[openFATE 304911] Import all GPG keys at once before downloading the metadata from new repositories
Feature changed by: Robert Davies (robopensuse)
Feature #304911, revision 29
Title: Import all GPG keys at once before downloading the metadata from new repositories

openSUSE-11.1: Rejected by Stanislav Visnovsky (visnov)
  reject date: 2008-07-09 07:54:32
  reject reason: Cannot be done in time.
  Priority
  Requester: Desirable

openSUSE-11.2: Rejected by Stephan Kulow (coolo)
  reject date: 2009-08-12 10:55:19
  reject reason: 21 votes, but no one volunteering
  Priority
  Requester: Desirable
  Projectmanager: Desirable

openSUSE-11.3: Evaluation
  Priority
  Requester: Desirable

Requested by: Ladislav Slezak (lslezak)

Description:
If e.g. 10 different repositories are added, yast asks to import the GPG key for each repository, so the user cannot leave the computer while the metadata are downloaded.

References:
https://bugzilla.novell.com/show_bug.cgi?id=399253

Discussion:

#2: Federico Lucifredi (flucifredi) (2008-07-08 19:41:45) (reply to #1)
cute. It is a nice idea indeed.

#3: Dmitry Mittov (michael_knight) (2009-02-23 11:03:50)
It is not a good idea to add gpg keys for all repos all over the world. What do you want to do with new repos on BuildService? They can be created after release of new Suse version.
All repos signed with SuSE Package Signing Key are guaranteed. When you add other repos you should confirm you trust them.
But special option for 'zypper ar'. Something like '--trust-key' will solve your problem.

#4: Stephan Kulow (coolo) (2009-04-16 14:41:15) (reply to #3)
you haven't seen the community repos list yet?

#5: Stephan Kulow (coolo) (2009-04-16 14:41:42)
looking for community volunteers

#6: Stanley Miller (stan_qaz) (2009-04-30 04:10:50)
Would it be possible to do a quick check to see which repositories do not have the keys already downloaded and do the dialog box for all of them before starting the metadata download?
That avoids the issue of just accepting the keys blindly and the issue of having the download process stop and wait for user input when a missing key is found.

#7: T. J. Brumfield (enderandrew) (2009-06-13 02:14:59)
You have to go out of your way to add the repo in the first place. Can someone please explain a scenario where you would go out of your way to add the repo, and then reject the GPG key?

#8: Stephan Kulow (coolo) (2009-08-12 10:55:57) (reply to #7)
community repositories lets you add several repos at once

#9: Todd R (theblackcat) (2009-09-22 18:28:10) (reply to #8)
But isn't that a list of repositories trusted by openSUSE?

#10: Marcus Meissner (msmeissn) (2009-09-23 00:27:38) (reply to #9)
Not by the distribution itself, no. Some of the repositories are built with less security and less quality than the distribution itself.
There should perhaps be a two step process in the end .. separate "known keys" ... "unknown keys" and "trusted keys" :/

+ #11: Robert Davies (robopensuse) (2009-11-30 18:59:58) (reply to #10)
+ Can't the Distro include keys for repo's like Packman & libdvdcss
+ which high proportion of user will add. It's certifying the identity
+ of the repo for better security not installing (or inducing install of)
+ any potentially illegal software.
+ The highish quality repos ought to be recognised, as training user to
+ blindly accept certificates is counter-productive from security pov.

--
openSUSE Feature: https://features.opensuse.org/304911