What is the best-practice workflow for PGP pubkey handling when adding repos?
I was adding some non-default repos on 15.4 just recently, and zypper ar .... comes up with a three-fold question on whether to add some GPG key temporarily, or decline, or add it permanently, or something. Some longer key fingerprint is given. How are users supposed to check this? Also, I still fail to understand where one can actually find this key by a second, alternate means. I often try to fetch them from pgp.mit.edu, but it is often overloaded and barely gives out SUSE build infrastructure keys. I often submit SUSE keys there whenever they are lacking them at MIT.

Anyhow, as far as I remember there are some pubkey files in the repo itself where zypper and rpm and whatnot fetch the keys from, but where else are they originally to be found? What would be the primary source for these projects and subprojects and build infrastructure etc.?

Is there a PGP keyserver at openSUSE actually for all their projects and users and staff keys and so on?

What is the way a normal user is to behave with that zypper user dialog, or also the YaST dialogs, when adding repos, be it openSUSE/SUSE public PGP keys or others?

How are you guys doing this step of establishing and verifying trust? ty
On 2022-05-12 15:19, cagsm wrote:
> I was adding some non-default repos on 15.4 just recently, and zypper ar ....
> comes up with a three-fold question on whether to add some GPG key temporarily, or decline, or add it permanently, or something. Some longer key fingerprint is given.
> How are users supposed to check this? Also, I still fail to understand where one can actually find this key by a second, alternate means. I often try to fetch them from pgp.mit.edu, but it is often overloaded and barely gives out SUSE build infrastructure keys. I often submit SUSE keys there whenever they are lacking them at MIT.
Apparently, the PGP keyserver network is dead. Several servers do not respond anymore, and they don't seem to communicate keys across them. There existed, apparently, a <hkps://keyserver.opensuse.org/>, but the domain does not exist anymore. I think that there was an attack on such servers in 2019, filling them up with data till they crashed or they were disabled. I seem to recall that there was no way to remove those fake keys from the database. I don't know of a link explaining what happened.
> Anyhow, as far as I remember there are some pubkey files in the repo itself where zypper and rpm and whatnot fetch the keys from, but where else are they originally to be found? What would be the primary source for these projects and subprojects and build infrastructure etc.?
> Is there a PGP keyserver at openSUSE actually for all their projects and users and staff keys and so on?
> What is the way a normal user is to behave with that zypper user dialog, or also the YaST dialogs, when adding repos, be it openSUSE/SUSE public PGP keys or others?
> How are you guys doing this step of establishing and verifying trust? ty
Good questions.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.3 x86_64 at Telcontar)
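The fingerprint the zypper dialog shows is not an opaque token: it is a SHA-1 hash computed over the public-key packet in the key file the repo publishes (the one zypper fetches, assumed here to be the repo's repodata/repomd.xml.key), as specified in RFC 4880. The following is an added example, not code from this thread or from openSUSE, that recomputes that fingerprint from an armored key file with the standard library only, so the value in the dialog can be compared against the key file itself and against a fingerprint the project publishes out of band. The sample key it builds when run without arguments is constructed and not a real key; it contains only the public-key packet, which is enough for the fingerprint even though gpg itself would want a user ID and self-signature as well.

```python
"""Recompute the OpenPGP v4 fingerprint of an ASCII-armoured public key file.

Added example (not from the thread). Reproduces the value that
`gpg --show-keys --with-fingerprint repomd.xml.key` prints, so the fingerprint
zypper shows in its "trust this key?" dialog can be checked offline.
"""
import base64
import hashlib
import sys


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, the armor checksum."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_decode(armored):
    """Strip BEGIN/END lines and armor headers, base64-decode, verify the CRC24."""
    body, in_body, crc_line = [], False, None
    for line in armored.splitlines():
        s = line.strip()
        if s.startswith("-----BEGIN"):
            continue
        if s.startswith("-----END"):
            break
        if not in_body:
            if s == "":
                in_body = True      # blank line ends the armor headers
                continue
            if ":" in s:
                continue            # armor header such as "Version: GnuPG v2"
            in_body = True          # no headers at all: first data line
        if s.startswith("="):
            crc_line = s            # "=XXXX": checksum of the decoded data
        elif s:
            body.append(s)
    data = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC24 mismatch: key file is corrupt or tampered")
    return data


def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880 section 4.2)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                  # new-format header
        tag, b1 = hdr & 0x3F, data[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + data[2] + 192, 3
        elif b1 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                           # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]


def v4_fingerprint(pubkey_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def fingerprint_of_binary(data):
    tag, body = first_packet(data)
    if tag != 6:
        raise ValueError("expected a Public-Key packet (tag 6), got tag %d" % tag)
    return v4_fingerprint(body)


def fingerprint_of_armored_key(armored):
    return fingerprint_of_binary(armor_decode(armored))


def key_id(fpr_hex):
    """64-bit key ID = low 8 bytes of the fingerprint; rpm's gpg-pubkey-XXXXXXXX names use its low 32 bits."""
    return fpr_hex[-16:]


def pretty(fpr_hex):
    """Blocks of four, as gpg and the zypper dialog display it."""
    return " ".join(fpr_hex[i:i + 4] for i in range(0, 40, 4))


def _mpi(n):
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_key():
    """Constructed 64-bit RSA public-key packet (NOT a real key) for offline use."""
    body = (b"\x04"                                       # version 4
            + (1_600_000_000).to_bytes(4, "big")          # creation time
            + b"\x01"                                     # algorithm 1 = RSA
            + _mpi(0xC0FFEE0123456789) + _mpi(0x010001))  # n and e, made up
    packet = b"\x99" + len(body).to_bytes(2, "big") + body   # old-format header, tag 6
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    armored = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
               "Comment: constructed sample, not a real key\n\n"
               + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
               + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
    return armored, packet


if __name__ == "__main__":
    if len(sys.argv) > 1:        # e.g. a downloaded repodata/repomd.xml.key
        text = open(sys.argv[1], encoding="ascii").read()
    else:
        text, _ = build_sample_key()
    fpr = fingerprint_of_armored_key(text)
    print("fingerprint:", pretty(fpr))
    print("key ID     :", key_id(fpr), "(rpm name gpg-pubkey-%s-...)" % key_id(fpr)[-8:].lower())
```

Run it against a downloaded key file and compare the printed fingerprint with the one in the zypper dialog; a match only proves the dialog shows the key the repo serves, so the second comparison, against a fingerprint obtained from a different channel than the repo itself, is the one that establishes trust. Keys already imported can be listed with rpm -q gpg-pubkey and inspected with rpm -qi on one of those names, whose eight hex digits are the low 32 bits of the key ID printed above.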