On Friday 28 October 2016 01:16:26 Joe Damato wrote:
Greetings:
I was confused earlier today when trying to add a GPG-signed rpm-md type repository to my system. I noticed that zypper was listing the repository as not being signed. zypper refresh was telling me that the repository was signed with an unknown key and zypper lr was listing the repository as not supporting repo_gpgcheck.
After some digging around the libzypper source (14.43.0) on my system (openSUSE 13.2) I believe I've tracked down the issue.
The call to publicKeyExists in KeyRing::Impl::verifyFileSignatureWorkflow checks if the repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was signed with a subkey of a GPG key (instead of a primary key), this check will fail even though the call to VerifyFile would succeed.
Is this a known issue?
No. Thanks for hunting and reporting it. I opened a bug at https://bugzilla.suse.com/show_bug.cgi?id=1008325

Please be so kind to attach your repomd.xml, .asc and .key file to the bug, so we can verify a fix.

--
cu,
Michael Andres

Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
Michael Andres, SUSE LINUX GmbH, Development, ma@suse.com
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 74 053-0
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
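The lookup mismatch reported in this thread, as an added example that is not libzypp code and not from either poster: it parses a constructed `gpg --with-colons` style listing and compares a primary-ID-only lookup with one that also resolves signing subkeys to their primary key. All key IDs and the function names are made up for the illustration.

```python
# Constructed sample in `gpg --with-colons --list-keys` record format:
# one primary key, one signing subkey, one encryption-only subkey.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAA1111BBBB2222:1477000000:::-:::scESC:
uid:-::::1477000000::0000::Example Repo <repo@example.invalid>:
sub:-:4096:1:CCCC3333DDDD4444:1477000000::::::s:
sub:-:4096:1:EEEE5555FFFF6666:1477000000::::::e:
"""


def parse_keyring(listing):
    """Return {primary_id: {subkey_id: capabilities}} from colon records."""
    keys, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12:
            continue
        record, key_id, caps = fields[0], fields[4].upper(), fields[11]
        if record == "pub":
            current = key_id
            keys[current] = {}
        elif record == "sub" and current is not None:
            keys[current][key_id] = caps
    return keys


def primary_only_lookup(keys, signer_id):
    """Model of the failing check: only primary key IDs count as known."""
    return signer_id.upper() in keys


def resolve_signer(keys, signer_id):
    """Map a signature's key ID to the primary key that owns it.

    Subkeys match only if they carry the signing capability ('s'),
    so an encryption-only subkey ID is not accepted as a signer.
    """
    signer_id = signer_id.upper()
    for primary, subkeys in keys.items():
        if signer_id == primary:
            return primary
        if "s" in subkeys.get(signer_id, "").lower():
            return primary
    return None


if __name__ == "__main__":
    ring = parse_keyring(SAMPLE_LISTING)
    for kid in ("AAAA1111BBBB2222", "CCCC3333DDDD4444", "EEEE5555FFFF6666"):
        print(kid, primary_only_lookup(ring, kid), resolve_signer(ring, kid))
```

Resolving the subkey to its primary key ID also gives the identifier to compare against the repository's trusted-key list, which is keyed by primary keys.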