15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx
hi list, 15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx something like that. is this the way dup goes? did dup according to upgrade instructions on wiki ty
Hello cagsm, On Wednesday, 28 April 2021, 19:24:08 CEST, cagsm wrote:
15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx
something like that. is this the way dup goes? did dup according to upgrade instructions on wiki
Was the Leap 15.2 system fully up-to-date before you started the upgrade? Actually, I did not see this issue during my upgrade tests.... Cheers Axel
On Wed, Apr 28, 2021 at 8:10 PM Axel Braun
15.2 to 15.3 dup, endless nokey additional rpm info, keys missing? 39517xxxxxx and 65176565xxxx something like that. is this the way dup goes? did dup according to upgrade instructions on wiki Was the Leap 15.2 system fully up-to-date before you started the upgrade? Actually, I did not see this issue during my upgrade tests....
yes of course. leap 15.2 most current. all updates patches as of today applied. then via command zypper --releasever=15.3 dup --download-in-advance seemingly with every rpm applied, those signature version v3/sha256 and key id xxxxx messages were printed amongst other messages every now and then according to the package applied will see how this unfolds when i boot the machine. ty.
apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though) is 0x9c214d4065176565 for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere? p.s. searchengine finds something here though: https://build.opensuse.org/project/keys_and_certificates/openSUSE:Backports:... is this fixworthy?
On Wed, Apr 28, 2021 at 11:05 PM cagsm
apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though) p.s. searchengine finds something here though:
google finds 3 (three) hits on the internet as whole ;( http://web.archive.org/web/20210428210742/https://www.google.com/search?hl=en&q=9c214d4065176565
On 28/04/2021 23.05, cagsm wrote:
apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though)
is
0x9c214d4065176565
for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere?
Bugzilla. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On Wed, 28 Apr 2021 23:05:42 +0200 cagsm wrote:
apparently, the missing key on the whole internet (only checked pgp.mit.edu and some open keyservers though)
is
0x9c214d4065176565
for example the welcome open suse ahoy fun application is signed by it. what gives? who provides that key and from where? why isnt it included during the dup? why isnt it included anywhere?
p.s. searchengine finds something here though: https://build.opensuse.org/project/keys_and_certificates/openSUSE:Backports:...
is this fixworthy?
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
In the bug is also documented where the missing keys can be found for manual import as workaround. And how to configure zypper or the repo settings so that unverified RPMs are not installed. Regards, Dieter
On Thu, Apr 29, 2021 at 8:52 AM dieter
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
Okay thank you a lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper connected and fetched all those rpm files. So when the whole dup process, for i would bet, each and every rpm it fetched, printed out those missing key error lines and entries, then the dup process could have fetched "god" knows what kind of bits, thus totally compromising this system here. When this bug report exists like in the beginning of April, how can suse folks push a piece of software with the attribute "release candidate" with such a serious security issue? Should I abandon this machine and start from scratch? how can this be of RC grade at all for such essential security related things going so wrong? Am I only imagining things or exaggerating? Or is this a real attack vector and real fail of the software developers? I feel seriously disappointed and let down in these situations. Dont want to offend anyone personally, but in my opinion i want to "attack" the technical roles and stakeholders if this turns out to be true. I seriously dislike the situations when having this much power and responsibility and releasing this kind of situation on the public. ty.
On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:
On Thu, Apr 29, 2021 at 8:52 AM dieter
wrote: There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
Okay thank you a lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper connected and fetched all those rpm files.
No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not be verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentially compromised because no method of verification for these new signing keys is provided. Thanks Michal
On 29.04.21 at 15:36, Michal Suchánek wrote:
On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:
On Thu, Apr 29, 2021 at 8:52 AM dieter
wrote: There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
Okay thank you a lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper connected and fetched all those rpm files.
The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_. It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped. Cheers, Manfred
On Thu, Apr 29, 2021 at 04:02:35PM +0200, Manfred Schwarb wrote:
On 29.04.21 at 15:36, Michal Suchánek wrote:
On Thu, Apr 29, 2021 at 03:26:34PM +0200, cagsm wrote:
On Thu, Apr 29, 2021 at 8:52 AM dieter
wrote: There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
Okay thank you a lot for pointing to this bug. Wondering now though, if my system is theoretically or in the actual sense completely compromised for real or virtually. I observed the dup process. I checked with lsof what the zypper was doing, and I have seen lsof | grep zypper a lot of network entries, where it connected to those mirror brained servers but via http, the ip address or hostname and the :80 (http) at the end of the line was given, to the service (webserver) the zypper connected and fetched all those rpm files.
The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.
It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.
It's not about mirrors supporting https. Anyone can create a web site that supports https and place some packages on it. You need to be able to verify the origin of the package. Thanks Michal
On Thu, Apr 29, 2021 at 5:02 PM Manfred Schwarb
The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.
It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.
I count exactly three TW mirrors with https. This is far less than "most".
Andrei Borzenkov wrote:
On Thu, Apr 29, 2021 at 5:02 PM Manfred Schwarb
wrote: The repositories in /etc/zypp/repos.d should really contain "baseurl=" entries with an encrypted protocol, i.e. https:// instead of http:// _per default_.
It is of course easy to change that manually, after the event. But I guess nobody remembers to do so. Most mirrors support https, and the ones not doing so should simply be dropped.
I count exactly three TW mirrors with https. This is far less than "most".
Yeah. Not forgetting that mirrorbrain does not support https. -- Per Jessen, Zürich (11.6°C) Member, openSUSE Heroes
On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek
No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not be verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentially compromised because no method of verification for these new signing keys is provided.
dont really understand this answer. bottom line: the zypper dup yesterday, did a completely unverified easily man-in-the-middle-attack-able upgrade of the previously fine 15.2 system. is this assumption correct? from inside this malicious 15.3 is there a mathematically sound way to re-evaluate all the currently installed packages and (re-)verify them with the (hopefully?) installed keys that it complained about during the dup? how would I verify all the installed bits and pieces and rpm files from inside 15.3 rc? also in that bug I read about libzypp or something still needing to implement this upgrade scenario and missing keys and stuff. will this be available during GA release of 15.3 final situation? or what other workaround steps are mandatory at the moment such as: manually fetching gpg keys from somewhere, importing them, and only zypper dup after those additional steps? shouldnt this be put up into https://en.opensuse.org/SDB:System_upgrade pretty much immediately notifying people about this serious security issue when coming from a safe and secure 15.2 and dup-ing to 15.3 rc? am I the only one worried by the current situation? is this perfectly normal for all the involved suse staff, developers, maintainers, admins etc? ty.
On Thu, Apr 29, 2021 at 04:20:33PM +0200, cagsm wrote:
On Thu, Apr 29, 2021 at 3:36 PM Michal Suchánek
wrote: No, as it is zypper downloads the rpm packages which are verified by the repository index. Because the rpm packages come from multiple repositories signed by different keys rpm then complains about packages signed by keys not imported into the rpm database. The 'solution' is typical for how SUSE handles software distribution. The keys will be added to the repository but will not be verified by the index. Zypper will ask you to import the keys without any verification whatsoever. If you say yes the warning will be gone but your system will be potentially compromised because no method of verification for these new signing keys is provided.
dont really understand this answer. bottom line: the zypper dup yesterday, did a completely unverified easily man-in-the-middle-attack-able upgrade of the previously fine 15.2 system. is this assumption correct?
There are two verifications - by zypper and by rpm. You get warning from rpm but the package should have been verified by zypper anyway. HTH Michal
On Thu, Apr 29, 2021 at 4:28 PM Michal Suchánek
There are two verifications - by zypper and by rpm. You get warning from rpm but the package should have been verified by zypper anyway.
sorry list, I do not understand if I am compromised or not. I did a zypper dup with that releasever variable being set to 15.3 I did not skip over warnings that keys were missing or to be imported or what not. zypper dup asked me if i was okay with the release notes or legal stuff of suse llc and gpl2. and the second question it asked if i wanted to proceed with the 2000+ packages to be fetched, that summary. It then went on with downloading packages and working on them. Every package installing or updating printed those missing keys for the signature of the package line. What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and original packages by suse llc? What do I need to do now? Am I imagining? ty.
On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote:
What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and original packages by suse llc? What do I need to do now? Am I imagining?
According to https://bugzilla.opensuse.org/show_bug.cgi?id=1184326#c1 there are two layers of verification:
1) package checksum in the signed repository metadata checked by zypper
2) individual package signatures checked by rpm.
step 1) was done successfully during the upgrade for each installed package, step 2) was skipped for the packages signed by the missing keys. This bugzilla comment also says "Nevertheless the system is secure:" My advice would be: before upgrading a critical system to a new version check the open bug reports for this version, especially when it is still in the RC phase and not released yet. Kind regards, Dieter
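Layer 1 from the reply above, sketched as an added example (not code from the thread, zypper or libzypp): a downloaded file is accepted only if its SHA-256 matches the entry in primary.xml, and primary.xml itself matches the entry in repomd.xml. It assumes the GPG signature on repomd.xml was already checked against a trusted key; the repository contents and the function names are constructed, and the sample primary.xml is left uncompressed for brevity.

```python
import hashlib
import xml.etree.ElementTree as ET

# XML namespaces used by rpm-md repository metadata.
REPO = "{http://linux.duke.edu/metadata/repo}"
COMMON = "{http://linux.duke.edu/metadata/common}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def primary_checksum(repomd_xml: bytes) -> str:
    """Return the sha256 that repomd.xml records for the primary metadata."""
    for data in ET.fromstring(repomd_xml).findall(f"{REPO}data"):
        if data.get("type") != "primary":
            continue
        node = data.find(f"{REPO}checksum")
        if node is not None and node.get("type") == "sha256" and node.text:
            return node.text.strip().lower()
    raise ValueError("repomd.xml has no sha256 checksum for primary metadata")


def package_checksums(primary_xml: bytes) -> dict:
    """Map each package location (href) to its recorded sha256."""
    table = {}
    for pkg in ET.fromstring(primary_xml).findall(f"{COMMON}package"):
        loc = pkg.find(f"{COMMON}location")
        node = pkg.find(f"{COMMON}checksum")
        if loc is None or node is None or node.get("type") != "sha256":
            continue
        table[loc.get("href")] = (node.text or "").strip().lower()
    return table


def verify_download(repomd_xml: bytes, primary_xml: bytes,
                    href: str, rpm_bytes: bytes) -> str:
    """Walk the chain repomd.xml -> primary.xml -> package file.

    Assumes repomd.xml has already passed its signature check.
    """
    if sha256_hex(primary_xml) != primary_checksum(repomd_xml):
        return "primary-mismatch"      # metadata swapped after signing
    expected = package_checksums(primary_xml).get(href)
    if expected is None:
        return "not-listed"            # file is not part of this repository
    if sha256_hex(rpm_bytes) != expected:
        return "package-mismatch"      # payload altered in transit or on a mirror
    return "ok"


def build_sample():
    """Constructed repository: one stand-in package plus matching metadata."""
    rpm = b"constructed stand-in for the bytes of demo-1.0-1.x86_64.rpm"
    href = "x86_64/demo-1.0-1.x86_64.rpm"
    primary = (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        '<package type="rpm"><name>demo</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256_hex(rpm)}</checksum>'
        f'<location href="{href}"/></package></metadata>'
    ).encode()
    repomd = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        '<data type="primary">'
        f'<checksum type="sha256">{sha256_hex(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    return repomd, primary, href, rpm


if __name__ == "__main__":
    repomd, primary, href, rpm = build_sample()
    print("untouched download:", verify_download(repomd, primary, href, rpm))
    print("altered download:  ", verify_download(repomd, primary, href, rpm + b"\x00"))
```

Because every link is a hash rooted in the signed repomd.xml, a file fetched over plain http from a mirror still fails this check if a single byte differs.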
On Thu, Apr 29, 2021 at 5:17 PM dieter
On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote:
What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and
thanks for all the replies here. Does this keys missing error supposed to be ongoing from inside the upgraded 15.3 system as well? had reasoned that once inside the 15.3 booted up, the keys would be available? today there were some 28 update packages, and they seem to all have lacked various signing keys? what mechanism will bring in these missing keys or hows this gonna be handled and fixed? ty
----------------
( 1/28) Installing: libbellesip0-1.6.3-bp153.1.134.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libbellesip0-1.6.3-bp153.1.134.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 2/28) Installing: libkolabxml1-1.1.6-bp153.1.116.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libkolabxml1-1.1.6-bp153.1.116.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 3/28) Installing: libreoffice-branding-upstream-7.1.2.2-bp153.2.4.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-branding-upstream-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 4/28) Installing: libreoffice-icon-themes-7.1.2.2-bp153.2.4.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-icon-themes-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 5/28) Installing: libreoffice-l10n-en-7.1.2.2-bp153.2.4.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/libreoffice-l10n-en-7.1.2.2-bp153.2.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 6/28) Installing: maven-dependency-tree-3.0-bp153.1.128.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-dependency-tree-3.0-bp153.1.128.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 7/28) Installing: maven-reporting-impl-3.0.0-bp153.1.132.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-reporting-impl-3.0.0-bp153.1.132.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 8/28) Installing: openSUSE-release-ftp-15.3-lp153.124.1.x86_64 ..........[done]
( 9/28) Installing: pipewire-spa-tools-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-spa-tools-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(10/28) Installing: telepathy-mission-control-plugin-goa-3.12.14-bp153.1.26.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/telepathy-mission-control-plugin-goa-3.12.14-bp153.1.26.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
(11/28) Installing: usbmuxd-1.1.0-10.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/usbmuxd-1.1.0-10.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(12/28) Installing: wine-32bit-6.0-bp153.1.139.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/wine-32bit-6.0-bp153.1.139.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
(13/28) Installing: yast2-network-4.3.67-1.1.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/yast2-network-4.3.67-1.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(14/28) Installing: yast2-pkg-bindings-4.3.11-1.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/yast2-pkg-bindings-4.3.11-1.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(15/28) Installing: yast2-trans-84.87.20210425.616915ed60-1.1.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/yast2-trans-84.87.20210425.616915ed60-1.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(16/28) Installing: maven-plugin-bundle-3.5.1-bp153.1.109.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/maven-plugin-bundle-3.5.1-bp153.1.109.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
(17/28) Installing: openSUSE-release-15.3-lp153.124.1.x86_64 ..........[done]
(18/28) Installing: libpipewire-0_3-0-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libpipewire-0_3-0-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(19/28) Installing: wine-6.0-bp153.1.139.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/wine-6.0-bp153.1.139.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
(20/28) Installing: kernel-default-5.3.18-57.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(21/28) Installing: pipewire-tools-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-tools-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(22/28) Installing: kernel-default-extra-5.3.18-57.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-extra-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(23/28) Installing: pipewire-spa-plugins-0_2-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-spa-plugins-0_2-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(24/28) Installing: kernel-default-optional-5.3.18-57.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/kernel-default-optional-5.3.18-57.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(25/28) Installing: pipewire-modules-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-modules-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(26/28) Installing: pipewire-0.3.24-2.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(27/28) Installing: pipewire-lang-0.3.24-2.1.noarch ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/noarch/pipewire-lang-0.3.24-2.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
(28/28) Installing: chromium-90.0.4430.93-bp153.1.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/chromium-90.0.4430.93-bp153.1.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
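An added example (not part of the thread) that turns zypper output like the log in the message above into a list of signing keys still absent from the rpm keyring. The function names and the keyring entry `0123abcd` are constructed; the log lines are excerpts from the messages on this page with the dot filler shortened. It relies on rpm storing each imported key as a `gpg-pubkey` pseudo-package whose VERSION is the 8-hex-digit short key ID.

```python
import re
from collections import Counter

# One match per rpm "NOKEY" warning as printed under "Additional rpm output".
# The first path component below /var/cache/zypp/packages/ is the repo alias.
NOKEY_RE = re.compile(
    r"warning: /var/cache/zypp/packages/(?P<repo>[^/\s]+)/(?:[^/\s]+/)*"
    r"(?P<rpm>[^/\s]+\.rpm): Header V\d+ \S+ Signature, "
    r"key ID (?P<keyid>[0-9A-Fa-f]{8}): NOKEY"
)


def nokey_warnings(text: str) -> list:
    """Return (short key ID, repo alias, rpm file) for every NOKEY warning.

    Works on line-separated output and on output flattened into one line.
    """
    return [(m["keyid"].lower(), m["repo"], m["rpm"])
            for m in NOKEY_RE.finditer(text)]


def summarize(text: str) -> dict:
    """Count unverifiable packages per (key ID, repo alias)."""
    counts = Counter((keyid, repo) for keyid, repo, _ in nokey_warnings(text))
    return dict(counts)


def keys_to_import(text: str, keyring_versions) -> list:
    """Key IDs seen in warnings that are not in the rpm keyring.

    keyring_versions: lines as produced on the real system by
        rpm -q gpg-pubkey --qf '%{VERSION}\\n'
    """
    have = {v.strip().lower() for v in keyring_versions if v.strip()}
    wanted = {keyid for keyid, _, _ in nokey_warnings(text)}
    return sorted(wanted - have)


# Excerpted from the thread; dot runs shortened.
SAMPLE_LOG = """\
( 1/28) Installing: libbellesip0-1.6.3-bp153.1.134.x86_64 ....[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/libbellesip0-1.6.3-bp153.1.134.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
( 8/28) Installing: openSUSE-release-ftp-15.3-lp153.124.1.x86_64 ....[done]
( 9/28) Installing: pipewire-spa-tools-0.3.24-2.1.x86_64 ....[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE-Leap-oss/x86_64/pipewire-spa-tools-0.3.24-2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ....[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
"""

# Constructed keyring listing: one unrelated key, nothing from the warnings.
SAMPLE_KEYRING = ["0123abcd"]

if __name__ == "__main__":
    for (keyid, repo), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"key {keyid}  repo {repo}  packages without signature check: {n}")
    print("keys to obtain and verify:", keys_to_import(SAMPLE_LOG, SAMPLE_KEYRING))
```

Once a key has been imported, `rpm -K` on a cached package file re-runs the signature check that was skipped during installation.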
On Thu, Apr 29, 2021 at 5:17 PM dieter
wrote: On Thu, 29 Apr 2021 16:34:50 +0200 cagsm wrote:
What situation is my system in right now? have all those packages been installed without any proof whatsoever that they were legit and
On Wed, May 05, 2021 at 11:49:16AM +0200, cagsm wrote:
thanks for all the replies here. Does this keys missing error supposed to be ongoing from inside the upgraded 15.3 system as well? had reasoned that once inside the 15.3 booted up, the keys would be available?
No, not until a mechanism for importing the keys is added or you import them by hand. HTH Michal
On Thu, Apr 29, 2021 at 8:52 AM dieter
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
today on the 15.3 rc machine, new 420something packages appeared in the repos. I tried zypper ref --force and even zypper up zypper libzypp first and then zypper ref --force again, and tried with select packages to update. They all still showed those missing keys errors each and every one of them. Suppose this bug aint gonna be fixed before final 15.3 release? Or only afterwards?
On Fri, May 14, 2021 at 9:58 PM cagsm
On Thu, Apr 29, 2021 at 8:52 AM dieter
wrote: There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key.
===
( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 6/72) Installing: libcurl4-32bit-7.66.0-4.17.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl4-32bit-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 7/72) Installing: libdjvulibre21-3.5.27-11.3.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libdjvulibre21-3.5.27-11.3.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
===
also today when reading in the release post of 15.3 https://news.opensuse.org/2021/06/02/opensuse-leap-bridges-path-to-enterpris... about the actual release notes the little chapter mentioning upgrades:
===
Upgrading from previous versions of Leap
Users upgrading to openSUSE Leap 15.3 need to be aware that upgrading directly from versions before openSUSE Leap 15.2 is not recommended. Due to the upgrade path, it is highly recommended to upgrade to Leap 15.2 before upgrading to Leap 15.3. The release only supports an upgrade from openSUSE Leap 15.2 to 15.3 as highlighted in the release notes; users are advised to read this section before migrating. Users are advised not to use zypper patch until next week.
===
what is meant with that statement not to use "zypper patch" until next week? is this related to this bug report mentioned in this thread? is this got to do with the zypper dup trouble missing pgp keys for verification? is todays release rather a paper launch and development and package updates (libzypp, zypper) still coming in until the end of this week for all of this to better work beginning from next week on? anyone? ty.
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:
On Fri, May 14, 2021 at 9:58 PM cagsm
wrote: On Thu, Apr 29, 2021 at 8:52 AM dieter
wrote: There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key.
===
( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 6/72) Installing: libcurl4-32bit-7.66.0-4.17.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl4-32bit-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 7/72) Installing: libdjvulibre21-3.5.27-11.3.1.x86_64 ..........[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libdjvulibre21-3.5.27-11.3.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
===
also today when reading in the release post of 15.3 https://news.opensuse.org/2021/06/02/opensuse-leap-bridges-path-to-enterpris...
about the actual release notes the little chapter mentioning upgrades:
===
Upgrading from previous versions of Leap
Users upgrading to openSUSE Leap 15.3 need to be aware that upgrading directly from versions before openSUSE Leap 15.2 is not recommended. Due to the upgrade path, it is highly recommended to upgrade to Leap 15.2 before upgrading to Leap 15.3. The release only supports an upgrade from openSUSE Leap 15.2 to 15.3 as highlighted in the release notes; users are advised to read this section before migrating. Users are advised not to use zypper patch until next week.
===
what is meant with that statement not to use "zypper patch" until next week? is this related to this bug report mentioned in this thread? is this got to do with the zypper dup trouble missing pgp keys for verification? is today's release rather a paper launch and development and package updates (libzypp, zypper) still coming in until the end of this week for all of this to better work beginning from next week on?
anyone? ty.
Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...
On 04/06/2021 14.23, Lubos Kocman wrote:
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:
...
anyone? ty.
Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...
???

6 More information and feedback
Read the README documents on the medium.
View a detailed changelog information about a particular package from its RPM:
rpm --changelog -qp FILENAME.rpm
Replace FILENAME with the name of the RPM.
Check the ChangeLog file in the top level of the medium for a chronological log of all changes made to the updated packages.
Find more information in the docu directory on the medium.
For additional or updated documentation, see https://doc.opensuse.org/.
For the latest product news, from openSUSE, visit https://www.opensuse.org.
Copyright © 2021 SUSE LLC

--
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 04.06.21 20:45, Carlos E. R. wrote:
On 04/06/2021 14.23, Lubos Kocman wrote:
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:
...
anyone? ty.
Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...
???
!!!

2.1 Seamless upgrade from openSUSE Leap 15.2
[... skip to last two paragraphs ...]
If the system has not imported the key that was used to sign the repodata, you will need to import it manually. You can check by running the following command:
rpm -qa gpg-pubkey
The output should include a line starting with the following text:
gpg-pubkey-39db7c82-*
If it does not, then do the following to import the key manually:
Download the SUSE Linux Enterprise 15 key from https://download.opensuse.org/distribution/leap/15.3/repo/oss/gpg-pubkey-39d....
Save the key to the /var/cache/zypp/pubkeys directory. Rename it so that it ends with .key.
Run the zypper dup command. You will be asked to import the missing key. This will happen even if the key is in the directory mentioned above. If the file contains multiple keys, zypper will import only the required key.
For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=1184326.

--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
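The keyring check from the release notes quoted above, extended to every key ID that shows up in a NOKEY warning. This is an added example, not part of the original posts or of the release notes; the function names are hypothetical and the sample log and keyring lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): which signing keys did rpm report as
# NOKEY, and is each one present in the rpm keyring?

# Constructed sample of zypper output; the last warning line is made up.
sample_log() {
cat <<'EOF'
( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ....[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
( 6/72) Installing: libcurl4-32bit-7.66.0-4.17.1.x86_64 ....[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl4-32bit-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
warning: /var/cache/zypp/packages/example/example-1.0-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 65176565: NOKEY
EOF
}

# stdin: zypper output. Prints "<count> <keyid>" per key ID seen with NOKEY.
nokey_ids() {
    sed -n 's/^warning: .*Signature, key ID \([0-9A-Fa-f]\{8,16\}\): NOKEY$/\1/p' |
        tr 'A-F' 'a-f' | sort | uniq -c | awk '{print $1, $2}'
}

# $1: key ID (8 or 16 hex digits); stdin: output of `rpm -qa gpg-pubkey`.
# rpm names an imported key gpg-pubkey-<last 8 hex digits of key ID>-<created>.
key_imported() {
    short=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/')
    grep -q "^gpg-pubkey-$short-"
}

# $1: output of `rpm -qa gpg-pubkey`; stdin: zypper output.
# Prints "<keyid> <imported|MISSING> <number of affected packages>".
report() {
    nokey_ids | while read -r count id; do
        if printf '%s\n' "$1" | key_imported "$id"; then state=imported
        else state=MISSING; fi
        echo "$id $state $count"
    done
}

# Demo on constructed data: a keyring that lacks both keys.
sample_log | report 'gpg-pubkey-aaaaaaaa-00000000'
```

On a real system, pass the live keyring and saved zypper output instead: `report "$(rpm -qa gpg-pubkey)" < saved-zypper-output.txt`. A key that still shows as MISSING after the manual import means the packages signed by it were installed without signature verification.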
On 05/06/2021 13.14, Stefan Seyfried wrote:
On 04.06.21 20:45, Carlos E. R. wrote:
On 04/06/2021 14.23, Lubos Kocman wrote:
On Wed, 2021-06-02 at 15:57 +0200, cagsm wrote:
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:
...
anyone? ty.
Please refer to the last two paragraphs of https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#sec.upgrad...
???
!!!
2.1 Seamless upgrade from openSUSE Leap 15.2
[... skip to last two paragraphs ...]
If the system has not imported the key that was used to sign the repodata, you will need to import it manually. You can check by running the following command:

Thanks for explaining. To me, saying "last two paragraphs" and giving a link means the last two paragraphs of the link, not of a not mentioned chapter.

--
Cheers / Saludos,
Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 02/06/2021 15.57, cagsm wrote:
On Fri, May 14, 2021 at 9:58 PM cagsm wrote:
On Thu, Apr 29, 2021 at 8:52 AM dieter wrote:
There exists a bug for it: https://bugzilla.opensuse.org/show_bug.cgi?id=1184326
today some zypper up and or zypper dup even after it imported and applied that sles backports update repo, it still misses some pgp key.
===
( 5/72) Installing: libcurl-devel-7.66.0-4.17.1.x86_64 ....................[done]
Additional rpm output:
warning: /var/cache/zypp/packages/repo-sle-update/sle-sp2/x86_64/libcurl-devel-7.66.0-4.17.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 39db7c82: NOKEY
That's «key 70AF9E8139DB7C82: public key "SuSE Package Signing Key
participants (10)
- Andrei Borzenkov
- Axel Braun
- cagsm
- Carlos E. R.
- dieter
- Lubos Kocman
- Manfred Schwarb
- Michal Suchánek
- Per Jessen
- Stefan Seyfried