[opensuse-security] Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'
HI!

What's up with this?

-------------------- snip --------------------
# zypper refresh
Repository 'openSUSE-11.1-Non-Oss' is up to date.
Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/NO]:
-------------------- snip --------------------

Ciao, Michael.

On Wed, Apr 01, 2009 at 05:41:48PM +0200, Michael Ströder wrote:
> HI!
>
> What's up with this?
>
> -------------------- snip --------------------
> # zypper refresh
> Repository 'openSUSE-11.1-Non-Oss' is up to date.
> Signature verification failed for file 'repomd.xml' from repository 'openSUSE-11.1-Update'.

You apparently didn't use download.opensuse.org; is that possible? You should, for security reasons. Update metadata for 11.1 (e.g. http://download.opensuse.org/update/11.1/repodata/repomd.xml) is always delivered directly, and not redirected to mirrors.

> Warning: This might be caused by a malicious change in the file!
> Continuing might be risky. Continue anyway? [yes/NO]:

Sounds like either an attack, or you didn't use download.opensuse.org. Or you did, and still an attack. Third possibility, the signature was indeed incorrect on download.opensuse.org, might happen, if we do something wrong.

Peter
--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development

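The first check the reply above suggests (is the Update repository really pointed at download.opensuse.org?), as an added example that is not part of the original thread. It assumes the repository definitions are INI-style `.repo` files under `/etc/zypp/repos.d/` with `baseurl=` and `enabled=` keys; the function names and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled repositories whose baseurl host differs from
# the expected one. Reads .repo (INI) text on stdin and prints one
# "alias<TAB>host" line per mismatch.
# Assumption: a repository without an "enabled=" line counts as enabled.
nonofficial_repos() {
    awk -v want="${1:-download.opensuse.org}" '
        function report(    host) {
            if (alias == "" || !enabled || url == "") return
            host = url
            sub(/^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//, "", host)  # drop scheme
            sub(/[?#].*$/, "", host)                        # drop query/fragment
            sub(/\/.*$/, "", host)                          # drop path
            sub(/^.*@/, "", host)                           # drop userinfo
            sub(/:[0-9]+$/, "", host)                       # drop port
            if (tolower(host) != tolower(want))
                print alias "\t" (host == "" ? "(no host)" : host)
        }
        /^[ \t]*\[.*\][ \t]*$/ {                 # new [alias] section
            report()
            alias = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", alias)
            enabled = 1; url = ""
            next
        }
        /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            enabled = (tolower(v) ~ /^(1|yes|true|on)[ \t]*$/)
        }
        /^[ \t]*baseurl[ \t]*=/ { url = $0; sub(/^[^=]*=[ \t]*/, "", url) }
        END { report() }
    '
}

# Constructed sample input (not taken from the reporter's system).
sample_repos() {
    cat <<'EOF'
[openSUSE-11.1-Update]
enabled=1
baseurl=http://mirror.example.net/update/11.1/
type=rpm-md

[openSUSE-11.1-Non-Oss]
enabled=1
baseurl=http://download.opensuse.org/distribution/11.1/repo/non-oss/

[third-party-disabled]
enabled=0
baseurl=http://packages.example.org/repo/
EOF
}

sample_repos | nonofficial_repos
```

On a real system the input would be `cat /etc/zypp/repos.d/*.repo | nonofficial_repos`; an empty result means every enabled repository already points at the expected host.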
participants (2)
- Michael Ströder
- Peter Poeml