On Wed, Jun 16, 2021 at 01:32:48PM +0000, Hector Sanjuan wrote:
> Hello,
> yesterday zypper complained about new package signing keys for:
> However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of
> gpg-pubkey-3dbdc284-53674dd4.asc gpg-pubkey-39db7c82-5f68629b.asc gpg-pubkey-307e3d54-5aaa90a5.asc
> found in the repository) was legit. Are there announcements about key rotations?
> Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys?
> What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint?

307e3d54 is the 32bit key id.
5aaa90a5 is a UNIX timestamp (seconds since jan 1 1970).

3dbdc284 is the openSUSE signing key. (https://de.opensuse.org/openSUSE:Tumbleweed_installation references it for instance)
39db7c82 is the SUSE SLE 12 / SLE 15 signing key (see https://www.suse.com/support/security/keys/)
307e3d54 is the old SUSE SLE 11 signing key (see same url)

The SLE keys should not be required on Tumbleweed.

openSUSE Leap 15.3 needs 3 keys:
- the SLE 12/15 key
- the openSUSE key
- and also the openSUSE Backports key. (64bit key id 0x9C214D4065176565)

Ciao, Marcus
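
Added example, not part of the original thread: a small Python helper that splits a `gpg-pubkey-<key id>-<timestamp>` name into the two fields described in the reply and checks the 32-bit id against a 64-bit key id or fingerprint obtained from a secondary source. The function names are hypothetical, and the `gpg-pubkey-65176565-00000000` name is constructed (its timestamp field is a placeholder).

```python
import re
from datetime import datetime, timezone

# Name layout: gpg-pubkey-<32-bit key id>-<UNIX timestamp>, both as 8 hex digits.
NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})(?:\.asc)?$")


def parse_pubkey_name(name):
    """Split a gpg-pubkey name into (short key id, timestamp as UTC datetime)."""
    m = NAME_RE.match(name.strip().lower())
    if m is None:
        raise ValueError("not a gpg-pubkey name: %r" % name)
    key_id, stamp_hex = m.groups()
    return key_id, datetime.fromtimestamp(int(stamp_hex, 16), tz=timezone.utc)


def short_id_matches(name, published):
    """True if the name's 32-bit id is the tail of a published 64-bit key id
    or 160-bit fingerprint (hex, optional 0x prefix, spaces allowed).

    This only rules keys out: 32-bit ids are easy to collide, so a match
    still has to be followed by comparing the full fingerprint.
    """
    key_id, _ = parse_pubkey_name(name)
    norm = re.sub(r"\s+", "", published).lower()
    if norm.startswith("0x"):
        norm = norm[2:]
    if not re.fullmatch(r"[0-9a-f]{16}|[0-9a-f]{40}", norm):
        raise ValueError("expected a 64-bit key id or a 40-hex-digit fingerprint")
    return norm.endswith(key_id)


if __name__ == "__main__":
    # The three file names quoted in the question.
    for fname in ("gpg-pubkey-3dbdc284-53674dd4.asc",
                  "gpg-pubkey-39db7c82-5f68629b.asc",
                  "gpg-pubkey-307e3d54-5aaa90a5.asc"):
        kid, when = parse_pubkey_name(fname)
        print(kid, when.isoformat())
    # Constructed name: the timestamp field is a placeholder, not the real key's.
    print(short_id_matches("gpg-pubkey-65176565-00000000", "0x9C214D4065176565"))
```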