openSUSE admin

Hi
The Security Key was updated yesterday as per this notification;
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YVT6FO5QFKV7D6HLWV53UCYNPYMJKZ5E/

Dear SUSE admins,

Sorry for bogging you again, we may need to reopen #167221https://progress.opensuse.org/issues/167221#change-843901.

We are informed in #167221https://progress.opensuse.org/issues/167221#change-843901 that the signing key is rotated in the security devel project as per https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YVT6FO5QFKV7D6HLWV53UCYNPYMJKZ5E/

However, it seems that the signing key is created shortly after the project is being build and caused signature validation failure due to this time-conflict:

gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Mon Sep 23 12:21:17 2024 UTC using RSA key ID 6DD785CA
gpg: public key 6DD785CA is 398 seconds newer than the signature
gpg: Can't check signature: Time conflict

This signing key can also be found here: https://build.opensuse.org/projects/security/signing_keys and the repomd files are pulled from https://download.opensuse.org/repositories/security/SLE_12_SP5/repodata/.

We are wondering if this is related to the signing key being manually created after the project’s build, and causes this validation failure? We can see that the signature was made on Sep 23 12:21:17 2024 UTC while the signing new key is created on Sep 23 12:27:55 2024.

Would you mind looking into this issue and let us know if it can be fixed up-stream? Thank you so much for your help again!

Best,
John

Here is a log snippet from zypper –verbose refresh that may help, we can see we are indeed pulling this new signing key but still failed the signature validation:
Checking whether to refresh metadata for security-tools
Retrieving: media ...............................................................................................................................................................................................[not found]
Retrieving: repomd.xml.asc ...........................................................................................................................................................................................[done]
Retrieving: repomd.xml.key ...........................................................................................................................................................................................[done]
Retrieving: repomd.xml ...............................................................................................................................................................................................[done]
Repository: security-tools
Key Name: security OBS Project security@build.opensuse.orgsecurity@build.opensuse.org
Key Fingerprint: F9FA0223 B56B116C 363737EF 5DA57BDD 6DD785CA
Key Created: Mon Sep 23 12:27:55 2024
Key Expires: Wed Dec 2 12:27:55 2026
Rpm Name: gpg-pubkey-6dd785ca-66f15ecb
Signature verification failed for file 'repomd.xml' from repository 'security-tools'.

Hi,

sorry, but this is not part of the openSUSE infrastructure. You might want to consider reaching out to https://en.opensuse.org/openSUSE:Security_team.

Best,
Georg