[opensuse] zypper: really no check for expiration of gpg keys?
Hi,

Meta data in OBS repo-md repositories (i.e., repomd. is usually signed with gpg. It seems that zypper does not check expiration of used gpg keys. (zypper 1.0.13 on openSUSE 11.1, in case that matters.)

As an example: http://download.opensuse.org/repositories/Apache:/MirrorBrain/Apache_openSUS... has a key that expired at April 1, 2010; i.e., 12 days ago. (The key has ID 0xBD6D129A and fingerprint EDDD C98D 96A0 F889 9AB0 7C78 9584 A164 BD6D 129A.)

I would have expected a warning or an error when this repository is refreshed, but nothing as such happens.

Is this known behaviour? An error in my configuration? A bug? A change request.

Any comments would be welcome,

Joachim

--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
On Tuesday 13 April 2010 00:16:29 Joachim Schrod wrote:
> Meta data in OBS repo-md repositories (i.e., repomd. is usually signed with gpg. It seems that zypper does not check expiration of used gpg keys.

You are right. We should check and display a warning. I filed a bug report for this at https://bugzilla.novell.com/show_bug.cgi?id=596037.

--
cu, Michael Andres
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
Michael Andres YaST Development ma@novell.com
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0
On Tue, Apr 13, 2010 at 12:16:29AM +0200, Joachim Schrod wrote:
> Meta data in OBS repo-md repositories (i.e., repomd. is usually signed with gpg. It seems that zypper does not check expiration of used gpg keys. (zypper 1.0.13 on openSUSE 11.1, in case that matters.)
>
> As an example: http://download.opensuse.org/repositories/Apache:/MirrorBrain/Apache_openSUS... has a key that expired at April 1, 2010; i.e., 12 days ago. (The key has ID 0xBD6D129A and fingerprint EDDD C98D 96A0 F889 9AB0 7C78 9584 A164 BD6D 129A.)
>
> I would have expected a warning or an error when this repository is refreshed, but nothing as such happens.

Same as with rpm ;-)

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
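
The expiry check discussed in this thread, as an added example that is not part of any message above and is not zypper's or rpm's code: it reads gpg's colon-format key listing and reports every key whose expiry time has passed. The helper names `expired_keys` and `sample_listing` are hypothetical, and the sample records are constructed: only the key ID (taken from the fingerprint quoted in the first message) and the April 1, 2010 expiry come from the thread.

```shell
#!/bin/sh
# Added example. expired_keys and sample_listing are hypothetical helper names.
# Assumes gpg's colon listing with epoch timestamps (GnuPG 2.x default):
# field 1 = record type, field 5 = key ID, field 7 = expiry time.

# expired_keys NOW: read a colon listing on stdin; for every primary key or
# subkey whose expiry is at or before NOW (epoch seconds), print the key ID
# and the number of whole days since it expired.
expired_keys() {
    awk -F: -v now="$1" '
        $1 != "pub" && $1 != "sub" { next }
        $7 == ""                   { next }   # key has no expiry date
        $7 !~ /^[0-9]+$/           { print $5, "unparsed-expiry"; next }
        $7 + 0 <= now + 0          { print $5, int((now - $7) / 86400) }
    '
}

# Constructed sample listing. First record: key ID from the thread, expiry
# 1270080000 = 2010-04-01 00:00:00 UTC; its creation time, size and algorithm
# are made up. The other two keys are entirely made up (no expiry / future).
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:9584A164BD6D129A:1207008000:1270080000::-:::scSC:
fpr:::::::::EDDDC98D96A0F8899AB07C789584A164BD6D129A:
pub:-:2048:1:1111111111111111:1262304000:::-:::scSC:
pub:-:2048:1:2222222222222222:1262304000:1900000000::-:::scSC:
EOF
}

# 1271116800 = 2010-04-13 00:00:00 UTC, the date of the report.
sample_listing | expired_keys 1271116800

# Real use on a recent GnuPG 2.x (the path is a placeholder):
#   gpg --show-keys --with-colons /path/to/repo-signing-key.asc \
#       | expired_keys "$(date +%s)"
```

A non-empty result is the condition under which a warning on repository refresh would be expected.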