Bug ID 1176818
Summary Wrong public keys in openSUSE-build-key for verifying container image signatures
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee meissner@suse.com
Reporter rhafer@suse.com
QA Contact qa-bugs@suse.de
CC sgrunert@suse.com
Found By ---
Blocker ---

The openSUSE-build-key package contains
/usr/lib/rpm/gnupg/keys/opensuse-container-key.asc and
/usr/lib/rpm/gnupg/keys/suse-container-key.asc, which symlink to the "openSUSE
Project Signing Key <opensuse@opensuse.org>" and "SuSE Package Signing Key
<build@suse.de>", but apparently the images we provide on registry.opensuse.org
are signed by some other key.

When enabling signature verification for "registry.opensuse.org" using the key
"/usr/lib/rpm/gnupg/keys/opensuse-container-key.asc", all images fail to verify
because the images are signed with a different key. Looking into the
signatures, which are fetched from "https://registry.opensuse.org/sigstore/", it
seems the images are signed by a key with the ID "D754694F9AB48CE9".

The key in /usr/lib/rpm/gnupg/keys/opensuse-container-key.asc, however, AFAICS
is "B88B2FD43DBDC284".

So something is wrong here.
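The comparison the report makes by hand, as an added example that is not part of the bug report or of any openSUSE tooling: a small Python checker that walks the OpenPGP packets of a dearmored key file (run `gpg --dearmor` on the .asc first) and of a signature blob from the sigstore directory, computes each public key's key ID and checks whether it appears among the issuer key IDs embedded in the signature. It assumes the sigstore blob is an OpenPGP binary signed message, that the packets use old-format headers and short subpacket lengths, and the sample key and signature at the bottom are constructed, not real material.

```python
import hashlib
import zlib

def packets(data):
    """Yield (tag, body) for OpenPGP packets with old-format headers (RFC 4880 4.2.1), unwrapping tag 8."""
    i = 0
    while i < len(data):
        c = data[i]
        if c & 0x40: raise ValueError("new-format packet header not handled by this example")
        size = (1, 2, 4)[c & 3]  # low two bits give the length-field size (3 = indeterminate, not handled)
        n = int.from_bytes(data[i + 1:i + 1 + size], "big")
        tag, body, i = (c >> 2) & 0x0F, data[i + 1 + size:i + 1 + size + n], i + 1 + size + n
        if tag == 8:  # compressed data: algorithm octet, then 1 = ZIP (raw DEFLATE) or 2 = ZLIB stream
            yield from packets(zlib.decompress(body[1:], -15 if body[0] == 1 else 15))
        else:
            yield tag, body

def key_id(body):
    """Key ID of a v4 public-key packet: last 8 bytes of SHA-1(0x99 || length || body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:].hex().upper()

def issuer_ids(body):
    """Issuer key IDs (subpacket type 16) in the hashed and unhashed areas of a v4 signature packet."""
    ids, i = [], 4  # skip version, signature type, public-key algorithm, hash algorithm
    for _ in range(2):
        end = i + 2 + int.from_bytes(body[i:i + 2], "big")
        i += 2
        while i < end:
            n = body[i]  # one-octet subpacket length; 192 and up is a longer form not handled here
            if n >= 192: raise ValueError("long subpacket length not handled by this example")
            if body[i + 1] & 0x7F == 16:  # high bit is only the "critical" flag
                ids.append(body[i + 2:i + 1 + n].hex().upper())
            i += 1 + n
    return ids

def check(key_data, sig_data):
    """(key IDs in the key file, issuer IDs in the signature, whether any issuer is in the key file)."""
    keys = [key_id(b) for t, b in packets(key_data) if t in (6, 14)]
    issuers = [x for t, b in packets(sig_data) if t == 2 for x in issuer_ids(b)]
    return keys, issuers, any(x in keys for x in issuers)

def mpi(n):  # OpenPGP multiprecision integer: 2-octet bit count, then the big-endian magnitude
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
# Constructed sample data (not real key material): a tiny v4 RSA public-key packet behind an old-format
# tag-6 header (0x99), and a tag-2 signature packet (header 0x88) naming whatever issuer the caller picks.
KEY_BODY = b"\x04" + (1600000000).to_bytes(4, "big") + b"\x01" + mpi(0xC0FFEE1234567890ABCDEF) + mpi(65537)
SAMPLE_KEY = b"\x99" + len(KEY_BODY).to_bytes(2, "big") + KEY_BODY

def sample_signature(issuer_hex):
    body = b"\x04\x00\x01\x08\x00\x00\x00\x09\x09\x10" + bytes.fromhex(issuer_hex) + b"\x12\x34" + mpi(0xBAD5EED)
    return b"\x88" + bytes([len(body)]) + body
```

`gpg --list-packets` on the same two files prints the same key and issuer IDs, which is the quick way to confirm what the checker reports.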
