Bug ID 1130292
Summary After fresh install of Leap 15 can not apply patches zypper provides packages with wrong check sums
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.0
Hardware 64bit
OS Other
Status NEW
Severity Critical
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter kiv@mail.orbitel.bg
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Created attachment 801023
Screen shot with the error message during a try to download the current patches

After a fresh install of openSUSE Leap 15.0 today, I cannot apply the
package updates. I got a message window which states:
"The software is not from a trusted source. Do not update packages unless you
are sure it is safe to do so".
Please see the attached screenshot.
Also, I cannot install any software with zypper.
Also, when trying to install, for example, openvpn, I got the following:
# zypper in openvpn
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following package is going to be upgraded:
  openvpn

1 package to upgrade.
Overall download size: 562,0 KiB. Already cached: 0 B. No additional
space will be used or freed after the operation.
Continue? [y/n/...? shows all options] (y): 
Retrieving package openvpn-2.4.3-lp150.3.3.1.x86_64
                               (1/1), 562,0 KiB (  1,3 MiB unpacked)
Retrieving delta: ./x86_64/openvpn-2.4.3-lp150.2.10_lp150.3.3.1.x86_64.drpm,
45,5 KiB
Retrieving: openvpn-2.4.3-lp150.2.10_lp150.3.3.1.x86[done (402 B/s)]

Warning: Digest verification failed for file
'openvpn-2.4.3-lp150.2.10_lp150.3.3.1.x86_64.drpm'
[/var/cache/zypp/packages/repo-update/x86_64/openvpn-2.4.3-lp150.2.10_lp150.3.3.1.x86_64.drpm]

  expected 7a363f8c181d7ef2d4d8ecf3fc1935f695729f48d1fbac24af737d145cc35f0a
  but got  1574ad2d6e2bab21ebfa88c314fa9a0ac5b5ba87301bea4f1c53fd517e755db8

Accepting packages with wrong checksums can lead to a corrupted system and in
extreme cases even to a system compromise.

However if you made certain that the file with checksum '1574..' is secure,
correct
and should be used within this operation, enter the first 4 characters of the
checksum
to unblock using this file on your own risk. Empty input will discard the file.

Unblock or discard? [1574/...? shows all options] (discard):

Can we expect that last night the openSUSE Leap repository got hacked?
Or maybe something went wrong in the production of the patches?

If in reality there is a security breach in the repository, as it looks like,
please check this issue and, if possible, restore the repositories to
their initial stable and secure state, as users expect.

