http://bugzilla.opensuse.org/show_bug.cgi?id=906589

Bug ID: 906589
Summary: multiple repos repeatedly/frequently reporting "signed with an unknown key"
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Infrastructure
Assignee: mrueckert@suse.com
Reporter: grantksupport@operamail.com
QA Contact: lrupp@suse.com
Found By: ---
Blocker: ---

We've upgraded all our openSUSE instances to 13.2; currently several hundred across multiple sites.

As we're doing post-upgrade cleanups, etc., on `zypper *` we're seeing LOTS of 'unknown key' messages for/from repositories. For example, @ refresh,

    zypper -v ref
    Verbosity: 1
    Initializing Target
    Specified repositories:
    Checking whether to refresh metadata for Backup
    Retrieving: repomd.xml ..........................................[done]
    Repository 'Backup' is up to date.
    Checking whether to refresh metadata for BaseSystem
    Retrieving: repomd.xml ..........................................[done]
    Retrieving: repomd.xml ..........................................[done]
    Retrieving: repomd.xml.asc ......................................[done]
    Retrieving: repomd.xml.key ......................................[done]
    Retrieving: repomd.xml ..........................................[done]
    File 'repomd.xml' from repository 'BaseSystem' is signed with an unknown key '88EB5D66E2C0098C'. Continue? [yes/no] (no):

That ^^^ is just ONE example; most, if not yet all, enabled repos have returned this error at least once recently -- typically more often.

This is NEW/CHANGED behavior.

We're not alone -- we're hearing about this from multiple clients, and are bumping into similar issues/comments/questions online, in IRC, etc.

This is happening for a broad variety of repos -- home: repos, 'semi-official' repos, *AND* official release/distribution repos.

In any one run, there can be none-to-many repos that return the "signed with an unknown key". And it's happening repeatedly & frequently.
If I force a clean-up

    zypper clean --all
    rpm -qa | grep gpg-pubkey | xargs rpm -e
    zypper -vvv --gpg-auto-import-keys --no-gpg-checks ref --force

then an IMMEDIATELY subsequent `ref` or `dup`, of course, has no issues with unknown keys -- until "some time later". After a seemingly random amount of time -- just minutes to hours -- re-exec of the zypper cmd gets another mix of "unknown key" reports.

For the example above,

    cat /etc/zypp/repos.d/BaseSystem.repo
    [BaseSystem]
    name=BaseSystem
    enabled=1
    autorefresh=1
    baseurl=http://download.opensuse.org/repositories/Base:/System/openSUSE_13.2
    gpgcheck=1
    keeppackages=0
    priority=30
    type=rpm-md

Checking @ http://download.opensuse.org/repositories/Base:/System/openSUSE_13.2/repodat...

    Index of /repositories/Base:/System/openSUSE_13.2/repodata

    Name                                                                                   Last modified      Size
    Parent Directory                                                                                          -
    0ebcac183295ce4d1fde2c8f614bbe0fc481804c7948418a9ac0613ad16a5efe-primary.xml.gz        20-Nov-2014 14:48  23K
    488fb3091c6e475a247d1b10a6035dafb05519f9fbd6ddaa5265c2826517b5d0-other.xml.gz          20-Nov-2014 14:48  25K
    d5fc3d48a3aa46cf156ac47421ec3d979ba0d7849fc503437701384455726e4b-filelists.xml.gz      20-Nov-2014 14:48  47K
    repomd.xml                                                                             20-Nov-2014 14:48  1.6K
    repomd.xml.asc                                                                         20-Nov-2014 14:48  481
    repomd.xml.key                                                                         20-Nov-2014 14:48  1.1K

    Apache/2.2.12 (Linux/SUSE) Server at download.opensuse.org Port 80
    MirrorBrain powered by Apache

it's clear there's a recent "Last Modified" change to the repodata ... I do not yet know if there are ACTUAL changes, or only timestamps are changing.

At first glance, it appears that with each change to the repo's content -- specifically the filelists -- the ENTIRE file content of the /repodata dir is being re-timestamped. Including the repomd.xml.key ... which would be ONE cause of the "unknown key" issue.
It's *possible* that multiple repos have been compromised, and that blackhats are changing keys at will -- but I *seriously* doubt it; pls correct me if I'm wrong.

(1) Why are multiple repos' keys changing so frequently -- even for the same repo, sometimes multiple times within a day or so?

(2) There appears to be no mechanism/source for VALIDATING the new/updated keys from within a zypper command -- that's a potential security issue. How are keys to be validated?

--
You are receiving this mail because: You are on the CC list for the bug.
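The reporter's question (2) asks how a freshly served repomd.xml.key can be validated instead of auto-imported. The following is an added example, not part of the bug report or of zypper: it pins the full OpenPGP v4 fingerprint per repo alias (the 16-hex ID zypper prints is only the tail of that fingerprint), computes the fingerprint of a served key block by parsing the armor and the public-key packet (RFC 4880), and refuses keys that do not match the pin. The repo alias "BaseSystem" and the key packet are constructed for the demo; the pinned value would in practice come from an out-of-band record.

```python
import base64
import hashlib


def armor_to_bytes(armored: str) -> bytes:
    """Strip the ASCII-armor envelope and base64-decode the body.
    Armor headers are skipped; the trailing =CRC24 line is ignored, not verified."""
    body, in_body = [], False
    for line in armored.strip().splitlines():
        if line.startswith("-----END"):
            break
        if in_body and line and not line.startswith("="):
            body.append(line.strip())
        elif not in_body and line.strip() == "":
            in_body = True  # the blank line ends the armor headers
    return base64.b64decode("".join(body))


def v4_fingerprint(blob: bytes) -> str:
    """Walk OpenPGP packets; return the SHA-1 fingerprint of the first public-key packet (tag 6)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hl = first, 2
            elif first < 224:
                length, hl = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hl = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: low two bits give the size of the length field
            if ctb & 3 == 3:
                raise ValueError("indeterminate packet length not supported")
            tag, hl = (ctb >> 2) & 0x0F, 1 + (1 << (ctb & 3))
            length = int.from_bytes(blob[i + 1:i + hl], "big")
        body = blob[i + hl:i + hl + length]
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 public keys are handled")
            # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body)
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        i += hl + length
    raise ValueError("no public-key packet in key block")


def armor(raw: bytes) -> str:
    """Wrap raw packets in a PGP armor envelope (constructed helper; CRC line is a dummy)."""
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            + base64.b64encode(raw).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed v4 RSA public-key packet (old-format header 0x98, 15-byte body): version 4,
# creation time, algorithm 1 (RSA), then MPIs n and e. Not a real key; the values are made up.
SAMPLE_PACKET = bytes.fromhex("980f" "04" "546e7e3f" "01" "0010c3a1" "0011010001")
SAMPLE_KEY = armor(SAMPLE_PACKET)

# Fingerprints pinned out of band (recorded when the repo was provisioned). The "BaseSystem"
# entry is derived from the constructed sample so that the example runs self-contained.
PINNED = {"BaseSystem": v4_fingerprint(SAMPLE_PACKET)}


def check_repo_key(alias: str, served_key: str) -> tuple:
    """Decide whether a freshly downloaded repomd.xml.key may be trusted for this repo alias."""
    fpr = v4_fingerprint(armor_to_bytes(served_key))
    key_id = fpr[-16:]  # the long key ID zypper shows in "signed with an unknown key"
    if alias not in PINNED:
        return False, f"{alias}: no pinned fingerprint, refusing to auto-import key {key_id}"
    if fpr != PINNED[alias]:
        return False, f"{alias}: served key {key_id} does not match the pinned fingerprint"
    return True, f"{alias}: served key {key_id} matches the pin"
```

A re-timestamped but unchanged repomd.xml.key yields the same fingerprint and passes; a key with different material, or a repo with no pin, is rejected rather than imported.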