Mailinglist Archive: opensuse-buildservice (153 mails)

[opensuse-buildservice] multiple repos are repeatedly/frequently reporting "signed with an unknown key". what's misconfigured/broken, or ... ?
We've upgraded all our opensuse instances to 13.2; currently several hundred
across multiple sites.

As we're doing post-upgrade cleanups, etc, on `zypper *` we're seeing LOTS of
'unknown key' messages for/from repositories, for example, @ refresh,

zypper -v ref
Verbosity: 1
Initializing Target
Specified repositories:
Checking whether to refresh metadata for Backup
Retrieving: repomd.xml
................................................................................................................................................................................................................[done]
Repository 'Backup' is up to date.
Checking whether to refresh metadata for BaseSystem
Retrieving: repomd.xml
................................................................................................................................................................................................................[done]
Retrieving: repomd.xml
................................................................................................................................................................................................................[done]
Retrieving: repomd.xml.asc
............................................................................................................................................................................................................[done]
Retrieving: repomd.xml.key
............................................................................................................................................................................................................[done]
Retrieving: repomd.xml
................................................................................................................................................................................................................[done]
File 'repomd.xml' from repository 'BaseSystem' is signed with
an unknown key '88EB5D66E2C0098C'. Continue? [yes/no] (no):

That ^^^ is just ONE example; most, if not yet all, enabled repos have returned
this error at least once recently -- typically more often.

This is NEW/CHANGED behavior. We're not alone -- we're hearing about this from
multiple clients, and are bumping into similar issues/comments/questions
online, in IRC, etc.

This is happening for a broad variety of repos -- home: repos, 'semi-official'
repos, *AND* official release/distribution repos.

In any one run, there can be none-to-many repos that return the "signed with an
unknown key" message.

And, it's happening repeatedly & frequently.

If I force clean up

zypper clean --all
rpm -qa | grep gpg-pubkey | xargs rpm -e
zypper -vvv --gpg-auto-import-keys --no-gpg-checks ref --force

then, an IMMEDIATELY subsequent `ref` or `dup`, of course, has no issues with
unknown keys -- until "some time later". After a seemingly random amount of
time -- just minutes to hours -- re-exec of the zypper cmd gets another mix of
"unknown key" reports.

For the example above,

cat /etc/zypp/repos.d/BaseSystem.repo
[BaseSystem]
name=BaseSystem
enabled=1
autorefresh=1

baseurl=http://download.opensuse.org/repositories/Base:/System/openSUSE_13.2
gpgcheck=1
keeppackages=0
priority=30
type=rpm-md

Checking @ http://download.opensuse.org/repositories/Base:/System/openSUSE_13.2/repodata/

Index of /repositories/Base:/System/openSUSE_13.2/repodata

Name                                                                               Last modified      Size
Parent Directory                                                                                      -
0ebcac183295ce4d1fde2c8f614bbe0fc481804c7948418a9ac0613ad16a5efe-primary.xml.gz    20-Nov-2014 14:48  23K
488fb3091c6e475a247d1b10a6035dafb05519f9fbd6ddaa5265c2826517b5d0-other.xml.gz      20-Nov-2014 14:48  25K
d5fc3d48a3aa46cf156ac47421ec3d979ba0d7849fc503437701384455726e4b-filelists.xml.gz  20-Nov-2014 14:48  47K
repomd.xml                                                                         20-Nov-2014 14:48  1.6K
repomd.xml.asc                                                                     20-Nov-2014 14:48  481
repomd.xml.key                                                                     20-Nov-2014 14:48  1.1K

Apache/2.2.12 (Linux/SUSE) Server at download.opensuse.org Port 80
MirrorBrain powered by Apache

it's clear there's a recent "Last Modified" change to the repodata ... I do not
yet know if there are ACTUAL changes, or only timestamps are changing.

At first glance, it appears that with each change to the repo's content --
specifically the filelists -- the ENTIRE file content of the /repodata dir is
being re-timestamped.

Including the repomd.xml.key ... which would be ONE cause of the "unknown key"
issue.

It's *possible* that multiple repos have been compromised, and that blackhats
are changing keys at will -- but I *seriously* doubt it; pls correct me if I'm
wrong.

(1) Why are multiple repos' keys changing so frequently -- even for the same
repo, sometimes multiple times within a day or so?
(2) There appears to be no mechanism/source for VALIDATING the new/updated keys
from within a zypper command -- That's a potential security issue. How are
keys to be validated?
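An added check, not from the post and not part of zypper or openSUSE, that a defender can run over captured `zypper ref` output to decide how each "unknown key" prompt should be answered: it compares the reported key ID against the gpg-pubkey packages rpm already holds and against a per-repo list of key IDs pinned out of band. The TRUSTED_KEYS mapping, the home_example repo and the rpm package name are constructed assumptions; the BaseSystem alias and key ID are the ones quoted above.

```python
import re

# Per-repository key IDs verified out of band (constructed mapping; the alias
# and key ID are the ones quoted in the post).
TRUSTED_KEYS = {"BaseSystem": {"88EB5D66E2C0098C"}}

# zypper wraps the prompt over two lines, hence \s+ between the halves.
UNKNOWN_KEY_RE = re.compile(
    r"from repository '(?P<repo>[^']+)' is signed with\s+"
    r"an unknown key '(?P<keyid>[0-9A-Fa-f]{8,16})'")

# Constructed sample input: the prompt quoted in the post plus a made-up second
# repo, and a made-up package name as `rpm -qa gpg-pubkey` would print it.
SAMPLE_ZYPPER = """File 'repomd.xml' from repository 'BaseSystem' is signed with
an unknown key '88EB5D66E2C0098C'. Continue? [yes/no] (no):
File 'repomd.xml' from repository 'home_example' is signed with
an unknown key '0123456789ABCDEF'. Continue? [yes/no] (no):
"""
SAMPLE_RPM = "gpg-pubkey-0badc0de-54321abc\n"

def unknown_key_prompts(zypper_output):
    """Return (repo, keyid) for every 'unknown key' prompt in zypper output."""
    return [(m.group("repo"), m.group("keyid").upper())
            for m in UNKNOWN_KEY_RE.finditer(zypper_output)]

def installed_short_ids(rpm_qa_output):
    """Parse `rpm -qa gpg-pubkey` names (gpg-pubkey-<shortid>-<created>)."""
    ids = set()
    for line in rpm_qa_output.splitlines():
        m = re.match(r"gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$", line.strip())
        if m:
            ids.add(m.group(1).upper())
    return ids

def classify(repo, keyid, installed):
    """installed: rpm already holds it (stale zypper state); pinned: matches the
    out-of-band ID, import it; reject: anything else, answer the prompt 'no'."""
    if keyid[-8:] in installed:        # rpm names use the 8-hex-digit short ID
        return "installed"
    if keyid in TRUSTED_KEYS.get(repo, set()):
        return "pinned"
    return "reject"

def audit(zypper_output, rpm_qa_output):
    """One (repo, keyid, verdict) per prompt found in the captured output."""
    installed = installed_short_ids(rpm_qa_output)
    return [(repo, kid, classify(repo, kid, installed))
            for repo, kid in unknown_key_prompts(zypper_output)]
```

For live use, pass the captured output of `zypper ref` and of `rpm -qa gpg-pubkey` to audit(); anything that comes back as "reject" is a key the host has no independent reason to trust.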