On Friday 28 October 2016 01:16:26 Joe Damato wrote:
> Greetings:
>
> I was confused earlier today when trying to add a GPG-signed rpm-md
> type repository to my system. I noticed that zypper was listing the
> repository as not being signed. zypper refresh was telling me that the
> repository was signed with an unknown key and zypper lr was listing
> the repository as not supporting repo_gpgcheck.
>
> After some digging around the libzypper source (14.43.0) on my system
> (openSUSE 13.2) I believe I've tracked down the issue.
>
> The call to publicKeyExists in
> KeyRing::Impl::verifyFileSignatureWorkflow checks if the
> repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was
> signed with a subkey of a GPG key (instead of a primary key), this
> check will fail even though the call to VerifyFile would succeed.
>
> Is this a known issue?

No. Thanks for hunting and reporting it. 

I opened a bug at https://bugzilla.suse.com/show_bug.cgi?id=1008325

Please be so kind to attach your repomd.xml, .asc and .key file to the bug,
so we can verify a fix.

-- 

cu,
    Michael Andres

+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862  27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres       SUSE LINUX GmbH, Development,       m...@suse.com
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 74 053-0
+------------------------------------------------------------------+
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton
                    HRB 21284 (AG N├╝rnberg)
+------------------------------------------------------------------+
--
To unsubscribe, e-mail: zypp-devel+unsubscr...@opensuse.org
To contact the owner, e-mail: zypp-devel+ow...@opensuse.org

Reply via email to