My rpm-md style repository contains *both* repository metadata GPG
signatures (i.e. repomd.xml.asc) and RPM packages which have GPG
signatures, created via rpm --addsign.

On a YUM-based system (e.g., CentOS 7), I simply need to list all the
necessary URLs for both repository GPG and package signing public keys
with gpgkey=. When I update the metadata (via yum makecache) all
listed keys are automatically imported to the correct place; package
signing keys into rpm db and the repository signing key into the YUM

On OpenSUSE 42.3 with zypper 1.13.40 and libzypp 16.17.10, I have
noticed that none of the URLs specified with gpgkey= seem to be
imported even after I run zypper --gpg-auto-import-keys refresh
reponame. I have verified this by running rpm -qa | grep gpg-pubkey
and saw that the keys specified in the repository configuration file
were not imported to RPM DB. It seems that the only way to import a
package signing key on OpenSUSE 42.3 for an rpm-md style repository is
to run rpm --import file.key.

Is this a known issue? Perhaps I am doing something wrong; maybe there
is another command I should run to get zypper to import the keys
listed with gpgkey other than "refresh" ?

If my observation is correct that gpgkeys are not currently being
imported by zypper, there might be a relatively straightforward
solution: it appears that gpgkey URLs are being parsed from the repo
config, they just aren't being used. Perhaps in
RepoManager::Impl::refreshMetadata in addition to downloading the raw
repository metadata and repository signing key into the cache
directory, libzypp could also iterate across gpgKeyUrls() (via the
RepoInfo object reference which is passed in), download the keys, and
import them into rpm DB (if they have not already been imported).

To unsubscribe, e-mail:
To contact the owner, e-mail:

Reply via email to