Bugzilla – Full Text Bug Listing
| Summary: | rpm spits warnings about unsupported key format | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Dominique Leuenberger <dimstar> |
| Component: | Basesystem | Assignee: | Michael Schröder <mls> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | abittner, jnelson-suse, lnussel, meissner |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Dominique Leuenberger
2017-03-13 08:17:40 UTC
> rpm -vv -qf /etc
ufdio: 1 reads, 18883 total bytes in 0.000006 secs
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:private:0x201
D: opening db index /var/lib/rpm/Packages 0x400 mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name nofsync:0x400 mode=0x0
D: read h# 168 Header sanity check: OK
warning: Unsupported version of key: V3
D: read h# 335 Header sanity check: OK
D: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
D: read h# 390 Header sanity check: OK
D: added key gpg-pubkey-0f2672c8-47965633 to keyring
D: read h# 991 Header sanity check: OK
D: added key gpg-pubkey-307e3d54-4be01a65 to keyring
D: read h# 1337 Header sanity check: OK
D: added key gpg-pubkey-56b4177a-4be18cab to keyring
D: read h# 1460 Header sanity check: OK
D: added key gpg-pubkey-7fac5991-4615767f to keyring
D: read h# 1908 Header sanity check: OK
D: added key gpg-pubkey-61e7d06c-47d96e43 to keyring
D: read h# 2178 Header sanity check: OK
D: added key gpg-pubkey-0dfb3188-41ed929b to keyring
D: read h# 2515 Header sanity check: OK
D: added key gpg-pubkey-9c800aca-4be01999 to keyring
D: read h# 79229 Header SHA1 digest: OK (45a1e26d1637acda31e6e5e86346bb96826c387c)
D: added key gpg-pubkey-e2c0098c-51110be7 to keyring
D: read h# 90969 Header SHA1 digest: OK (3bf238baa0085e2a2056fbef8d6a024dc58d650b)
D: added key gpg-pubkey-03579c1d-511a33f2 to keyring
D: read h# 125477 Header SHA1 digest: OK (2701a9ca757a1356dd9741936f1d2e2c5bd1425a)
D: added key gpg-pubkey-c5c219e7-51236685 to keyring
D: read h# 137418 Header SHA1 digest: OK (c8f5fea737ff3dd928e9dbd98f2a9782b0cb3506)
D: added key gpg-pubkey-23b66a9d-3adb5504 to keyring
D: read h# 137419 Header SHA1 digest: OK (be30f6351378c1aad11ff573c3ce8c786bf9e601)
D: added key gpg-pubkey-5e3d7775-42d297af to keyring
D: read h# 185993 Header SHA1 digest: OK (ba39cce3058b779ce090bea6d04ff0eaf74327a0)
D: added key gpg-pubkey-eefefde9-5076c73f to keyring
D: read h# 186555 Header SHA1 digest: OK (2b3e616f8b6524d081cc22a0bb22378670a02454)
D: added key gpg-pubkey-1421fc5a-53b3f6f4 to keyring
D: read h# 187142 Header SHA1 digest: OK (121869ebdc8e8ddf647915a929aa17a985500257)
D: added key gpg-pubkey-3dbdc284-53674dd4 to keyring
D: read h# 189485 Header SHA1 digest: OK (6f1ea6506ef7739d0a139988a310413bb1ccc947)
D: added key gpg-pubkey-c862b42c-5389b0bf to keyring
D: read h# 203280 Header SHA1 digest: OK (2f68ecf40a165a44aec82c10ef586dfb8cf5f72a)
D: added key gpg-pubkey-5df6ed1f-5463416c to keyring
D: read h# 210878 Header SHA1 digest: OK (7bc29a77cc44267e3151fb64abc818de4fd066b7)
D: added key gpg-pubkey-ba684223-54d8c254 to keyring
D: read h# 236314 Header SHA1 digest: OK (efa784d9a788b9c7a2f0d6f951cc706432f6da49)
D: added key gpg-pubkey-c8da93d2-56548fdc to keyring
D: read h# 257530 Header SHA1 digest: OK (f96428a092d5ea0e33eb131fba01bf31fde13573)
D: added key gpg-pubkey-cbdf5e8f-55794d4b to keyring
D: read h# 261950 Header SHA1 digest: OK (9c8638c61cdffc5cdac0b124e13b516fdcb11798)
D: added key gpg-pubkey-629ff0c2-578df563 to keyring
D: read h# 266204 Header SHA1 digest: OK (4cf4178e6c9632189f6815f73288dbbce7196ad3)
D: added key gpg-pubkey-557beff9-57e83d02 to keyring
D: read h# 280740 Header SHA1 digest: OK (9aba47f074e30f91db8a189f13d7a5630a4282f8)
D: added key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 0 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: read h# 280764 Header SHA1 digest: OK (6c4f95af9c75968db1da9516c1c12144d451e910)
D: added key gpg-pubkey-a1912208-446a0899 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: opening db index /var/lib/rpm/Basenames nofsync:0x400 mode=0x0
D: read h# 279125 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
filesystem-13.3-12.1.x86_64
D: closed db index /var/lib/rpm/Packages
D: closed db index /var/lib/rpm/Basenames
D: closed db index /var/lib/rpm/Name
D: closed db environment /var/lib/rpm
That's not a bug. Do not add unsupported keys. Please remove the #168 key (rpm -q --querybynumber 168)

ok - so seems I need to clean out some of the keys..
FTR: it's SUSE's security key:
> rpm -qi gpg-pubkey-3d25d3d9-36e12d04
warning: Unsupported version of key: V3
Name : gpg-pubkey
Version : 3d25d3d9
Release : 36e12d04
Architecture: (none)
Install Date: Tue 06 Jul 2010 07:39:17 AM CEST
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Tue 06 Jul 2010 07:39:17 AM CEST
Build Host : localhost
Relocations : (not relocatable)
Summary : gpg(SuSE Security Team <security@suse.de>)
Description :
Distribution: (none)
So, having an old system obviously accumulates old keys - which causes this kind of warning.
Marcus, do you want to convert the security pubkey to version 4?

Why is this marked as invalid?
Many people such as myself have been upgrading their openSUSE installs for many years and releases, and are likely to have /through no fault of their own/ accumulated many (now deprecated) keys. It seems reasonable to me to provide a mechanism to identify and remove these keys, if they are no longer supported, instead of just grumping about them forever.
100% of the keys that are being grumped about on my system have come from either installs from the OBS or are even older keys installed such as:
- gpg(openSUSE Project Signing Key <opensuse@opensuse.org>)
- gpg(security OBS Project <security@build.opensuse.org>)
- gpg(server:monitoring OBS Project <server:monitoring@build.opensuse.org>)
- gpg(system:snappy OBS Project <system:snappy@build.opensuse.org>)
etc...
Please consider changing this from RESOLVED as INVALID

the mechanism is given in this bugthread. dl also lists the details in his website <http://dominique.leuenberger.net/blog/2017/03/zypper-and-rpm-says-warning-unsupported-version-of-key-v3/>
the error message doesn't derail your installation or upgrade it is just a hint.
remove those/that old opensuse key, preferably
on all my older systems it was always:
rpm -e gpg-pubkey-3d25d3d9-36e12d04
which fixed the issue and removed the v3 notification messages from both rpm and zypper.

I understand that, but I'm not sure you can expect every user (especially less experienced users!) of openSUSE to search for the issue, find this bug (or a post on a forum), and try those steps.

Ludwig:
As this is mostly about our own key: maybe we could obsolete it by openSUSE-release? This would at least clean up for most users.
IIRC, in TW, we have a weak removed for this in place:
zypper info --provides openSUSE-release | grep gpg-pubkey-3d25d3d9-36e12d04
weakremover(gpg-pubkey-3d25d3d9-36e12d04)
might be worthy to add the same on Leap 15 too
this is actually part of
./MANUAL_OBSOLETES/packages:=Pkg: gpg-pubkey-3d25d3d9-36e12d04 1.0 1.0 x86_64
Isn't that used when generating the drop list on Leap?
No but I'll add it manually to openSUSE-release.spec.in
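
Added example, not part of the bug thread and not openSUSE tooling: a shell filter that maps each "Unsupported version of key" warning in `rpm -vv` output to the rpmdb header number read just before it, which is how the `#168` above can be read off the log. The function names are hypothetical, the sample lines are copied from the log in the description, and it assumes the warning always refers to the immediately preceding `read h#` line.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names are hypothetical.

# Reads `rpm -vv` output on stdin and prints "<header-number> <key-version>"
# for every rpmdb header whose key was rejected.
# Assumption: the warning refers to the header read immediately before it.
unsupported_key_headers() {
    awk '
        /^D: read h#/ {                  # e.g. "D: read h# 168 Header ..."
            n = $0
            sub(/^D: read h#[ \t]*/, "", n)   # drop the prefix
            sub(/[^0-9].*$/, "", n)           # keep the leading digits
            last = n
            next
        }
        /^warning: Unsupported version of key:/ {
            if (last != "") print last, $NF   # $NF is the version, e.g. V3
            last = ""
            next
        }
        /^D: added key / { last = "" }   # key accepted: header is fine
    '
}

# Turns the list above into the lookup command used in the thread, printed
# for review rather than executed.
lookup_commands() {
    while read -r hnum _version; do
        printf 'rpm -q --querybynumber %s\n' "$hnum"
    done
}

# Sample input: lines taken from the rpm -vv log in the description.
sample_log() {
    cat <<'EOF'
D: read h# 168 Header sanity check: OK
warning: Unsupported version of key: V3
D: read h# 335 Header sanity check: OK
D: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
D: read h# 390 Header sanity check: OK
D: added key gpg-pubkey-0f2672c8-47965633 to keyring
EOF
}

# On a live system, replace sample_log with: rpm -vv -qf /etc 2>&1
# (2>&1 assumes the debug and warning lines are written to stderr).
sample_log | unsupported_key_headers | lookup_commands
```

The printed query names the `gpg-pubkey-…` package behind the warning, which can then be inspected with `rpm -qi` before deciding whether to remove it with `rpm -e` as described in the thread.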