Greetings: I was confused earlier today when trying to add a GPG-signed rpm-md type repository to my system. I noticed that zypper was listing the repository as not being signed. zypper refresh was telling me that the repository was signed with an unknown key and zypper lr was listing the repository as not supporting repo_gpgcheck.
After some digging around the libzypper source (14.43.0) on my system (openSUSE 13.2) I believe I've tracked down the issue. The call to publicKeyExists in KeyRing::Impl::verifyFileSignatureWorkflow checks if the repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was signed with a subkey of a GPG key (instead of a primary key), this check will fail even though the call to VerifyFile would succeed. Is this a known issue? Not sure what the best solution is for zypper, but one potential solution would be to simply ask GPG to verify the signature using the general keyring without first checking if a matching key id is in the keyring. The logic in verifyFileSignatureWorkflow can then be simplified as GPG would figure out if there's a matching key and this issue would be avoided. Thanks, Joe -- To unsubscribe, e-mail: zypp-devel+unsubscr...@opensuse.org To contact the owner, e-mail: zypp-devel+ow...@opensuse.org
