Bug ID 1188488
Summary Signature verification failed for repomd.xml
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee screening-team-bugs@suse.de
Reporter jimc@jfcarter.net
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

This was all happening on 2021-07-19 around 16:00 -0700.  Servers are
north of me in the same timezone.  I have openSUSE Tumbleweed, last
updated on 2021-07-14, and zypper-1.14.46-1.1.x86_64.

Due to mirror problems (reported separately) I edited 
/etc/zypp/repos.d/download.opensuse.org-oss.repo and also non-oss
to use a specific mirror.  Specifically, 
baseurl=http://sjc.edge.kernel.org/opensuse/tumbleweed/repo/oss/?proxy=http://distro.cft.ca.us:3128
and similarly for non-oss.  The behavior is the same with my proxy
running normally, with the cache cleared (rm -r), or with the proxy
removed from the baseurl.  The controls that define when Squid has to
do a HEAD at the origin server go like this (columns are the
"refresh_pattern" keyword, regexp matching the filename, minimum age
in minutes (omit HEAD if file is younger), fraction of age to believe
HEAD, and maximum age (always do HEAD if the file is older)):

# RPM files are never updated; be loose on this.  
refresh_pattern \.rpm$          5       20%     60
# Metadata files change unexpectedly.  
refresh_pattern \.xml\.gz       0       5%      60
refresh_pattern /repomd\.xml    0       5%      60
# This is the system default.  
refresh_pattern .               0       20%     4320

So I'm not taking seriously possible issues with the proxy.  

Now for the observed behavior.  After switching to the mirror
sjc.edge.kernel.org I did "zypper refresh --force".  I'm showing the
outcome for the oss repo but non-oss behaved identically.  

Retrieving repository 'Tumbleweed Main Repository (OSS)' metadata [.
Signature verification failed for file 'repomd.xml' from repository 
    'Tumbleweed Main Repository (OSS)'... (omitted long warning message)
    Continue? [yes/no] (no): no
Repository 'Tumbleweed Main Repository (OSS)' is invalid.
[download.opensuse.org-oss|http://sjc.edge.kernel.org/opensuse/tumbleweed/repo/oss/?proxy=http://distro.cft.ca.us:3128] 
    Valid metadata not found at specified URL

Right after that I downloaded repomd.xml and repomd.xml.asc and verified
the signature myself -- successfully!  Here are the command lines and
the output from gpg (URL folded to fit on the page):

wget -O sjc-oss-repomd.xml http://sjc.edge.kernel.org/opensuse/\
tumbleweed/repo/oss/repodata/repomd.xml
wget -O sjc-oss-repomd.xml.asc http://sjc.edge.kernel.org/opensuse/\
tumbleweed/repo/oss/repodata/repomd.xml.asc
gpg --verify sjc-oss-repomd.xml.asc sjc-oss-repomd.xml
gpg: Signature made Sat 17 Jul 2021 10:02:00 AM PDT
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing 
        Key <opensuse@opensuse.org>" [full]

After making no progress diagnosing the issue (e.g. interventions with
the proxy didn't help), I went for dinner, and retried "zypper refresh
--force" at about 21:00. This time the oss and non-oss repos' repomd.xml
signature was acceptable.  In fact, the files had changed on the mirror;
here, files with the A suffix are from the 21:00 retry.

-rw-r--r-- 1 root root 10148 Jul 18 03:37 sjc-A-oss-repomd.xml
-rw-r--r-- 1 root root   481 Jul 18 04:09 sjc-A-oss-repomd.xml.asc
-rw-r--r-- 1 root root 10148 Jul 17 09:31 sjc-oss-repomd.xml
-rw-r--r-- 1 root root   481 Jul 17 10:02 sjc-oss-repomd.xml.asc

The files differ (as do the checksums of the dependent files), which
is not surprising for a revision posted about 1 day later.  

So I'm back on the air for "patch Tuesday", but it looks like there
are a lot of opportunities for version skew.  Maybe you can think of
some kind of procedure change that could make this kind of thing less
likely.
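Added example (not part of the bug report, and not zypper or openSUSE project code): a small triage script for exactly this kind of failure. When a detached signature over repomd.xml fails to verify, the timestamps already present in the two files say which side of the pair is stale. createrepo records each data file's mtime as a unix epoch in repomd.xml's <timestamp> elements, and the signature packet in repomd.xml.asc carries its own creation time, which `gpg --list-packets` prints whether or not the signature verifies. If the signature predates the newest metadata timestamp, the mirror served a rebuilt repomd.xml with the previous snapshot's .asc; if the signature is newer than the metadata, either the repomd.xml is stale or it was altered, and timestamps alone cannot distinguish those. The sample repomd.xml fragment and `--list-packets` output below are constructed, with epochs chosen to match the wall-clock times in the directory listing above; the `run_gpg` helper is the only part that touches a real gpg and is not exercised offline.

```python
"""Triage 'Signature verification failed for repomd.xml' by comparing the
metadata build time inside repomd.xml with the creation time of the detached
signature in repomd.xml.asc.

Added example, not zypper/openSUSE code.  Assumes: createrepo wrote a unix
epoch into each <data><timestamp>, and `gpg --list-packets` prints the
signature packet's 'created <epoch>' field.  All sample data is constructed.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import Tuple

REPO_NS = "{http://linux.duke.edu/metadata/repo}"


def newest_metadata_timestamp(repomd_xml: str) -> int:
    """Newest <timestamp> among the <data> entries, i.e. the moment the
    metadata set was last (re)built by createrepo."""
    root = ET.fromstring(repomd_xml)
    stamps = [int(el.text.strip()) for el in root.iter(REPO_NS + "timestamp")]
    if not stamps:
        raise ValueError("repomd.xml carries no <timestamp> elements")
    return max(stamps)


def signature_created(list_packets_output: str) -> int:
    """Creation time of the signature packet, parsed from `gpg --list-packets`.
    Available even when the signature does not verify (unlike VALIDSIG)."""
    in_sig = False
    for line in list_packets_output.splitlines():
        if line.startswith(":"):                      # packet header line
            in_sig = line.startswith(":signature packet:")
            continue
        if in_sig:
            m = re.search(r"\bcreated (\d+)", line)
            if m:
                return int(m.group(1))
    raise ValueError("no signature packet with a creation time found")


def diagnose(repomd_xml: str, list_packets_output: str, verified: bool) -> str:
    """Classify a repomd.xml / repomd.xml.asc pair.

    'consistent'             signature verified; nothing to do.
    'stale-asc'              verification failed and the signature predates the
                             metadata build: rebuilt repomd.xml, old .asc.
    'stale-xml-or-tampered'  verification failed and the signature is newer
                             than the metadata: old repomd.xml beside a new
                             .asc, or an altered file.  Timestamps cannot tell
                             these apart; refetch both before trusting either.
    """
    if verified:
        return "consistent"
    built = newest_metadata_timestamp(repomd_xml)
    created = signature_created(list_packets_output)
    return "stale-asc" if created < built else "stale-xml-or-tampered"


def run_gpg(asc_path: str, xml_path: str) -> Tuple[bool, str]:
    """Real-world entry point: verify the pair, then dump the signature packet.
    Requires the openSUSE signing key to already be in the gpg keyring."""
    verify = subprocess.run(["gpg", "--verify", asc_path, xml_path],
                            capture_output=True)
    packets = subprocess.run(["gpg", "--list-packets", asc_path],
                             capture_output=True, text=True)
    return verify.returncode == 0, packets.stdout


# Constructed repomd.xml (checksums shortened).  Epochs match the listing
# above: metadata built Jul 17 09:31 PDT, signed Jul 17 10:02 PDT.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1626539460</revision>
  <data type="primary">
    <checksum type="sha256">0123abcd</checksum>
    <location href="repodata/0123abcd-primary.xml.gz"/>
    <timestamp>1626539460</timestamp>
    <size>12345</size>
  </data>
  <data type="filelists">
    <checksum type="sha256">4567ef01</checksum>
    <location href="repodata/4567ef01-filelists.xml.gz"/>
    <timestamp>1626539400</timestamp>
    <size>23456</size>
  </data>
</repomd>
"""
# The same repository rebuilt the next day (Jul 18 03:37 PDT).
REBUILT_REPOMD = SAMPLE_REPOMD.replace("1626539460", "1626604620")

# Constructed `gpg --list-packets repomd.xml.asc` output.
SAMPLE_PACKETS = """# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid B88B2FD43DBDC284
\tversion 4, created 1626541320, md5len 0, sigclass 0x00
\tdigest algo 8, begin of digest 7a 1c
\thashed subpkt 2 len 4 (sig created 2021-07-17)
"""
# A signature made the next day (Jul 18 04:09 PDT).
NEWER_PACKETS = SAMPLE_PACKETS.replace("1626541320", "1626606540")

if __name__ == "__main__":
    print("matching pair      :", diagnose(SAMPLE_REPOMD, SAMPLE_PACKETS, True))
    print("new xml, old asc   :", diagnose(REBUILT_REPOMD, SAMPLE_PACKETS, False))
    print("old xml, new asc   :", diagnose(SAMPLE_REPOMD, NEWER_PACKETS, False))
```

To use it against a real mirror, fetch repodata/repomd.xml and repodata/repomd.xml.asc into a scratch directory, call `run_gpg` on them, and hand its two results plus the file contents to `diagnose`. A 'stale-asc' verdict is the signal that the mirror (or a cache in front of it) handed out the two files from different snapshots, which is the version-skew window the report above is pointing at.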
