Thank you, that takes me to my next question, why was zypper presenting a new key for this repository yesterday? Those keys were created long ago and do not expire yet. I should have kept logs, but the new key showed "created" as just yesterday which made me raise an eyebrow and not accept it. The fingerprint was B53D3904 D1BECAC7 105515A8 03760D81 E373818A. Based on my Googling history, I searched for "gpg-pubkey-e373818a-60c873ba" as well, which can only mean I saw such file, however I cannot find anything anymore. Does anyone recognize that key? I switched the tumbleweed repo HTTPs and apparently I wasn't asked again about the new key. I don't see it anywhere when I do `zypper lr <repo>` for all my repos. Regards, -- Hector ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, June 16th, 2021 at 3:42 PM, Marcus Meissner <meissner@suse.de> wrote:
On Wed, Jun 16, 2021 at 01:32:48PM +0000, Hector Sanjuan wrote:
Hello,
yesterday zypper complained about new package signing keys for:
http://download.opensuse.org/repositories/openSUSE:/Tumbleweed/standard/
However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of
gpg-pubkey-3dbdc284-53674dd4.asc
gpg-pubkey-39db7c82-5f68629b.asc
gpg-pubkey-307e3d54-5aaa90a5.asc
found in the repository) was legit. Are there announcements about key rotations?
Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys?
What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint ?
307e3d54 is the 32bit key id.
5aaa90a5 is a UNIX timestamp (seconds since jan 1 1970).
3dbdc284 is the openSUSE signing key. ( https://de.opensuse.org/openSUSE:Tumbleweed_installation references it for instance)
39db7c82 is the SUSE SLE 12 / SLE 15 signing key ( see https://www.suse.com/support/security/keys/ )
307e3d54 is the old SUSE SLE 11 signing key ( see same url)
The SLE keys should not be required on Tumbleweed.
openSUSE Leap 15.3 needs 3 keys:
- the SLE 12/15 key - the openSUSE key - and also the openSUSE Backports key. ( 64bit key id 0x9C214D4065176565 )
Ciao, Marcus