On Thu, Apr 29, 2021 at 04:20:33PM +0200, cagsm wrote:
On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek wrote:
No, as it is zypper downloads the rpm packages, which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys, rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not be verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone, but your system will be potentially compromised because no method of verification for these new signing keys is provided.
I don't really understand this answer. Bottom line: the zypper dup yesterday did a completely unverified, easily man-in-the-middle-attackable upgrade of the previously fine 15.2 system. Is this assumption correct?
There are two verifications - by zypper and by rpm. You get a warning from rpm, but the package should have been verified by zypper anyway.

HTH
Michal