Hello,

yesterday zypper complained about new package signing keys for:

http://download.opensuse.org/repositories/openSUSE:/Tumbleweed/standard/

However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of

gpg-pubkey-3dbdc284-53674dd4.asc
gpg-pubkey-39db7c82-5f68629b.asc
gpg-pubkey-307e3d54-5aaa90a5.asc

found in the repository) was legit. Are there announcements about key rotations?

Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys?

What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint?

The fact that half of my repos were added with HTTP by default (1-click-installs etc.) and that I could not readily verify if new keys are legit defeats a lot of the purpose of having signed packages.

Regards,
--
Hector
On Wed, Jun 16, 2021 at 01:32:48PM +0000, Hector Sanjuan wrote:
Hello,
yesterday zypper complained about new package signing keys for:
However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of
gpg-pubkey-3dbdc284-53674dd4.asc gpg-pubkey-39db7c82-5f68629b.asc gpg-pubkey-307e3d54-5aaa90a5.asc
found in the repository) was legit. Are there announcements about key rotations?
Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys?
What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint ?
307e3d54 is the 32bit key id.
5aaa90a5 is a UNIX timestamp (seconds since Jan 1 1970).

3dbdc284 is the openSUSE signing key. (https://de.opensuse.org/openSUSE:Tumbleweed_installation references it for instance)
39db7c82 is the SUSE SLE 12 / SLE 15 signing key (see https://www.suse.com/support/security/keys/)
307e3d54 is the old SUSE SLE 11 signing key (see same url)

The SLE keys should not be required on Tumbleweed.

openSUSE Leap 15.3 needs 3 keys:
- the SLE 12/15 key
- the openSUSE key
- and also the openSUSE Backports key. (64bit key id 0x9C214D4065176565)

Ciao, Marcus
Thank you,

that takes me to my next question, why was zypper presenting a new key for this repository yesterday? Those keys were created long ago and do not expire yet.

I should have kept logs, but the new key showed "created" as just yesterday which made me raise an eyebrow and not accept it.

The fingerprint was B53D3904 D1BECAC7 105515A8 03760D81 E373818A.

Based on my Googling history, I searched for "gpg-pubkey-e373818a-60c873ba" as well, which can only mean I saw such a file, however I cannot find anything anymore. Does anyone recognize that key?

I switched the Tumbleweed repo to HTTPS and apparently I wasn't asked again about the new key. I don't see it anywhere when I do `zypper lr <repo>` for all my repos.

Regards,
--
Hector
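As an added example (not code from anyone in this thread): a small Python script that applies Marcus's explanation of the gpg-pubkey-<keyid>-<timestamp> naming to the package name and fingerprint Hector reports, checking that the two agree and whether the key id is one of the keys Marcus lists. The expected-key table and its labels are taken only from this thread and are an assumption for illustration, not an authoritative list.

```python
# Added example (not code from this thread): decode rpm's
# gpg-pubkey-<keyid>-<timestamp> names and cross-check a key against the
# signing keys named in the thread. That table is NOT authoritative; a real
# check uses the vendor list at https://www.suse.com/support/security/keys/.
import re
from datetime import datetime, timezone

# rpm stores an imported key as a pseudo-package: version = low 32 bits of the
# key id, release = key creation time as a hex UNIX timestamp.
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})(?:\.asc)?$")

# 32-bit ids Marcus lists. The Backports key is given as a 64-bit id,
# 0x9C214D4065176565; its 32-bit form is the low 8 hex digits.
EXPECTED_KEYS = {
    "3dbdc284": "openSUSE signing key",
    "39db7c82": "SUSE SLE 12 / SLE 15 signing key",
    "307e3d54": "SUSE SLE 11 signing key (old)",
    "9c214d4065176565"[-8:]: "openSUSE Backports key",
}

def parse_pubkey_name(name):
    """'gpg-pubkey-e373818a-60c873ba' -> ('e373818a', creation time in UTC)."""
    m = PUBKEY_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not a gpg-pubkey package name: {name!r}")
    keyid, ts_hex = m.groups()
    return keyid, datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)

def short_keyid(fingerprint):
    """The 32-bit key id is the last 8 hex digits of a 160-bit v4 fingerprint."""
    hexstr = re.sub(r"\s+", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexstr):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return hexstr[-8:]

def assess(name, fingerprint):
    """Return (keyid, created, label or None). Raises if the package name
    does not belong to the fingerprint zypper displayed."""
    keyid, created = parse_pubkey_name(name)
    if keyid != short_keyid(fingerprint):
        raise ValueError("package name and displayed fingerprint disagree")
    return keyid, created, EXPECTED_KEYS.get(keyid)

if __name__ == "__main__":
    # Values as reported in the thread: the package name Hector searched for
    # and the fingerprint zypper showed him.
    kid, when, label = assess("gpg-pubkey-e373818a-60c873ba",
                              "B53D3904 D1BECAC7 105515A8 03760D81 E373818A")
    print(kid, when.isoformat(), label or "NOT in the expected-key table")
```

For Hector's values the script confirms that e373818a is the key id belonging to the displayed fingerprint, that 60c873ba decodes to 2021-06-15 (the "created yesterday" he saw), and that the id is not among the keys Marcus named, which is exactly the situation that warrants checking the vendor's published key list before accepting.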
Hi,

It should not have been presented by zypper ... really from the Tumbleweed repo, not from another repo?

Due to the openSUSE-build-key package update I would guess there on the system, but this would not show on zypper.

Ciao, Marcus

On Wed, Jun 16, 2021 at 02:16:26PM +0000, Hector Sanjuan wrote:
Thank you,
that takes me to my next question, why was zypper presenting a new key for this repository yesterday? Those keys were created long ago and do not expire yet.
I should have kept logs, but the new key showed "created" as just yesterday which made me raise an eyebrow and not accept it.
The fingerprint was B53D3904 D1BECAC7 105515A8 03760D81 E373818A.
Based on my Googling history, I searched for "gpg-pubkey-e373818a-60c873ba" as well, which can only mean I saw such file, however I cannot find anything anymore. Does anyone recognize that key?
I switched the tumbleweed repo HTTPs and apparently I wasn't asked again about the new key. I don't see it anywhere when I do `zypper lr <repo>` for all my repos.
Regards, -- Hector
Hi,

(re-arranged email for bottom posting now, sorry for not respecting it before)

I know it sounds hard to believe but I don't have any other repo signed with that key (E373818A). The gpg-pubkey RPM for that key is not installed (I did not accept it in the end).

Zypper proposed it for http://download.opensuse.org/repositories/openSUSE:/Tumbleweed/standard/. The key name was official looking (something like "openSUSE Project Signing Key"). It was shown as created yesterday (15/6/2021) and expiring in 2025 I think.

It was just weird that a key for an official repo was updated right on the day I refreshed the repos and this made me start looking around for it, googling it and eventually asking here. The fact I could not find it anywhere worried me and here we are tracking a ghost.

If there is any plausible explanation other than that I've been MitM'ed, I'd like to hear it :). For example, is download.opensuse.org using 3rd party mirrors under the hood?

Hector