tickets #167221
closed: security-tools repo signature validation failure
Description
Hi SUSE admins,
We tried to install gettext-runtime on our SLES12 SP5 machine from download.opensuse.org and failed with "Signature verification failed for file 'repomd.xml' from repository 'security-tools'" from https://download.opensuse.org/repositories/security/SLE_12_SP5.
We also noticed that the particular security-tools repo was only updated less than a day ago, which does correspond to the timing of our outage. I have attached the full log from the VM for the zypper installation command.
Would you mind helping us investigate if this is something from the repo side? Thank you so much for your help!
Best,
John
zypper install --force-resolution --no-recommends gettext-runtime
Refreshing service 'Advanced_Systems_Management_Module_x86_64'.
Refreshing service 'Containers_Module_x86_64'.
Refreshing service 'HPC_Module_x86_64'.
Refreshing service 'Legacy_Module_x86_64'.
Refreshing service 'Public_Cloud_Module_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Software_Development_Kit_x86_64'.
Refreshing service 'Toolchain_Module_x86_64'.
Refreshing service 'Web_and_Scripting_Module_x86_64'.
Retrieving repository 'security-tools' metadata -------------------------------------------------------------------------------------------------------------------------------------------------------------------------[]
Signature verification failed for file 'repomd.xml' from repository 'security-tools'.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: This file was modified after it has been signed. This may have been a malicious change,
so it might not be trustworthy anymore! You should not continue unless you know it's safe.
Signature verification failed for file 'repomd.xml' from repository 'security-tools'. Continue? yes/no: no
Retrieving repository 'security-tools' metadata .....................................................................................................................................................................[error]
Repository 'security-tools' is invalid.
[security-tools|https://download.opensuse.org/repositories/security/SLE_12_SP5/] Valid metadata not found at specified URL
Please check if the URIs defined for this repository are pointing to a valid repository.
Updated by malcolmlewis 3 months ago
- Status changed from New to Resolved
Hi
The Security Key was updated yesterday as per this notification;
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YVT6FO5QFKV7D6HLWV53UCYNPYMJKZ5E/
Updated by john.wang06@sap.com 3 months ago
- Status changed from Resolved to New
Dear SUSE admins,
Sorry for bugging you again, we may need to reopen #167221 (https://progress.opensuse.org/issues/167221#change-843901).
We are informed in #167221 (https://progress.opensuse.org/issues/167221#change-843901) that the signing key is rotated in the security devel project as per https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YVT6FO5QFKV7D6HLWV53UCYNPYMJKZ5E/
However, it seems that the signing key was created shortly after the project was built and caused signature validation failure due to this time conflict:
gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Mon Sep 23 12:21:17 2024 UTC using RSA key ID 6DD785CA
gpg: public key 6DD785CA is 398 seconds newer than the signature
gpg: Can't check signature: Time conflict
This signing key can also be found here: https://build.opensuse.org/projects/security/signing_keys and the repomd files are pulled from https://download.opensuse.org/repositories/security/SLE_12_SP5/repodata/.
We are wondering if this is related to the signing key being manually created after the project's build, and causes this validation failure? We can see that the signature was made on Sep 23 12:21:17 2024 UTC while the new signing key was created on Sep 23 12:27:55 2024.
Would you mind looking into this issue and let us know if it can be fixed up-stream? Thank you so much for your help again!
Best,
John
Here is a log snippet from zypper --verbose refresh that may help; we can see we are indeed pulling this new signing key but still fail the signature validation:
Checking whether to refresh metadata for security-tools
Retrieving: media ...............................................................................................................................................................................................[not found]
Retrieving: repomd.xml.asc ...........................................................................................................................................................................................[done]
Retrieving: repomd.xml.key ...........................................................................................................................................................................................[done]
Retrieving: repomd.xml ...............................................................................................................................................................................................[done]
Repository: security-tools
Key Name: security OBS Project <security@build.opensuse.org>
Key Fingerprint: F9FA0223 B56B116C 363737EF 5DA57BDD 6DD785CA
Key Created: Mon Sep 23 12:27:55 2024
Key Expires: Wed Dec 2 12:27:55 2026
Rpm Name: gpg-pubkey-6dd785ca-66f15ecb
Signature verification failed for file 'repomd.xml' from repository 'security-tools'.
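The time conflict John describes above (a signature made at 12:21:17 UTC by a key whose public-key packet says it was created at 12:27:55 UTC) can be checked without gpg by reading the creation timestamps straight out of the OpenPGP packets. The Python script below is an added example written for this ticket, not code from zypper, gpg or openSUSE: it parses the minimal subset of RFC 4880 needed here (old- and new-format packet headers, the v4 public-key packet, and the hashed subpackets of a v4 signature), compares the two timestamps, and rebuilds the `gpg-pubkey-<keyid>-<hex time>` RPM name that zypper prints. The key and signature packets are constructed inline with the timestamps and key ID from the ticket and stub MPIs (they carry no real key material); `check_time_conflict`, `rpm_pubkey_name` and the other helper names are the example's own.

```python
"""Read OpenPGP creation times to detect gpg's "public key is newer than the signature" time conflict."""
import base64
import struct
from datetime import datetime, timezone

def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes from ASCII-armored (repomd.xml.key/.asc style) or binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, inside = [], False
    for line in data.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)  # armor headers, the blank separator and the CRC24 line are skipped
    return base64.b64decode("".join(body))

def packets(data: bytes):
    """Yield (tag, body) per RFC 4880 packet header; partial/indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if hdr & 0x40:                                   # new format: tag in the low 6 bits
            tag, b0 = hdr & 0x3F, data[i]
            i += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[i] + 192
                i += 1
            else:
                raise ValueError("unsupported packet length form")
        else:                                            # old format: tag in bits 2-5, length type in 0-1
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            if not n:
                raise ValueError("indeterminate packet length not supported")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def signature_info(body: bytes) -> dict:
    """Creation time (subpacket 2) and issuer key ID (subpacket 16) from a v4 signature packet."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    sub, info, j = body[6:6 + struct.unpack(">H", body[4:6])[0]], {}, 0
    while j < len(sub):
        n = sub[j]                                       # subpacket length, counting the type byte
        j += 1
        if 192 <= n < 255:
            n = ((n - 192) << 8) + sub[j] + 192
            j += 1
        elif n == 255:
            raise ValueError("5-octet subpacket length not supported")
        stype, sbody = sub[j] & 0x7F, sub[j + 1:j + n]
        j += n
        if stype == 2:
            info["created"] = struct.unpack(">I", sbody)[0]
        elif stype == 16:
            info["issuer"] = sbody.hex().upper()
    return info

def check_time_conflict(key_data: bytes, sig_data: bytes) -> dict:
    """Compare the v4 public key's creation time with the signature's creation time."""
    key = next(b for t, b in packets(dearmor(key_data)) if t == 6)   # tag 6: public-key packet
    if key[0] != 4:
        raise ValueError(f"unsupported key version {key[0]}")
    key_created = struct.unpack(">I", key[1:5])[0]                   # version byte, then 4-byte time
    sig = next(signature_info(b) for t, b in packets(dearmor(sig_data)) if t == 2)
    skew = key_created - sig["created"]   # positive: gpg reports "public key is N seconds newer"
    return {"key_created": key_created, "sig_created": sig["created"], "issuer": sig.get("issuer"),
            "key_newer_by": skew, "time_conflict": skew > 0}

def rpm_pubkey_name(issuer_keyid_hex: str, created: int) -> str:
    """rpm names an imported key gpg-pubkey-<low 32 bits of key ID>-<creation time in hex>."""
    return f"gpg-pubkey-{issuer_keyid_hex[-8:].lower()}-{created:08x}"

def armor(data: bytes, kind: str) -> bytes:
    """ASCII-armor packets the way the repodata files are served (CRC24 line stubbed)."""
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN PGP {kind}-----\nVersion: constructed\n\n{b64}\n=stub\n-----END PGP {kind}-----\n".encode()

# Constructed sample packets (stub MPIs, no real key material) carrying the ticket's timestamps and key ID.
KEY_CREATED, SIG_CREATED = 1727094475, 1727094077   # Sep 23 2024 12:27:55 UTC and 12:21:17 UTC
ISSUER = bytes.fromhex("5DA57BDD6DD785CA")          # low 64 bits of the fingerprint in the zypper log
_key = b"\x04" + struct.pack(">I", KEY_CREATED) + b"\x01" + b"\x00\x08\x01" * 2    # v4, RSA, stub MPIs
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(_key)) + _key                          # old-format header, tag 6
_hashed = b"\x05\x02" + struct.pack(">I", SIG_CREATED) + b"\x09\x10" + ISSUER      # subpackets 2 and 16
_sig = b"\x04\x00\x01\x08" + struct.pack(">H", len(_hashed)) + _hashed + b"\x00\x00\xab\xcd\x00\x08\x01"
SAMPLE_SIG = b"\xc2" + bytes([len(_sig)]) + _sig                                    # new-format header, tag 2

if __name__ == "__main__":
    r = check_time_conflict(armor(SAMPLE_KEY, "PUBLIC KEY BLOCK"), armor(SAMPLE_SIG, "SIGNATURE"))
    ts = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")
    print(f"signature made {ts(r['sig_created'])}; key {rpm_pubkey_name(r['issuer'], r['key_created'])} created {ts(r['key_created'])}")
    print(f"public key is {r['key_newer_by']} seconds newer than the signature" if r["time_conflict"] else "no time conflict")
```

Pointed at the real repomd.xml.key and repomd.xml.asc from the repodata directory (both ASCII-armored, which `dearmor` handles), the same `check_time_conflict` call reports whether the key's creation time postdates the signature's; a positive `key_newer_by` is exactly the condition behind gpg's "Time conflict" message, and it points at the repository side (when the key and the signature were produced), not at the client's keyring. The RPM name in the zypper log already carries the same information: the trailing `66f15ecb` is the key creation time in hex, which decodes to 12:27:55 UTC on Sep 23 2024, six and a half minutes after the signature in the gpg output.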
Updated by crameleon 3 months ago
- Status changed from New to Closed
Hi,
sorry, but this is not part of the openSUSE infrastructure. You might want to consider reaching out to https://en.opensuse.org/openSUSE:Security_team.
Best,
Georg