error trying to download/install a package from local repository

Dear zypper community,

I have a community Sonatype Nexus repository. I would like to install a package but I am getting the following error:

HEADER V3 RSA/SHA256 Signature, Key ID: XXXXX NOKEY

I have the impression this is a Sonatype error, but I don't know what to explain to them so they can tell me what's wrong or how to fix it, since this may be a zypper error message and other developers may not be familiar with it.

Could you please guide me on what this error means and what triggers it, so I can explain it to the Sonatype community?

Thank you very much

On Friday 28 June 2024 00:52:09 masber masber wrote:
> Dear zypper community,
> I have a community Sonatype Nexus repository. I would like to install a package but I am getting the following error:
> HEADER V3 RSA/SHA256 Signature, Key ID: XXXXX NOKEY
> I have the impression this is a Sonatype error, but I don't know what to explain to them so they can tell me what's wrong or how to fix it, since this may be a zypper error message and other developers may not be familiar with it.
> Could you please guide me on what this error means and what triggers it, so I can explain it to the Sonatype community?
The error message originates from rpm: RPM packages may be signed by the issuer using their GPG key. When the package is to be installed on a system, rpm tries to check this signature to be sure no one tampered with the package on its way from the issuer to the user.

rpm maintains a set of known and trusted GPG keys in its database. They are stored as gpg-pubkey pseudo packages (`rpm -qi gpg-pubkey`). These keys can be removed like packages (`rpm -e`) and added via `rpm --import KEYFILE`.

The above message tells you that the package was signed by a GPG key with ID XXXXX. The key however is not available in the rpmdb (NOKEY). So rpm is not able to verify the authenticity of the package.

In an ideal zypper world, the repository's metadata are also signed with the issuer's key. When you add the repository and the signing key is not in the rpmdb, zypper asks whether you want to trust the issuer's key - if this key is shipped along with the repo. Your job is to make sure the key's fingerprint is actually the one used by the issuer. Many issuers e.g. publish the keys they use on their website. Once confirmed, zypper imports this key into the rpm database. Packages signed with this key can now be installed without this warning.

In addition, zypper (by default) allows installing packages with a missing key IF the repository metadata describing the package were signed with a trusted key AND the local rpm package matches the checksum mentioned in the signed metadata.

So if the Sonatype community repo signs its packages, they will also have the GPG key published somewhere (on their website or along with the repo...). Download the key to a local KEYFILE; call (as root) `rpm --import KEYFILE` and packages signed with this key will be installed without this warning.
-- 
cu,
Michael Andres

+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres (he/him/his), Engineering & Innovation, ma@suse.com
+------------------------------------------------------------------+
SUSE Software Solutions Germany GmbH www.suse.com
Frankenstr. 146, 90461 Nuernberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
+------------------------------------------------------------------+
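The triage Michael describes, written out as an added shell example (this is not part of the thread, nor code from rpm, zypper or Sonatype): pull the key ID out of the NOKEY warning, check whether a matching gpg-pubkey pseudo package is already in the rpmdb, and only import a downloaded key after its fingerprint matches the one the issuer publishes. The package name, key IDs, timestamps and sample rpmdb listing are constructed placeholders; `rpm -qpi`, `rpm -q gpg-pubkey`, `rpm --import`, `rpm -K` and `gpg --import-options show-only` are the real commands. The two pure functions run offline; the two live ones need rpm and gpg on the box.

```shell
#!/bin/sh
# Added example (not from the thread): triage an rpm "NOKEY" warning.
#  1. extract the signing key ID from the warning (or from rpm's own signature query)
#  2. check whether a gpg-pubkey pseudo package for it exists in the rpmdb
#  3. import the issuer's key only after its fingerprint matches the published one
# All sample data below is constructed.

# rpm prints either the 8-digit short key ID (older rpm) or the 16-digit long one.
# The pseudo package is always named gpg-pubkey-<low 8 hex digits, lowercase>-<hex time>,
# so normalise to those 8 digits.
short_key_id() {
  printf '%s\n' "$1" \
    | sed -n 's/.*[Kk]ey ID[: ]*\([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
    | tr 'A-F' 'a-f' \
    | sed 's/.*\(........\)$/\1/'
}

# $1 = short key ID, $2 = output of `rpm -q gpg-pubkey` (one package name per line)
key_in_rpmdb() {
  printf '%s\n' "$2" | grep -q "^gpg-pubkey-$1-"
}

# Live variant (needs rpm): read the signature of a downloaded .rpm and compare
# against the real rpmdb. Returns 0 if the signing key is already imported.
signing_key_imported() {
  sig=$(rpm -qpi "$1" 2>/dev/null | sed -n 's/^Signature *: //p')
  id=$(short_key_id "$sig")
  [ -n "$id" ] && key_in_rpmdb "$id" "$(rpm -q gpg-pubkey 2>/dev/null)"
}

# Before importing, compare the key's fingerprint with the one the issuer publishes.
# A NOKEY warning is exactly what you would also see if something between you and
# the issuer re-signed packages with a key of its own, so do not skip this step.
# $1 = KEYFILE, $2 = published fingerprint (40 hex digits, spaces allowed)
import_key_if_fingerprint_matches() {
  expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  actual=$(gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch or unreadable key, refusing to import $1" >&2
    return 1
  fi
  rpm --import "$1"   # run as root; afterwards `rpm -K pkg.rpm` should report signatures OK
}

# Constructed sample: the warning from the thread with a placeholder key ID, and an
# rpmdb that holds two unrelated keys but not the one the package was signed with.
SAMPLE_WARNING='warning: nexus-tool-1.2.3-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0123456789abcdef: NOKEY'
SAMPLE_RPMDB='gpg-pubkey-deadbeef-5f000000
gpg-pubkey-cafef00d-5f000001'

id=$(short_key_id "$SAMPLE_WARNING")
if key_in_rpmdb "$id" "$SAMPLE_RPMDB"; then
  echo "key $id is already imported; NOKEY must have another cause"
else
  echo "key $id is not in the rpmdb: fetch the issuer's key, verify its fingerprint, then rpm --import"
fi
```

On a real system, `signing_key_imported ./pkg.rpm` tells you whether the step is even needed, and `import_key_if_fingerprint_matches KEYFILE 'XXXX XXXX ...'` refuses to touch the rpmdb unless the downloaded key is the one the issuer advertises.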