[Bug 1224292] New: SUMA has a problem with an old key next to a new one in 15.6
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
Bug ID: 1224292
Summary: SUMA has a problem with an old key next to a new one
in 15.6
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: lubos.kocman@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---
From Michael Calmer
there is a problem with the 15.6 repo metadata:
repomd.xml is signed, but not with the "repomd.xml.key"
$> gpg --keyid-format=long --show-keys --with-fingerprint repomd.xml.key
pub rsa2048/B88B2FD43DBDC284 2008-11-07 [SC] [expired: 2024-05-02]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid openSUSE Project Signing Key
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
Lubos Kocman
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c1
Marcus Meissner
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c2
--- Comment #2 from Adrian Schröter
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
Max Lin
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c3
--- Comment #3 from Max Lin
hm, the key is configured, but the public key file was missing on our main backend.
Please try a rebuild for verification.
that is Build695.1 and Build696.2 FYI -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c4
Lubos Kocman
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c5
Michael Calmer
GET /distribution/leap/15.6/repo/oss/repodata/repomd.xml.key HTTP/2 Host: download.opensuse.org user-agent: curl/8.0.1 accept: */* ... < HTTP/2 200 < date: Thu, 16 May 2024 11:20:56 GMT < server: Mojolicious (Perl) < cache-control: public, max-age=231 < content-disposition: inline;filename="repomd.xml.key" < content-length: 988
Content Length of 988 is the length of the old key. The new one should have more than 1024 It also does not look like it is using a mirror. No idea what happens -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c6
--- Comment #6 from Michael Calmer
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c7
--- Comment #7 from Max Lin
Michael can you please confirm that issue is fixed for your team?
we need to publish Build696.2(with newer repo metadata has uploaded to d.o.o) in case SUMA team be able to verify it with SUSE manager or uyuni... without a publishing, the alternative options are autobuild might can verify it on build service, or do a verification on https://openqa.opensuse.org/assets/repo/openSUSE-Leap-15.6-oss-Build696.2 (the asset repo on openqa has newer repodata). -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c8
--- Comment #8 from Max Lin
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c9
Adrian Schröter
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c10
Michael Calmer
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c11
--- Comment #11 from Michael Calmer
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1224292
https://bugzilla.suse.com/show_bug.cgi?id=1224292#c12
Marcus Meissner
participants (1)
-
bugzilla_noreply@suse.com