https://bugzilla.suse.com/show_bug.cgi?id=1176818

            Bug ID: 1176818
           Summary: Wrong public keys in openSUSE-build-key for verifying
                    container image signatures
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: meissner@suse.com
          Reporter: rhafer@suse.com
        QA Contact: qa-bugs@suse.de
                CC: sgrunert@suse.com
          Found By: ---
           Blocker: ---

The openSUSE-build-keys package contains
/usr/lib/rpm/gnupg/keys/opensuse-container-key.asc and
/usr/lib/rpm/gnupg/keys/suse-container-key.asc which symlink to the
"openSUSE Project Signing Key <opensuse@opensuse.org>" and
"SuSE Package Signing Key <build@suse.de>" but apparently the images we provide
on registry.opensuse.org are signed by some other key.

When enabling signature verification for "registry.opensuse.org" using the key
"/usr/lib/rpm/gnupg/keys/opensuse-container-key.asc" all images fail to verify
because the images are signed with a different key.

Looking into the signatures, which are fetched from
"https://registry.opensuse.org/sigstore/", it seems the images are signed by a
key with the ID "D754694F9AB48CE9". The key in
/usr/lib/rpm/gnupg/keys/opensuse-container-key.asc however AFAICS is:
"B88B2FD43DBDC284". So something is wrong here.
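
The check described in the report, reading the signer key ID out of a signature and comparing it with the key IDs of the configured key file, as an added Python example (not code from this bug or from any openSUSE project). It assumes the signature is a binary OpenPGP signed message as `gpg --sign` produces; the function names are hypothetical and `SAMPLE` is constructed bytes, not a signature fetched from the registry.

```python
import zlib

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in binary data (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not binary OpenPGP data (dearmor ASCII input first)")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            size = (1, 2, 4, 0)[ltype]  # length type 3: body runs to end of data
            n = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size
        yield tag, data[i:i + n]
        i += n

def signer_key_ids(data):
    """Key IDs named by one-pass signature packets, descending into compression."""
    ids = []
    for tag, body in packets(data):
        if tag == 8 and body[:1] in (b"\x01", b"\x02"):  # 1 = raw deflate, 2 = zlib
            ids += signer_key_ids(zlib.decompress(body[1:], -15 if body[0] == 1 else 15))
        elif tag == 4 and len(body) == 13 and body[0] == 3:  # key ID is octets 4..11
            ids.append(body[4:12].hex().upper())
    return ids

def unexpected_signers(sig, keyring_ids):
    """Signer key IDs absent from keyring_ids (primary and subkey IDs of the key file)."""
    return [k for k in signer_key_ids(sig) if k not in keyring_ids]

# Constructed sample, not a real registry signature: a zlib-compressed packet
# wrapping a one-pass signature packet that names the signer ID from the report.
ONEPASS = bytes([3, 0x00, 8, 1]) + bytes.fromhex("D754694F9AB48CE9") + b"\x01"
SAMPLE = b"\xA3\x02" + zlib.compress(bytes([0xC4, 13]) + ONEPASS)
```

Calling `unexpected_signers(SAMPLE, {"B88B2FD43DBDC284"})` returns the signer ID that the key file does not cover, which is the mismatch the report describes. This only reads the claimed key ID and verifies nothing cryptographically.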