15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx - openSUSE Factory - openSUSE Mailing Lists

newer
15.3: updated packages without...

15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx

older
packagekit icon has issue showing...

cagsm

28 Apr 2021 28 Apr '21

17:24

hi list, 15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx something like that. is this the way dup goes? did dup according to upgrade instructions on wiki ty

Reply

Sign in to reply online Use email software

Show replies by date

Axel Braun

28 Apr 28 Apr

18:10

Hello cagsm, Am Mittwoch, 28. April 2021, 19:24:08 CEST schrieb cagsm:

15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx

something like that. is this the way dup goes? did dup according to upgrade instructions on wiki

Was the Leap 15.2 system fully up-to-date before you started the upgrade? Actually, I dod not see this issue during my upgade tests.... Cheers Axel

Reply

Sign in to reply online Use email software

cagsm

19:56

On Wed, Apr 28, 2021 at 8:10 PM Axel Braun wrote:

...
15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx something like that. is this the way dup goes? did dup according to upgrade instructions on wiki Was the Leap 15.2 system fully up-to-date before you started the upgrade? Actually, I dod not see this issue during my upgade tests....

yes of course. leap 15.2 most current. all updates patches as of today applied. then via command zypper --releasever=15.3 dup --download-in-advance seemingly with every rpm applied, those signature version v3/sha256 and key id xxxxx messages were printed amongst other messages every now and then according to the package applied will see how this unfolds when i boot the machine. ty.

Reply

Sign in to reply online Use email software

cagsm

21:05

apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though) is 0x9c214d4065176565 for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere? p.s. searchengine finds something here though: https://build.opensuse.org/project/keys_and_certificates/openSUSE:Backports:... is this fixworthy?

Reply

Sign in to reply online Use email software

cagsm

21:10

On Wed, Apr 28, 2021 at 11:05 PM cagsm wrote:

apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though) p.s. searchengine finds something here though:

google finds 3 (three) hits on the internet as whole ;( http://web.archive.org/web/20210428210742/https://www.google.com/search?hl=en&q=9c214d4065176565

Reply

Sign in to reply online Use email software

Carlos E. R.

21:13

On 28/04/2021 23.05, cagsm wrote:

apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though)

is

0x9c214d4065176565

for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere?

Bugzilla. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)

Reply

Sign in to reply online Use email software

dieter

29 Apr 29 Apr

06:51

On Wed, 28 Apr 2021 23:05:42 +0200 cagsm wrote:

apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though)

is

0x9c214d4065176565

for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere?

p.s. searchengine finds something here though: https://build.opensuse.org/project/keys_and_certificates/openSUSE:Backports:...

is this fixworthy? There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

In the bug is also documented where the missing keys can be found for manual import as workaround. And how to configure zypper or the repo settings so that unverified RPMs are not installed. Regards, Dieter

Reply

Sign in to reply online Use email software

cagsm

13:26

On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

Okay thank you lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper conntected and fetched all those rpm files. So when the whole dup process, for i would bet, each and every rpm it fetched, printed out those missing key error lines and entries, then the dup process could have fetched "god" knows what kind of bits, thus totally compromising this system here. When this bug report exists like in the beginning of April, how can suse folks push a piece of software with the attribute "release candidate" with such a serious security issue? Should I abandon this machine and start from scratch? how can this be of RC grade at all for such essential security related things going so wrong? Am I only imagining things or exaggerating? Or is this a real attack vector and real fail of the software developers? I feel seriously disappointed and let down in these situations. Dont want to offend anyone personally, but in my opinion i want to "attack" the technical roles and stake holders if this turns out to be true. I seriously dislike the situations when having this much power and responsibility and releasing this kind of situation on the public. ty.

Reply

Sign in to reply online Use email software

Michal Suchánek

13:36

On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:

On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

Okay thank you lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper conntected and fetched all those rpm files.

No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not by verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentailly compromised because no method of verification for these new signing keys is provided. Thanks Michal

Reply

Sign in to reply online Use email software

Manfred Schwarb

14:02

Am 29.04.21 um 15:36 schrieb Michal Suchánek:

On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:

...
On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

Okay thank you lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper conntected and fetched all those rpm files.

The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_. It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped. Cheers, Manfred

Reply

Sign in to reply online Use email software

Michal Suchánek

14:14

On Thu, Apr 29, 2021 at 04:02:35PM +0200, Manfred Schwarb wrote:

Am 29.04.21 um 15:36 schrieb Michal Suchánek:

...
On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:

...
On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

Okay thank you lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper conntected and fetched all those rpm files.

The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.

It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.

It's not about mirrors supporting https. Anyone can create a web site that supports https and place some packages on it. You need to be able to verify the origin of the package. Thanks Michal

Reply

Sign in to reply online Use email software

Andrei Borzenkov

14:23

On Thu, Apr 29, 2021 at 5:02 PM Manfred Schwarb wrote:

The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.

It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.

I count exactly three TW mirrors with https. This is far less than "most".

Reply

Sign in to reply online Use email software

Per Jessen

18:24

Andrei Borzenkov wrote:

On Thu, Apr 29, 2021 at 5:02 PM Manfred Schwarb wrote:

...
The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.

It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.

I count exactly three TW mirrors with https. This is far less than "most".

Yeah. Not forgetting that mirrorbrain does not support https. -- Per Jessen, Zürich (11.6°C) Member, openSUSE Heroes

Reply

Sign in to reply online Use email software

cagsm

14:20

On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek wrote:

No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not by verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentailly compromised because no method of verification for these new signing keys is provided.

dont really understand this answer. bottom line: the zypper dup yesterday, did a completely unverified easily man-in-the-middle-attack-able upgrade of the previously fine 15.2 system. is this assumption correct? from inside thise malicious 15.3 is there a mathematically sound way to re-evaluate all the currently installed packages and (re-)verify them with the (hopefully?) installed keys that it complained about during the dup? how would I verify all the installed bits and pieces and rpm files from inside 15.3 rc? also in that bug I read about libzypp or something still needing to implement this upgrade scenario and missing keys and stuff. will this be available during GA release of 15.3 finaly situation? or what other workaround steps are mandatory at the moment such as: manually fetching gpg keys from somewhere, importing them, and only zypper dup after those additional steps? shouldnt this be put up into https://en.opensuse.org/SDB:System_upgrade pretty much immediately notifying people about this serious security issue when coming from a safe and secure 15.2 and dup-ing to 15.3 rc? am I the only one worried by the current situation? is this perfectly normal for all the involved suse staff, developers, maintainers, admins etc? ty.

Reply

Sign in to reply online Use email software

Michal Suchánek

14:28

On Thu, Apr 29, 2021 at 04:20:33PM +0200, cagsm wrote:

On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek wrote:

...
No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not by verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentailly compromised because no method of verification for these new signing keys is provided.

dont really understand this answer. bottom line: the zypper dup yesterday, did a completely unverified easily man-in-the-middle-attack-able upgrade of the previously fine 15.2 system. is this assumption correct?

There are two verifications - by zypper and by rpm. You get warning from rpm but the package should have been verified by zypper anyway. HTH Michal

Reply

Sign in to reply online Use email software

cagsm

14:34

On Thu, Apr 29, 2021 at 4:28 PM Michal Suchánek wrote:

There are two verifications - by zypper and by rpm. You get warning from rpm but the package should have been verified by zypper anyway.

sorry list, I am not understand if I am compromised or not. I did a zypper dup with that releasever variable being set to 15.3 I did not skip over warnings that keys were missing or to be imported or what not. zypper dup asked me if i was okay with the release notes or legal stuff of suse llc and gpl2. and the second question it asked if i wanted to proceed with the 2000+ packages to be fetched, that summary. It then went on with downloading packages and working on them. Every package installing or updating printed those missing keys for the signature of the package line. What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and original packages bye suse llc? What do I need to do now? Am I imagining? ty.

Reply

Sign in to reply online Use email software

dieter

15:16

What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and original packages bye suse llc? What do I need to do now? Am I imagining? According to https://bugzilla.opensuse.org/show_bug.cgi?id=1184326#c1

On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote: there are two layers of verification: 1) package checksum in the signed repository metadata checked by zypper 2) individual package signatures checked by rpm. step 1) was done successfully during the upgrade for each installed package, step 2) was skipped for the packages signed by the missing keys. This bugzilla comment also says "Nevertheless the system is secure:" My advice would be: before upgrading a critical system to a new version check the open bug reports for this version, especially when it is still in the RC phase and not released yet. Kind regards, Dieter

Reply

Sign in to reply online Use email software

cagsm

5 May 5 May

09:49

On Thu, Apr 29, 2021 at 5:17 PM dieter wrote:

On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote:

...
What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and

thanks for all the replies here. Does this keys missing error supposed to be ongoing from inside the upgraded 15.3 system as well? had reasoned that once inside the 15.3 booted up, the keys would be available? today there were some 28 update packages, and they seem to all have lacked various signing keys? what mechanism will bring in these missing keys or hows this gonna be handled and fixed? ty ---------------- ( 1/28) Installing: libbellesip0-1.6.3-bp153.1.134.x86_64 .............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libbellesip0-1.6.3-bp153.1.134.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 2/28) Installing: libkolabxml1-1.1.6-bp153.1.116.x86_64 .............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libkolabxml1-1.1.6-bp153.1.116.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 3/28) Installing: libreoffice-branding-upstream-7.1.2.2-bp153.2.4.noarch ............................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-branding-upstream-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 4/28) Installing: libreoffice-icon-themes-7.1.2.2-bp153.2.4.noarch ..................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-icon-themes-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 5/28) Installing: libreoffice-l10n-en-7.1.2.2-bp153.2.4.noarch ......................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-l10n-en-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 6/28) Installing: maven-dependency-tree-3.0-bp153.1.128.noarch ......................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-dependency-tree-3.0-bp153.1.128.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 7/28) Installing: maven-reporting-impl-3.0.0-bp153.1.132.noarch .....................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-reporting-impl-3.0.0-bp153.1.132.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY ( 8/28) Installing: openSUSE-release-ftp-15.3-lp153.124.1.x86_64 ......................................................................................................................................................[done] ( 9/28) Installing: pipewire-spa-tools-0.3.24-2.1.x86_64 ..............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-spa-tools-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (10/28) Installing: telepathy-mission-control-plugin-goa-3.12.14-bp153.1.26.x86_64 ....................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/telepathy-mission-control-plugin-goa-3.12.14-bp153.1.26.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY (11/28) Installing: usbmuxd-1.1.0-10.1.x86_64 .........................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/usbmuxd-1.1.0-10.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (12/28) Installing: wine-32bit-6.0-bp153.1.139.x86_64 .................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/wine-32bit-6.0-bp153.1.139.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY (13/28) Installing: yast2-network-4.3.67-1.1.noarch ...................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/yast2-network-4.3.67-1.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (14/28) Installing: yast2-pkg-bindings-4.3.11-1.1.x86_64 ..............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/yast2-pkg-bindings-4.3.11-1.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (15/28) Installing: yast2-trans-84.87.20210425.616915ed60-1.1.noarch ..................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/yast2-trans-84.87.20210425.616915ed60-1.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (16/28) Installing: maven-plugin-bundle-3.5.1-bp153.1.109.noarch ......................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-plugin-bundle-3.5.1-bp153.1.109.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY (17/28) Installing: openSUSE-release-15.3-lp153.124.1.x86_64 ..........................................................................................................................................................[done] (18/28) Installing: libpipewire-0_3-0-0.3.24-2.1.x86_64 ...............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libpipewire-0_3-0-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (19/28) Installing: wine-6.0-bp153.1.139.x86_64 .......................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/wine-6.0-bp153.1.139.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY (20/28) Installing: kernel-default-5.3.18-57.1.x86_64 .................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (21/28) Installing: pipewire-tools-0.3.24-2.1.x86_64 ..................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-tools-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (22/28) Installing: kernel-default-extra-5.3.18-57.1.x86_64 ...........................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-extra-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (23/28) Installing: pipewire-spa-plugins-0_2-0.3.24-2.1.x86_64 ........................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-spa-plugins-0_2-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (24/28) Installing: kernel-default-optional-5.3.18-57.1.x86_64 ........................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-optional-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (25/28) Installing: pipewire-modules-0.3.24-2.1.x86_64 ................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-modules-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (26/28) Installing: pipewire-0.3.24-2.1.x86_64 ........................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (27/28) Installing: pipewire-lang-0.3.24-2.1.noarch ...................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/pipewire-lang-0.3.24-2.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY (28/28) Installing: chromium-90.0.4430.93-bp153.1.1.x86_64 ............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/chromium-90.0.4430.93-bp153.1.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY

Reply

Sign in to reply online Use email software

Michal Suchánek

13:37

On Thu, Apr 29, 2021 at 5:17 PM dieter wrote:

...
On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote:

...
What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and

thanks for all the replies here. Does this keys missing error supposed to be ongoing from inside the upgraded 15.3 system as well? had reasoned that once inside the 15.3 booted up, the keys would be available? No, not until a mechanism for importing the keys is added or you import

On Wed, May 05, 2021 at 11:49:16AM +0200, cagsm wrote: them by hand. HTH Michal

Reply

Sign in to reply online Use email software

cagsm

14 May 14 May

19:58

On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

today on the 15.3 rc machine, new 420something packages appeared in the repos. I tried zypper ref --force and even zypper up zypper libzypp first and then zypper ref --force again, and tried with select packages to update. They all still showed those missing keys errors each and every one of them. Suppose this bug aint gonna fixed before final 15.3 release? Or only afterwards?

Reply

Sign in to reply online Use email software

cagsm

2 Jun 2 Jun

13:57

On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key. === ( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY ( 6/72) Installing: libcurl4-32bit-7.66.0-4.17.1.x86_64 ...............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl4-32bit-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY ( 7/72) Installing: libdjvulibre21-3.5.27-11.3.1.x86_64 ...............................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libdjvulibre21-3.5.27-11.3.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY === also today when reading in the release post of 15.3 https://news.opensuse.org/2021/06/02/opensuse-leap-bridges-path-to-enterpris... about the actual release notes the little chapter mentioning upgrades: === Upgrading from previous versions of Leap Users upgrading to openSUSE Leap 15.3 need to be aware that upgrading directly from versions before openSUSE Leap 15.2 is not recommended. Due to the upgrade path, it is highly recommended to upgrade to Leap 15.2 before upgrading to Leap 15.3. The release only supports an upgrade from openSUSE Leap 15.2 to 15.3 as highlighted in the release notes; users are advised to read this section before migrating. Users are advised not to use zypper patch until next week. === what is meant with that statement not to use "zypper patch" until next week? is this related to this bug report mentioned in this thread? is this got to do with the zypper dup trouble missing pgp keys for verification? is todays release rather a paper launch and development and package updates (libzypp, zypper) still coming in until the end of this week for all of this to better work beginning from next week on? anyone? ty.

Reply

Sign in to reply online Use email software

Lubos Kocman

4 Jun 4 Jun

12:23

On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:

On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

...
On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key.

=== ( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ....................................................................... ....................................................................... ..................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle- sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY

( 6/72) Installing: libcurl4-32bit-7.66.0-4.17.1.x86_64 ....................................................................... ....................................................................... .................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle- sp2/x86_64/libcurl4-32bit-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY

( 7/72) Installing: libdjvulibre21-3.5.27-11.3.1.x86_64 ....................................................................... ....................................................................... .................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle- sp2/x86_64/libdjvulibre21-3.5.27-11.3.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY ===

also today when reading in the release post of 15.3 < https://news.opensuse.org/2021/06/02/opensuse-leap-bridges-path-to-enterpris...

...
about the actual release notes the little chapter mentioning upgrades: === Upgrading from previous versions of Leap Users upgrading to openSUSE Leap 15.3 need to be aware that upgrading directly from versions before openSUSE Leap 15.2 is not recommended. Due to the upgrade path, it is highly recommended to upgrade to Leap 15.2 before upgrading to Leap 15.3. The release only supports an upgrade from openSUSE Leap 15.2 to 15.3 as highlighted in the release notes; users are advised to read this section before migrating. Users are advised not to use zypper patch until next week. ===

what is meant with that statement not to use "zypper patch" until next week? is this related to this bug report mentioned in this thread? is this got to do with the zypper dup trouble missing pgp keys for verification? is todays release rather a paper launch and development and package updates (libzypp, zypper) still coming in until the end of this week for all of this to better work beginning from next week on?

anyone? ty.

Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...

Reply

Sign in to reply online Use email software

Carlos E. R.

18:45

On 04/06/2021 14.23, Lubos Kocman wrote:

On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:

...
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

...

...
anyone? ty.

Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...

...

??? 6 More information and feedback Read the README documents on the medium. View a detailed changelog information about a particular package from its RPM: rpm --changelog -qp FILENAME.rpm Replace FILENAME with the name of the RPM. Check the ChangeLog file in the top level of the medium for a chronological log of all changes made to the updated packages. Find more information in the docu directory on the medium. For additional or updated documentation, see https://doc.opensuse.org/. For the latest product news, from openSUSE, visit https://www.opensuse.org. Copyright © 2021 SUSE LLC -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)

Reply

Sign in to reply online Use email software

Stefan Seyfried

5 Jun 5 Jun

11:14

On 04.06.21 20:45, Carlos E. R. wrote:

On 04/06/2021 14.23, Lubos Kocman wrote:

...
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:

...
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

...

...
...
anyone? ty.

Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...

...
???

!!! 2.1 Seamless upgrade from openSUSE Leap 15.2 [... skip to last two paragraphs ...] If the system has not imported the key that was used to sign the repodata, you will need to import it manually. You can check by running the following command: rpm -qa gpg-pubkey The output should include a line starting with the following text: gpg-pubkey-39db7c82-* If it does not, the do the following to import the key manually: Download the SUSE Linux Enterprise 15 key from https://download.opensuse.org/distribution/leap/15.3/repo/oss/gpg-pubkey-39d.... Save the key to the /var/cache/zypp/pubkeys directory. Rename it so that it ends with .key. Run the zypper dup command. You will be asked to import the missing key. This will happen even if the key is in the directory mentioned above. If the file contains multiple keys, zypper will import only the required key. For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=1184326. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman

Reply

Sign in to reply online Use email software

Carlos E. R.

11:28

On 05/06/2021 13.14, Stefan Seyfried wrote:

On 04.06.21 20:45, Carlos E. R. wrote:

...
On 04/06/2021 14.23, Lubos Kocman wrote:

...
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:

...
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

...

...
...
anyone? ty.

Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...

...
???

!!!

2.1 Seamless upgrade from openSUSE Leap 15.2

[... skip to last two paragraphs ...]

If the system has not imported the key that was used to sign the repodata, you will need to import it manually. You can check by running

the following command:

Thanks for explaining. To me, saying "last two paragraphs" and giving a link means the last two paragraphs of the link, not of a not mentioned chapter. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)

Reply

Sign in to reply online Use email software

Carlos E. R.

4 Jun 4 Jun

18:41

On 02/06/2021 15.57, cagsm wrote:

On Fri, May 14, 2021 at 9:58 PM cagsm wrote:

...
On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:

...
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326

today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key.

=== ( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ................................................................................................................................................................[done] Additional rpm output: warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY

That's «key 70AF9E8139DB7C82: public key "SuSE Package Signing Key "» -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)

Reply

Sign in to reply online Use email software

1055

Age (days ago)

1093

Last active (days ago)

Download

25 comments

10 participants

tags

participants (10)

Andrei Borzenkov
Axel Braun
cagsm
Carlos E. R.
dieter
Lubos Kocman
Manfred Schwarb
Michal Suchánek
Per Jessen
Stefan Seyfried