw-r--r-- 1 root root    647168 Aug  1 01:16 Sha1header
-rw-r--r-- 1 root root    360448 Aug  1 01:16 Sigmd5
-rw-r--r-- 1 root root     20480 Jul 25 01:15 Suggestname
-rw-r--r-- 1 root root    208896 Aug  1 01:16 Supplementname
-rw-r--r-- 1 root root      8192 Jun  7  2019 Transfiletriggername
-rw-r--r-- 1 root root      8192 Jul 18 07:36 Triggername

I’ve now tried that and it has no effect.

That’s correct. Try running “strace -f -o /tmp/zypper.out zypper refresh google-chrome” and upload /tmp/zypper.out to https://susepaste.org/.

Done. Here it is.

Well, it really looks like zypper does not find the correct key or is not willing to use it. Could you upload /var/log/zypper.log and tell the exact date/time when you tried to refresh the repository? The log file includes the keys that are being imported from the RPM DB.

I’ve just tried uploading it to susepaste.org but I get:

               **An Error Was Encountered**
          You are spammer!!!

Here’s a section that seems relevant:


2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-0d210a40-581257c6 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-1abd1afb-54176598 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-307e3d54-5aaa90a5 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-39db7c82-5847eb1f R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-3dbdc284-53674dd4 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-498d5a23-5d481f1c R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-4f311b1d-59d4f57c R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-6300dadb-5bec2ed1 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-6f88bb2f-54032bd3 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-7fac5991-4615767f R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-943d8bb8-5555af65 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-98ab5139-4bf2d0b0 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-c66b6eae-4491871e R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-d38b4796-570c8cd3 R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] RpmDb.cc(computeKeyRingSync):567 gpg-pubkey-ee3d166a-5bdcf45c R_
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb] RpmDb.cc(syncTrustedKeys):619 Rpm keys to export into zypp trusted keyring: 15
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb] RpmDb.cc(syncTrustedKeys):620 Zypp trusted keys to import into rpm database: 0
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb] RpmDb.cc(syncTrustedKeys):626 Exporting rpm keyring into zypp trusted keyring
2020-08-03 10:15:50 <1> daveh(10785) [librpmDb++] librpmDb.cc(D):79 DBACCESS {NULL(/)/var/lib/rpm}
2020-08-03 10:15:50 <1> daveh(10785) [zypp::gpg++] KeyManager.cc(createForOpenPGP):239 createForOpenPGP(/var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE)
2020-08-03 10:15:50 <1> daveh(10785) [zypp::gpg] KeyManager.cc(initGpgme):44 Initialized libgpgme version: 1.10.0
2020-08-03 10:15:52 <1> daveh(10785) [zypp::gpg++] KeyManager.cc(createForOpenPGP):239 createForOpenPGP(/var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE)
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166 Found keys: {
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [F5113243C66B6EAE-4491871e, F016EEAA03224CDD] [NVIDIA Corporation <linux-bugs@nvidia.com>] [does not expire]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [7721F63BD38B4796-570c8cd3, 1397BC53640DB551, 6494C6D6997C215E] [Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>] [does not expire]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [69D1B2AAEE3D166A-5bdcf45c] [security OBS Project <security@build.opensuse.org>] [expires: 2021-01-11]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [20F8C4F40D210A40-581257c6] [KDE:Extra OBS Project <KDE:Extra@build.opensuse.org>] [expired: 2019-01-05]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [45A1D0671ABD1AFB-54176598] [PackMan Project (signing key) <packman@links2linux.de>] [expires: 2024-09-12]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [B88B2FD43DBDC284-53674dd4] [openSUSE Project Signing Key <opensuse@opensuse.org>] [expires: 2024-05-02]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [55E7BAF94F311B1D-59d4f57c] [graphics OBS Project <graphics@build.opensuse.org>] [expired: 2019-12-13]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [27C070176F88BB2F-54032bd3] [KDE OBS Project <KDE@build.opensuse.org>] [expired: 2016-11-08]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [A040830F7FAC5991-4615767f, 4F30B6B4C07CB649] [Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>] [does not expire]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [70AF9E8139DB7C82-5847eb1f] [SuSE Package Signing Key <build@suse.de>] [expires: 2020-12-06]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [54422A4B98AB5139-4bf2d0b0, B6748A65281DDC4B] [Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>] [does not expire]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [E3A5C360307E3D54-5aaa90a5] [SuSE Package Signing Key <build@suse.de>] [expires: 2022-03-14]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [30A8343A498D5A23-5d481f1c] [devel:tools OBS Project <devel:tools@build.opensuse.org>] [expires: 2021-10-13]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [01DB7302943D8BB8-5555af65] [science OBS Project <science@build.opensuse.org>] [expired: 2017-07-23]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [927F5CC86300DADB-5bec2ed1] [devel:gcc OBS Project <devel:gcc@build.opensuse.org>] [expires: 2021-01-22]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166 }
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [c66b6eae] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [d38b4796] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [ee3d166a] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [0d210a40] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [1abd1afb] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [3dbdc284] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [4f311b1d] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [6f88bb2f] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [7fac5991] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [39db7c82] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [98ab5139] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [307e3d54] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [498d5a23] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [943d8bb8] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(publicKeyExists):366 Found key [6300dadb] in keyring /var/tmp/zypp.QOofaY/zypp-trusted-krwdG5aE

Well, here is the problem. This key has three subkeys and only two are listed. The third one - 78BD65473CB3BD13 - is missing and it is the key used to sign the repository.

I would say this needs a developer to debug. Open a bug report on bugzilla.opensuse.org and attach /var/log/zypper.log; you could mention this part in the bug text. Attaching linux_signing_key.pub is useful too. Also show “rpm -qa gpg-pubkey*”. You may point to this thread for cross-reference.

P.S. could you post “gpg2 --list-packets linux_signing_key.pub”? Just to be sure we are using the same file.
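
The check made by eye in the reply above, as an added example that is not part of the original thread: a shell helper that reads the KeyRing.cc(getData) lines of zypper.log and reports whether a key ID is listed as a primary key or a subkey. The function names are hypothetical, the two sample lines are copied from the log excerpt above, and the reading "first ID is the primary key, the rest are subkeys" is an assumption taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): look up a key ID in the key list that
# libzypp logs for its trusted keyring.

# Two lines copied from the zypper.log excerpt above, used as sample input.
sample_log() {
cat <<'EOF'
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [7721F63BD38B4796-570c8cd3, 1397BC53640DB551, 6494C6D6997C215E] [Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>] [does not expire]
2020-08-03 10:15:52 <1> daveh(10785) [zypp::KeyRing] KeyRing.cc(getData):166   [A040830F7FAC5991-4615767f, 4F30B6B4C07CB649] [Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>] [does not expire]
EOF
}

# keyring_ids: read log lines on stdin, print "<id> <role> <primary-id>" for
# every primary key and subkey found in getData lines.
keyring_ids() {
    awk '
    /KeyRing\.cc\(getData\)/ {
        rest = $0
        sub(/^.*getData\):[0-9]+ +/, "", rest)
        if (substr(rest, 1, 1) != "[") next   # skip "Found keys: {" and "}"
        ids = substr(rest, 2, index(rest, "]") - 2)
        n = split(ids, part, /, */)
        primary = part[1]
        sub(/-[0-9a-f]+$/, "", primary)       # drop the creation-time suffix
        print primary, "primary", primary
        for (i = 2; i <= n; i++) print part[i], "subkey", primary
    }'
}

# find_key ID: match a long or short hex key ID (case-insensitive) against the
# end of each listed ID; prints the matches, exit status 1 if there are none.
find_key() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    keyring_ids | awk -v want="$want" '
        { id = toupper($1) }
        substr(id, length(id) - length(want) + 1) == want { print; found = 1 }
        END { exit !found }'
}

# The key that signed repomd.xml in this thread is absent from the sample.
sample_log | find_key 78BD65473CB3BD13 \
    || echo "78BD65473CB3BD13: not listed in the trusted keyring"
```

On a real system, pass only the zypper.log lines from the refresh being investigated, since the log accumulates entries from earlier runs.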

I’ve now tried doing this:


$ rpm -e gpg-pubkey-7fac5991-4615767f
$ rpm -e gpg-pubkey-d38b4796-570c8cd3
$ rpm --import linux_signing_key.pub
$ zypper ref google-chrome
Retrieving repository 'google-chrome' metadata .....................................................[done]
Building repository 'google-chrome' cache ..........................................................[done]
Specified repositories have been refreshed.

Removing two keys and then re-importing seems to have fixed it. I only removed one before.

Thanks for your help, everyone.