Zypper/Yast Repositories and remembering certificates

I recently updated to Leap 42.1 (still considering Tumbleweed, though, as I think it’s simply the logical next step for all distributions) and hoped a certain behavior would go away, but suspected it wouldn’t, because it’s been going on for several versions. It didn’t, of course, and I’m wondering if I’m doing something wrong or this is just something I have to deal with for some odd reason.

The following is a link to a screenshot I uploaded to Google Drive; take a look:

https://drive.google.com/file/d/0B8p6zThp4KIdUWRIaWZ5WUhubjQ/view?usp=sharing

As you can see, there are certain repositories that I use that are asking if I want to accept their key. They (a)lways ask that and I (a)lways choose (a)lways accept, as you can see in the screenshot. If this is the expected behavior, I have to wonder why there’s an option for (a)lways.

If I sound a little frustrated, the last time I asked about this (which is why I don’t ask about it much, despite the fact that it drives me crazy, especially when I type “zypper up” and walk away to do something else only to come back and find it’s still waiting for my input regarding what to do about the stupid key) the question wasn’t answered directly. Rather, there were some of the standard (and understandable) warnings about being careful about trusting secondary sources. Which is fine, but I am choosing to trust these. I have used them for a long time and haven’t had a problem (beyond the occasional odd version conflict, which is generally easily resolvable on my end or otherwise fixed later by the maintainers).

So what’s going on? Does “(a)lways” not mean what I think it means? Is there a way that I can force it to stop asking me the same thing over and over when I’m just going to hit the same answer every time?

This happens in both Zypper and Yast, as I indicated in the subject.

Does this happen every time you use “zypper up” ?
On my installation after I choose to always trust I no longer see this unless the certificate expires.

Well, every time there’s a change in the repository (i.e., some package is updated there). If nothing has changed, it doesn’t ask, but if it has, it continues to ask. And this has been happening for quite a while. The way it’s behaving for you is exactly what I’d expect and want.

So what might be preventing that from happening?

I would guess it’s some libzypp setting. It looks as though you’ve got certification verification enabled per package and not per repository. I don’t how to change this behavior though.
Can paste in my settings once I get back to my home PC.

The next time you are asked for a cert, inspect the cert.

Although most of the repos I connect to don’t constantly ask for certificate confirmation, I’ve found recently for whatever reason the Cloud repo asks for confirmation constantly because the cert is weirdly set for a very short lifetime (about a week or two). So, it seems that a new repo cert is being generated that often which means each time it changes you need to confirm again.

The screenshot you provided of the Multimedia and Wine repos aren’t subject to that short lifetime.
Recommend you track exactly which repos you’re seeing the problem and make sure they’re these.

TSU

Just now doing a zypper search and again those same two ask what to do with the key: multimedia and Wine.

Glistwan: I would appreciate seeing your settings.

Temporarily, I’ve added the line “repo_gpgcheck=off” to the Wine.repo file in /etc/zypp/repos.d in order to see if that stops the one and not the other. Honestly, I don’t like doing that, but I think I like having to answer the same question over and over again a little less. I’m taking a chance either way, since the fact that it continuously asks for no reason means I’m not going to be double checking anyway. Hopefully there’s a better solution.

Oh, and tsu2: I didn’t think to inspect the certificate this time. I will next time.

I’m having the same problem with “hardware” and “multimedia:libs”. It’s always the same fingerprint and they don’t expire yet. I noticed if you click gpg-keys in the YaST repo manager the keys for those repos aren’t there.

Hi
Have a read of this thread, you can manually add…
https://forums.opensuse.org/showthread.php/512615-How-do-I-un-trust-a-repo

Excellent. I learned something new that I really should know. Thank you!

Now to make sure it worked. I’ll come back in a couple of days and say whether it’s repeated the same behavior or not.