Re: [opensuse-security] Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'
Data corruption failure during transfer? Works on my system.

thomas@bodhisattva:~/Desktop> sudo zypper refresh
root's password:
Repository 'openSUSE BuildService - GNOME:Community' is up to date.
Repository 'openSUSE-11.1-Non-Oss' is up to date.
Repository 'openSUSE-11.1-Oss' is up to date.
Retrieving repository 'openSUSE-11.1-Update' metadata [done]
Building repository 'openSUSE-11.1-Update' cache [done]
Retrieving repository 'Packman Repository' metadata [done]
Building repository 'Packman Repository' cache [done]
Repository 'VideoLan Repository' is up to date.
Repository 'thomasrjones' is up to date.
All repositories have been refreshed.
thomas@bodhisattva:~/Desktop>

On Wed, 2009-04-01 at 17:41 +0200, Michael Ströder wrote:
HI!
What's up with this?
-------------------- snip --------------------
# zypper refresh
Repository 'openSUSE-11.1-Non-Oss' is up to date.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
-------------------- snip --------------------
Ciao, Michael.
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Thomas R. Jones wrote:
On Wed, 2009-04-01 at 17:41 +0200, Michael Ströder wrote:
What's up with this?
-------------------- snip --------------------
# zypper refresh
Repository 'openSUSE-11.1-Non-Oss' is up to date.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
-------------------- snip --------------------
Data corruption failure during transfer? Works on my system.
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
Ciao, Michael.
On Wednesday, 2009-04-01 at 18:43 +0200, Michael Ströder wrote:
Thomas R. Jones wrote:
On Wed, 2009-04-01 at 17:41 +0200, Michael Ströder wrote:
What's up with this?
-------------------- snip --------------------
# zypper refresh
Repository 'openSUSE-11.1-Non-Oss' is up to date.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
-------------------- snip --------------------
Data corruption failure during transfer? Works on my system.
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
I thought that metadata was obtained directly from the redirector in the case of OS11.1, not from the mirrors. Is repomd.xml considered metadata?
--
Cheers, Carlos E. R.
On Wed, Apr 01, 2009 at 06:43:16PM +0200, Michael Ströder wrote: [...]
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
Yes, it should. That's why I requested this feature: https://features.opensuse.org/305320
Ciao, Michael.
Peter
--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
Peter Poeml wrote:
On Wed, Apr 01, 2009 at 06:43:16PM +0200, Michael Ströder wrote: [...]
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
Yes, it should. That's why I requested this feature: https://features.opensuse.org/305320
Following up to a really old thread from April 2009.
Now(!) it happens again.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
It seems to be the server pontifex.opensuse.org (195.135.221.130)
Any clue what happened?
Ciao, Michael.
On Mon, Sep 21, 2009 at 04:58:51PM +0200, Michael Ströder wrote:
Peter Poeml wrote:
On Wed, Apr 01, 2009 at 06:43:16PM +0200, Michael Ströder wrote: [...]
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
Yes, it should. That's why I requested this feature: https://features.opensuse.org/305320
Following up to a really old thread from April 2009.
Now(!) it happens again.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
It seems to be the server pontifex.opensuse.org (195.135.221.130)
Any clue what happened?
When we approve 2 updates in a row and the mirror is synching the metadata might come out of sync briefly. Just wait a bit and it should go away again.
Ciao, Marcus
On Mon, Sep 21, 2009 at 05:08:03 +0200, Marcus Meissner wrote:
On Mon, Sep 21, 2009 at 04:58:51PM +0200, Michael Ströder wrote:
Peter Poeml wrote:
On Wed, Apr 01, 2009 at 06:43:16PM +0200, Michael Ströder wrote: [...]
Hmm, I had tried it several times from different systems. Now it worked probably from another mirror. IMO zypper should display from which mirror server the repo file was obtained if signature verification failed.
Yes, it should. That's why I requested this feature: https://features.opensuse.org/305320
Following up to a really old thread from April 2009.
Now(!) it happens again.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
It seems to be the server pontifex.opensuse.org (195.135.221.130)
Any clue what happened?
When we approve 2 updates in a row and the mirror is synching the metadata might come out of sync briefly.
Small correction - we never send requests on metadata to mirrors, so it doesn't matter at all in which state they are (provided that download.opensuse.org is used, and not a mirror directly). However, the metadata on download.opensuse.org obviously needs to be exchanged once in a while, and even though this is being done in a rather atomic fashion, a client could be downloading just during that time, which could lead to them seeing what you saw.
Just wait a bit and it should go away again.
Yes.
Ciao, Marcus
Peter
--
Ars longa, vita brevis, occasio praeceps, experimentum periculosum, iudicium difficile. -Hippocrates (c. 400BC)
SUSE LINUX Products GmbH
Research & Development
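
The situation Peter describes above (a client downloading while the metadata is being exchanged) together with Michael's request to see which server delivered the rejected file, as an added example that is not part of the original thread and not zypper code: the client fetches repomd.xml and its signature as a pair, retries on mismatch, and records the source of every rejected download. `SwappingServer`, `refresh`, the host name and the HMAC that stands in for the detached GPG signature are assumptions made for this example; all sample data is constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the repository signing key


def sign(data):
    # Assumption: HMAC replaces the detached GPG signature (repomd.xml.asc).
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)


class SwappingServer:
    """Constructed server whose metadata is replaced between two requests."""

    def __init__(self, name, old, new, tampered=False):
        self.name, self.old, self.new, self.tampered = name, old, new, tampered
        self.requests = 0

    def get(self, filename):
        self.requests += 1
        if self.tampered and filename == "repomd.xml":
            return self.new + b"<!-- modified -->"
        # Only the very first request still sees the old generation.
        current = self.old if self.requests == 1 else self.new
        return current if filename == "repomd.xml" else sign(current)


def refresh(server, attempts=3):
    """Fetch repomd.xml and its signature as a pair; retry on mismatch.

    Returns (status, failures). status is 'ok', 'transient' (a retry
    verified, consistent with a metadata swap) or 'persistent' (never
    verified, so the metadata must not be used). failures records the
    server and a short content hash for every rejected download.
    """
    failures = []
    for _ in range(attempts):
        data = server.get("repomd.xml")
        sig = server.get("repomd.xml.asc")
        if verify(data, sig):
            return ("transient" if failures else "ok"), failures
        failures.append((server.name, hashlib.sha256(data).hexdigest()[:12]))
    return "persistent", failures
```

A 'persistent' result, especially with the same content hash on every attempt, is the case where waiting does not help and the recorded server name is what an administrator needs to investigate.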
participants (5)
- Carlos E. R.
- Marcus Meissner
- Michael Ströder
- Peter Poeml
- Thomas R. Jones