[Bug 1188488] New: Signature verification failed for repomd.xml
http://bugzilla.opensuse.org/show_bug.cgi?id=1188488

            Bug ID: 1188488
           Summary: Signature verification failed for repomd.xml
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: screening-team-bugs@suse.de
          Reporter: jimc@jfcarter.net
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

This was all happening on 2021-07-19 around 16:00 -0700. Servers are north of me in the same timezone.

I have OpenSuSE Tumbleweed, last updated on 2021-07-14, and zypper-1.14.46-1.1.x86_64.

Due to mirror problems (reported separately) I edited /etc/zypp/repos.d/download.opensuse.org-oss.repo and also non-oss to use a specific mirror. Specifically,

  baseurl=http://sjc.edge.kernel.org/opensuse/tumbleweed/repo/oss/?proxy=http://distro...

and similarly for non-oss. The behavior is the same with my proxy running normally, with the cache cleared (rm -r), or with the proxy removed from the baseurl.

The controls that define when Squid has to do a HEAD at the origin server go like this (columns are the "refresh_pattern" keyword, regexp matching the filename, minimum age (in minutes, omit HEAD if file is younger), fraction of age to believe HEAD, maximum age (always do HEAD if the file is older)):

  # RPM files are never updated; be loose on this.
  refresh_pattern \.rpm$        5  20%   60
  # Metadata files change unexpectedly.
  refresh_pattern \.xml\.gz     0   5%   60
  refresh_pattern /repomd\.xml  0   5%   60
  # This is the system default.
  refresh_pattern .             0  20% 4320

So I'm not taking seriously possible issues with the proxy.

Now for the observed behavior. After switching to the mirror sjc.edge.kernel.org I did "zypper refresh --force". I'm showing the outcome for the oss repo but non-oss behaved identically.

  Retrieving repository 'Tumbleweed Main Repository (OSS)' metadata [.
  Signature verification failed for file 'repomd.xml' from repository 'Tumbleweed Main Repository (OSS)'...
  (omitted long warning message)
  Continue? [yes/no] (no): no
  Repository 'Tumbleweed Main Repository (OSS)' is invalid. [download.opensuse.org-oss|http://sjc.edge.kernel.org/opensuse/tumbleweed/repo/oss/?proxy=http://distro...]
  Valid metadata not found at specified URL

Right after that I downloaded repomd.xml and repomd.xml.asc and verified the signature myself -- successfully! Here are the command lines and the output from gpg (URL folded to fit on the page):

  wget -O sjc-oss-repomd.xml http://sjc.edge.kernel.org/opensuse/\
    tumbleweed/repo/oss/repodata/repomd.xml
  wget -O sjc-oss-repomd.xml.asc http://sjc.edge.kernel.org/opensuse/\
    tumbleweed/repo/oss/repodata/repomd.xml.asc
  gpg --verify sjc-oss-repomd.xml.asc sjc-oss-repomd.xml
  gpg: Signature made Sat 17 Jul 2021 10:02:00 AM PDT
  gpg:                using RSA key B88B2FD43DBDC284
  gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [full]

After making no progress diagnosing the issue (e.g. interventions with the proxy didn't help), I went for dinner, and retried "zypper refresh --force" at about 21:00. This time the oss and non-oss repos' repomd.xml signature was acceptable. In fact, the files had changed on the mirror; here, files with the A suffix are from the 21:00 retry.

  -rw-r--r-- 1 root root 10148 Jul 18 03:37 sjc-A-oss-repomd.xml
  -rw-r--r-- 1 root root   481 Jul 18 04:09 sjc-A-oss-repomd.xml.asc
  -rw-r--r-- 1 root root 10148 Jul 17 09:31 sjc-oss-repomd.xml
  -rw-r--r-- 1 root root   481 Jul 17 10:02 sjc-oss-repomd.xml.asc

The files differ (as do the checksums of the dependent files), which is not surprising for a revision posted about 1 day later.

So I'm back on the air for "patch Tuesday", but it looks like there are a lot of opportunities for version skew. Maybe you can think of some kind of procedure change that could make this kind of thing less likely.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
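The report above exercises the first link of the repodata trust chain (gpg over repomd.xml.asc) by hand; the second link is that the signed repomd.xml carries the checksum of every other metadata file, so a mirror mid-sync shows up as files whose hashes no longer match what repomd.xml declares. The following is an added example, not code from the report or from libzypp, with a constructed, minimal repomd.xml and a constructed payload standing in for primary.xml.gz:

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by real repomd.xml files (http://linux.duke.edu/metadata/repo).
NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed stand-in for the primary.xml.gz bytes a client would download.
PRIMARY_BYTES = b"constructed primary metadata payload\n"
PRIMARY_SHA = hashlib.sha256(PRIMARY_BYTES).hexdigest()


def make_repomd(revision, primary_sha):
    """Constructed repomd.xml reduced to the elements the checks below use."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>{revision}</revision>
  <data type="primary">
    <checksum type="sha256">{primary_sha}</checksum>
    <location href="repodata/{primary_sha}-primary.xml.gz"/>
  </data>
</repomd>
"""


def parse_repomd(text):
    """Map each <data type=...> entry to (hash algorithm, hex digest, href)."""
    root = ET.fromstring(text)
    entries = {}
    for data in root.findall("r:data", NS):
        cs = data.find("r:checksum", NS)
        loc = data.find("r:location", NS)
        entries[data.get("type")] = (cs.get("type"), cs.text.strip(), loc.get("href"))
    return entries


def revision_of(text):
    """The <revision> stamp, handy for spotting a mirror serving an older snapshot."""
    return int(ET.fromstring(text).find("r:revision", NS).text)


def file_matches(entry, payload):
    """True when a downloaded metadata file hashes to what the signed repomd.xml declares."""
    algo, expected, _href = entry
    return hashlib.new(algo, payload).hexdigest() == expected


def skewed_entries(mirror_text, reference_text):
    """Data types whose checksum on the mirror differs from a reference repomd.xml."""
    mirror, ref = parse_repomd(mirror_text), parse_repomd(reference_text)
    return sorted(t for t in ref if t not in mirror or mirror[t][1] != ref[t][1])
```

Comparing a mirror's repomd.xml against the one served by download.opensuse.org with skewed_entries() separates a stale or half-synced mirror from a genuinely bad signature.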
http://bugzilla.opensuse.org/show_bug.cgi?id=1188488#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
             CC|                            |Andreas.Stieger@gmx.de
      Component|Other                       |libzypp
     Resolution|---                         |WORKSFORME
       Assignee|screening-team-bugs@suse.de |zypp-maintainers@suse.de

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> ---

As for the transient problem: Rejecting a signature that does not validate is expected behavior. This may be due to the particular mirror. Which is why we recommend the use of download.opensuse.org for two reasons: 1. it served the metadata and 2. it only redirects to mirrors for files that are known to exist on it.

For your deployment, which seems to be a site of non-trivial size, you should create a private mirror and use that. You can likewise get registered to get your clients redirected from download.opensuse.org without incurring external traffic.