[Bug 1008325] New: Zypp fails to handle repositories signed with a GPG subkey
http://bugzilla.suse.com/show_bug.cgi?id=1008325

Bug ID: 1008325
Summary: Zypp fails to handle repositories signed with a GPG subkey
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: libzypp
Assignee: zypp-maintainers@forge.provo.novell.com
Reporter: ma@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

[posted on zypp-devel]
I was confused earlier today when trying to add a GPG-signed rpm-md type repository to my system. I noticed that zypper was listing the repository as not being signed. zypper refresh was telling me that the repository was signed with an unknown key and zypper lr was listing the repository as not supporting repo_gpgcheck.
After some digging around the libzypper source (14.43.0) on my system (openSUSE 13.2) I believe I've tracked down the issue.
The call to publicKeyExists in KeyRing::Impl::verifyFileSignatureWorkflow checks if the repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was signed with a subkey of a GPG key (instead of a primary key), this check will fail even though the call to VerifyFile would succeed.
Not sure what the best solution is for zypper, but one potential solution would be to simply ask GPG to verify the signature using the general keyring without first checking if a matching key id is in the keyring. The logic in verifyFileSignatureWorkflow can then be simplified as GPG would figure out if there's a matching key and this issue would be avoided.
-- You are receiving this mail because: You are on the CC list for the bug.
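To make the mismatch concrete, here is an added Python model of the lookup the report describes (my own illustration, not libzypp code): it parses a constructed `gpg --with-colons --list-keys` listing and a constructed `gpg --status-fd` line, and shows that checking the signer's key ID only against primary key IDs misses a signature made with a subkey, while a map that also covers subkeys resolves it to its primary key. All key IDs, fingerprints and the user ID are constructed placeholders.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (placeholder IDs,
# not a real key): one primary key (field 5 of the pub record) with a
# signing subkey (field 5 of the sub record).
KEYRING_LISTING = """\
pub:-:4096:1:AAAA000011112222:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666AAAA000011112222:
uid:-::::1400000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Repo Key <repo@example.invalid>::::::::::0:
sub:-:4096:1:BBBB333344445555:1400000000::::::s::::::23:
fpr:::::::::7777888899990000AAAABBBBCCCCDDDDBBBB333344445555:
"""

# Constructed `gpg --status-fd` line for a repomd.xml.asc made with the subkey.
STATUS_SUBKEY = [
    "[GNUPG:] GOODSIG BBBB333344445555 Example Repo Key <repo@example.invalid>",
]

def parse_keyring(listing):
    """Map every key ID in the listing (primary and subkeys) to its primary key ID."""
    owner = {}
    primary = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            primary = fields[4]
            owner[primary] = primary
        elif fields[0] == "sub" and primary is not None:
            owner[fields[4]] = primary
    return owner

def signer_keyid(status_lines):
    """Return the (sub)key ID gpg names in its GOODSIG/BADSIG/ERRSIG status line."""
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] (?:GOODSIG|BADSIG|ERRSIG) ([0-9A-F]{16})\b", line)
        if m:
            return m.group(1)
    return None

def key_known_primary_only(keyid, owner):
    """The lookup the report describes: only primary key IDs count as 'known'."""
    return keyid in set(owner.values())

def resolve_signer(status_lines, owner):
    """Subkey-aware lookup: primary key ID that owns the signing key, or None."""
    return owner.get(signer_keyid(status_lines))
```

With the sample keyring, `key_known_primary_only` rejects the subkey signature even though `resolve_signer` finds its primary key; a status line for a key ID absent from the listing resolves to None, which is the "unknown key" case.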
http://bugzilla.suse.com/show_bug.cgi?id=1008325#c33
--- Comment #33 from Michael Andres
root@fibonacci:~ (4) $ zypper -v ref google-chrome-stable
Verbosity: 1
...
Checking whether to refresh metadata for google-chrome-stable
Retrieving: repomd.xml.asc ..................[done]
Retrieving: repomd.xml.key .............[not found]
Retrieving: repomd.xml ......................[done]
Warning: File 'repomd.xml' from repository 'google-chrome-stable' is signed with an unknown key '1397BC53640DB551'.

The repo provides no .key file, so the message is right.