I was confused earlier today when trying to add a GPG-signed rpm-md
type repository to my system. I noticed that zypper was listing the
repository as not being signed. zypper refresh was telling me that the
repository was signed with an unknown key and zypper lr was listing
the repository as not supporting repo_gpgcheck.

After some digging around the libzypper source (14.43.0) on my system
(openSUSE 13.2) I believe I've tracked down the issue.

The call to publicKeyExists in
KeyRing::Impl::verifyFileSignatureWorkflow checks if the
repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was
signed with a subkey of a GPG key (instead of a primary key), this
check will fail even though the call to VerifyFile would succeed.

Is this a known issue?

Not sure what the best solution is for zypper, but one potential
solution would be to simply ask GPG to verify the signature using the
general keyring without first checking if a matching key id is in the
keyring. The logic in verifyFileSignatureWorkflow can then be
simplified as GPG would figure out if there's a matching key and this
issue would be avoided.
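The lookup mismatch described in this message, as an added example that is not part of the original post and is not libzypp code: it parses a listing in the colon-delimited format produced by `gpg --list-keys --with-colons` and compares a primary-only key ID check with one that also resolves subkeys. The sample listing, the key IDs and the function names are constructed for illustration, and the primary-only check models the behaviour the post describes rather than reproducing the library's source.

```python
# Added example: models the key-ID lookup mismatch described in the post.
# SAMPLE_KEYRING is constructed; the key IDs are made up.
SAMPLE_KEYRING = """\
pub:-:4096:1:AAAA1111BBBB2222:1400000000:::-:::scESC:
uid:-::::1400000000::::Example Repo <repo@example.invalid>:
sub:-:4096:1:CCCC3333DDDD4444:1400000000::::::s:
sub:-:4096:1:EEEE5555FFFF6666:1400000000::::::e:
pub:-:2048:1:0123456789ABCDEF:1300000000:::-:::scESC:
"""


def parse_keyring(colon_listing):
    """Map each primary key ID to the set of its subkey IDs."""
    keys = {}
    current = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        # Field 1 is the record type, field 5 the 64-bit key ID.
        record, key_id = fields[0], fields[4].upper()
        if record == "pub":
            current = key_id
            keys[current] = set()
        elif record == "sub" and current is not None:
            keys[current].add(key_id)
    return keys


def primary_only_known(keys, issuer_id):
    """Pre-check that only compares the issuer against primary key IDs."""
    return issuer_id.upper() in keys


def resolve_issuer(keys, issuer_id):
    """Return the primary key ID that owns issuer_id, or None if unknown."""
    issuer_id = issuer_id.upper()
    for primary, subkeys in keys.items():
        if issuer_id == primary or issuer_id in subkeys:
            return primary
    return None


if __name__ == "__main__":
    keys = parse_keyring(SAMPLE_KEYRING)
    for issuer in ("AAAA1111BBBB2222", "CCCC3333DDDD4444", "9999999999999999"):
        print(issuer, primary_only_known(keys, issuer), resolve_issuer(keys, issuer))
```

Resolving the issuer only answers whether the signing key belongs to a known primary key; whether the signature is valid still has to come from GPG's own verification.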
