New repository signing key received (gpg-pubkey-e2c0098c-6153774e)
Hello,

can someone confirm this new key for Base:System is legit? I don't find references to it anywhere other than the place it comes from:

New repository or package signing key received:

  Repository:       Base:System Factory Devel Project (openSUSE_Tumbleweed)
  Key Fingerprint:  9B76 956C 9465 B30D 7364 090D 88EB 5D66 E2C0 098C
  Key Name:         Base:System OBS Project <Base:System@build.opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Tue 28 Sep 2021 10:13:02 PM CEST
  Key Expires:      Thu 07 Dec 2023 09:13:02 PM CET
  Rpm Name:         gpg-pubkey-e2c0098c-6153774e

From https://download.opensuse.org/repositories/Base:/System/openSUSE_Tumbleweed/...:

Thanks!
--
Hector

On Fri, Apr 08, 2022 at 04:11:40PM +0000, Hector Sanjuan wrote:
> can someone confirm this new key for Base:System is legit? I don't find references to it anywhere other than the place it comes from:
>
> New repository or package signing key received:
>
>   Repository:       Base:System Factory Devel Project (openSUSE_Tumbleweed)
>   Key Fingerprint:  9B76 956C 9465 B30D 7364 090D 88EB 5D66 E2C0 098C
>   Key Name:         Base:System OBS Project <Base:System@build.opensuse.org>
>   Key Algorithm:    RSA 2048
>   Key Created:      Tue 28 Sep 2021 10:13:02 PM CEST
>   Key Expires:      Thu 07 Dec 2023 09:13:02 PM CET
>   Rpm Name:         gpg-pubkey-e2c0098c-6153774e

Looks legit. But it's the same key since 2013, so I don't understand why you get a message that it is new. (It says "Key Created", but that's not true. It's the creation time of the self-sig that defines the expiration date.)

Cheers,
  Michael.

--
Michael Schroeder
SUSE Software Solutions Germany GmbH
mls@suse.de
GF: Felix Imendoerffer HRB 36809, AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}

------- Original Message ------- On Friday, April 8th, 2022 at 6:22 PM, Michael Schroeder <mls@suse.de> wrote:
> Looks legit. But it's the same key since 2013, so I don't understand why you get a message that it is new. (It says "Key Created", but that's not true. It's the creation time of the self-sig that defines the expiration date.)

It was mentioned to me previously that 6153774e in gpg-pubkey-e2c0098c-6153774e corresponds to a Unix timestamp, and yes, it seems to correspond to "Tue 28 Sep 2021 10:13:02 PM CEST".

Why does zypper think this is new, though? What key is it using now that it has detected a "change"? (This is not a new installation.)

--
Hector

On Friday 08 April 2022 18:34:00 Hector Sanjuan wrote:
> It was mentioned to me previously that 6153774e in gpg-pubkey-e2c0098c-6153774e corresponds to a Unix timestamp, and yes, it seems to correspond to "Tue 28 Sep 2021 10:13:02 PM CEST".
>
> Why does zypper think this is new, though? What key is it using now that it has detected a "change"? (This is not a new installation.)

The 'New repository or package signing key received:' should be issued only if the key with ID 'e2c0098c' is not in the rpmdb at all.

Can you send me the /var/log/zypper.log (showing the command that asked the question)? Maybe the rpmdb is broken and we did not get the key out.

--
cu,
    Michael Andres

+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres (he/him/his), Engineering & Innovation, ma@suse.com
+------------------------------------------------------------------+
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany,
(HRB 36809, AG Nürnberg) Managing Director: Ivo Totev
+------------------------------------------------------------------+

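Added example, not part of the original thread and not zypper or rpm code: a Python example that decodes the rpm name from the prompt into its short key ID and hex Unix timestamp, checks the ID against the displayed fingerprint, and looks the ID up in a list of installed gpg-pubkey names. The installed list is constructed sample data; the function names and the "updated" label for a known ID with a different timestamp are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Values shown in the prompt quoted in this thread.
OFFERED_NAME = "gpg-pubkey-e2c0098c-6153774e"
OFFERED_FPR = "9B76 956C 9465 B30D 7364 090D 88EB 5D66 E2C0 098C"
# Constructed sample standing in for `rpm -q gpg-pubkey` output.
SAMPLE_INSTALLED = ["gpg-pubkey-0123abcd-5f000000", "gpg-pubkey-89abcdef-60000000"]

RPM_NAME = re.compile(r"gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})")


def parse_pubkey_rpm(name):
    """Split gpg-pubkey-<id>-<time> into (short key ID, UTC datetime)."""
    m = RPM_NAME.fullmatch(name.strip().lower())
    if m is None:
        raise ValueError(f"not a gpg-pubkey rpm name: {name!r}")
    key_id, stamp = m.groups()
    return key_id, datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)


def short_id(fingerprint):
    """Return the last 8 hex digits of a 40-digit fingerprint."""
    digits = re.sub(r"\s+", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("expected a 40-hex-digit fingerprint")
    return digits[-8:]


def classify(name, fingerprint, installed):
    """Label an offered key 'mismatch', 'new', 'known' or 'updated'."""
    key_id, stamp = parse_pubkey_rpm(name)
    if key_id != short_id(fingerprint):
        return "mismatch"  # rpm name and fingerprint disagree
    stamps = [t for k, t in map(parse_pubkey_rpm, installed) if k == key_id]
    if not stamps:
        return "new"  # key ID absent from the installed list
    # Assumption of this example: same ID, other timestamp = "updated".
    return "known" if stamp in stamps else "updated"


if __name__ == "__main__":
    key_id, stamp = parse_pubkey_rpm(OFFERED_NAME)
    print(key_id, stamp.isoformat())
    print(classify(OFFERED_NAME, OFFERED_FPR, SAMPLE_INSTALLED))
```

A matching short ID only shows that the rpm name and the fingerprint agree with each other; trusting the key still means comparing the full fingerprint with one obtained from the project itself.
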
------- Original Message ------- On Monday, April 11th, 2022 at 4:09 PM, Michael Andres <ma@suse.com> wrote:
> The 'New repository or package signing key received:' should be issued only if the key with ID 'e2c0098c' is not in the rpmdb at all.
>
> Can you send me the /var/log/zypper.log (showing the command that asked the question)? Maybe the rpmdb is broken and we did not get the key out.

Thank you for the pointer to the logs! The explanation is I added this repository recently. It is indeed not a base repository on a default installation (name confused me). During the time I had it, it was always associated to the same key, which I must have opportunistically trusted at some point. Since then, it probably did not need a refresh so I wasn't asked.

It would still be good to have a place where all the "official" keys are published.

--
Hector

On Tuesday 12 April 2022 11:02:10 Hector Sanjuan wrote:
> It would still be good to have a place where all the "official" keys are published.

Well, build.opensuse.org publishes the project keys:

https://build.opensuse.org/project/keys_and_certificates/Base:System

--
cu,
    Michael Andres