Bug 1036659

Summary: PackageKit deletes KDE:Extra repo gpg key
Product: [openSUSE] openSUSE Tumbleweed Reporter: Maximilian Trummer <opensuse>
Component: libzypp Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: alexvkaam, dimstar, fvogt, ma, mail, maint-coord, meissner, wbauer, zypp-maintainers
Version: Current   
Target Milestone: ---   
Hardware: x86-64   
OS: SUSE Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: packagekit log, line 95 shows "Deleted key 20F8C4F40D210A40", which is the KDE:Extra repo key

Description Maximilian Trummer 2017-04-27 19:37:55 UTC
Created attachment 723027
packagekit log, line 95 shows "Deleted key 20F8C4F40D210A40", which is the KDE:Extra repo key

PackageKit deletes the gpg key for the KDE:Extra repo upon refreshing its cache.

See also here:
https://forums.opensuse.org/showthread.php/523966-PackageKit-deletes-gpg-key
http://lists.opensuse.org/opensuse-factory/2017-04/msg00053.html
Comment 1 Wolfgang Bauer 2017-04-27 23:01:27 UTC
PackageKit is not a KDE Application, it's maintained by the GNOME team.
Comment 2 Dominique Leuenberger 2017-04-28 12:22:24 UTC
@Jonathan: I suspect the latest patch addition to be responsible here.

especially
+               // keys no longer stored in the rpmdb need to be removed from the zypp keyring!
+               for (const PublicKeyData &el : zypp->keyRing ()->trustedPublicKeyData ())
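Review bot: the loop header walks every entry of trustedPublicKeyData() with removal as the stated goal, but nothing in these lines says which attribute decides that a key is "no longer stored in the rpmdb". A wrong verdict here drops a trusted repo signing key, so the comment should name the field being compared, the comparison should use the full key id or fingerprint, and each key should be logged before it is removed.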
Comment 3 Jonathan Kang 2017-05-19 03:24:58 UTC
(In reply to Dominique Leuenberger from comment #2)
> @Jonathan: I suspect the latest patch addition to be responsible here.
> 
> especially
> +               // keys no longer stored in the rpmdb need to be removed
> from the zypp keyring!
> +               for (const PublicKeyData &el : zypp->keyRing
> ()->trustedPublicKeyData ())

That code was written based on the demo provided in bug#899755 by
Michael Andres. I didn't understand every piece of that code.

@Michael
Could you please help take a look at this?

Thanks.
Comment 4 Michael Andres 2017-05-19 08:48:23 UTC
This will need some more investigation, and I need to get the build key (0D210A40).

Authority for the trusted gpg keys is the rpm database, so the zypp trusted keyring must be in sync with the keys stored in the rpm database (the gpg-pubkey pseudo packages).

> [zypp] RpmDb.cc(syncTrustedKeys):966 Going to sync trusted keys...
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-0d210a40-581257c6 R_
>                                                      ^^^^^^^^^^^^^^^^^
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-307e3d54-4be01a65 R_
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-3dbdc284-53674dd4 R_
> [zypp] RpmDb.cc(syncTrustedKeys):970 Rpm keys to export into zypp trusted keyring: 3
> [zypp] RpmDb.cc(syncTrustedKeys):971 Zypp trusted keys to import into rpm database: 0
> [zypp] RpmDb.cc(syncTrustedKeys):977 Exporting rpm keyring into zypp trusted keyring

The initial sync finds key 0d210a40 (creation time -581257c6) in the rpm database. After import into the gpg keyring, the creation time changed to '-581257c7':

> Found keys: {
>    [20F8C4F40D210A40-581257c7] [KDE:Extra OBS Project <KDE:Extra@build.opensuse.org>]
>                            ^^
>    [B88B2FD43DBDC284-53674dd4] [openSUSE Project Signing Key <opensuse@opensuse.org>]
>    [E3A5C360307E3D54-4be01a65] [SuSE Package Signing Key <build@suse.de>]
> }

It almost looks like the key in PK's trusted zypp keyring (from a previous sync) is 1 second newer than the one now in the rpm database. This is where the trouble starts.

> [zypp++] RpmDb.cc(updateIf):909 Old key in Z: gpg-pubkey-0d210a40-581257c6
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-0d210a40-581257c7 _Z
>                                             in Zypp but not in Rpm: ^^ ^^
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-307e3d54-4be01a65 RZ
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-3dbdc284-53674dd4 RZ

PK's attempt to remove ....c7 from the keyring is correct.
But it also leads to removal of the older ....c6 in the rpm database, which is a zypp issue (no matter if the 1 second difference is real (2 keys) or due to rpm/zypp/gpg computing the creation time differently).


Anyway, these key handling details are nothing PK should care about. I'll add some method to target->rpmDb(), which will load the rpmdb trusted keys in a manner sufficient for this use case. Then you will just have to call this method and the details go into libzypp.
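The R_/_Z/RZ state that comment 4 reads out of the log, reproduced as an added C++ example (a simplified model, not libzypp or PackageKit code). `KeyEdition`, `keySet`, `syncTags`, `idsToDrop` and the `guard` check are hypothetical names; the two key sets are constructed from the package names in the quoted log.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Simplified model, not libzypp code. A key edition is named like the
// gpg-pubkey pseudo packages in the log: gpg-pubkey-<short id>-<created hex>.
struct KeyEdition {
    std::string id;
    std::uint32_t created;
    bool operator<(const KeyEdition &o) const { return id != o.id ? id < o.id : created < o.created; }
};
using KeySet = std::set<KeyEdition>;

KeySet keySet(const std::vector<std::string> &names) {
    KeySet s;
    for (const auto &n : names)  // "gpg-pubkey-" is 11 chars; created follows the last '-'
        s.insert(KeyEdition{n.substr(11, n.rfind('-') - 11),
                            std::uint32_t(std::stoul(n.substr(n.rfind('-') + 1), nullptr, 16))});
    return s;
}
// Tag every edition the way the computeKeyRingSync log lines do: R_, _Z or RZ.
std::map<KeyEdition, std::string> syncTags(const KeySet &rpm, const KeySet &zypp) {
    std::map<KeyEdition, std::string> tags;
    for (const auto &k : rpm) tags[k] = zypp.count(k) ? "RZ" : "R_";
    for (const auto &k : zypp) if (!rpm.count(k)) tags[k] = "_Z";
    return tags;
}
// Short ids a sync would drop from the zypp keyring. With guard=true (a
// hypothetical check) an id rpm still trusts under another creation time is kept.
std::vector<std::string> idsToDrop(const KeySet &rpm, const KeySet &zypp, bool guard) {
    std::set<std::string> rpmIds;
    for (const auto &k : rpm) rpmIds.insert(k.id);
    std::vector<std::string> drop;
    for (const auto &e : syncTags(rpm, zypp))
        if (e.second == "_Z" && !(guard && rpmIds.count(e.first.id))) drop.push_back(e.first.id);
    return drop;
}
// Constructed from the package names in the log quoted in comment 4.
const KeySet kRpm = keySet({"gpg-pubkey-0d210a40-581257c6", "gpg-pubkey-307e3d54-4be01a65",
                            "gpg-pubkey-3dbdc284-53674dd4"});
const KeySet kZypp = keySet({"gpg-pubkey-0d210a40-581257c7", "gpg-pubkey-307e3d54-4be01a65",
                             "gpg-pubkey-3dbdc284-53674dd4"});
int main() {
    for (const auto &e : syncTags(kRpm, kZypp)) std::cout << e.first.id << ' ' << e.second << '\n';
    std::cout << idsToDrop(kRpm, kZypp, false).size() << " vs " << idsToDrop(kRpm, kZypp, true).size() << '\n';
}
```

A one-second disagreement on the creation time is enough to split one key into an R_ and a _Z edition, and any removal keyed on the short id then hits the edition rpm still trusts.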
Comment 5 Fabian Vogt 2017-07-05 10:49:06 UTC
Ping.

This seems to happen for other repos as well.
Comment 6 Fabian Vogt 2017-07-05 10:49:24 UTC
*** Bug 1047285 has been marked as a duplicate of this bug. ***
Comment 7 Michael Andres 2017-07-06 10:48:52 UTC
*** Bug 1047285 IS NO DUPLICATE of this bug. ***
Comment 8 Michael Andres 2017-07-19 09:52:14 UTC
I'm taking the bug. It's definitely a zypp problem and nothing Pk can work around.
Comment 9 Michael Andres 2017-07-21 09:59:32 UTC
Libzypp and rpm disagreed on the key's creation time. Fixed in libzypp-16.15.2.
Comment 10 Dieter Nützel 2017-08-14 00:35:57 UTC
(In reply to Michael Andres from comment #9)
> Libzypp and rpm disagreed on the keys creation time. Fixed in
> libzypp-16.15.2.

Can't find this version in _current_ Tumbleweed (openSUSE-release-20170810-1.4).
When will this arrive?

Thanks,
Dieter
Comment 11 Michael Andres 2017-08-14 10:48:34 UTC
Friday I submitted 16.15.3, maybe this superseded the pending update.
Comment 12 Dieter Nützel 2017-08-19 01:26:14 UTC
Finally upstream. --- Thank you!
Could be CLOSED.

Dieter
Comment 13 Swamp Workflow Management 2017-08-25 16:23:54 UTC
SUSE-SU-2017:2264-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-devel-doc-3.2.4-2.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-3.2.4-2.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-3.2.4-2.3.1
Comment 14 Swamp Workflow Management 2017-09-02 16:10:13 UTC
openSUSE-SU-2017:2335-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
openSUSE Leap 42.3 (src):    libzypp-16.15.3-9.1, yast2-pkg-bindings-3.2.4-4.1, yast2-pkg-bindings-devel-doc-3.2.4-4.1
Comment 15 Swamp Workflow Management 2017-09-14 19:15:19 UTC
SUSE-SU-2017:2470-1: An update that solves 18 vulnerabilities and has 46 fixes is now available.

Category: security (important)
Bug References: 1004995,1009745,1014471,1017420,1019637,1026825,1027079,1027688,1027908,1028281,1028723,1029523,1031756,1032706,1033236,1035062,1036659,1038132,1038444,1038984,1042392,1043218,1043333,1044095,1044107,1044175,1044840,1045384,1045735,1045987,1046268,1046417,1046659,1046853,1046858,1047008,1047236,1047240,1047310,1047379,1047785,1047964,1047965,1048315,1048483,1048605,1048679,1048715,1049344,1050396,1050484,1051626,1051643,1051644,1052030,1052759,1053409,874665,902364,938657,944903,954661,960820,963041
CVE References: CVE-2013-7459,CVE-2016-9063,CVE-2017-1000100,CVE-2017-1000101,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464,CVE-2017-7435,CVE-2017-7436,CVE-2017-8872,CVE-2017-9233,CVE-2017-9269
Sources used:
SUSE Container as a Service Platform ALL (src):    caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3, container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3, sles12-mariadb-docker-image-1.1.0-2.3.10, sles12-pause-docker-image-1.1.0-2.3.11, sles12-pv-recycler-node-docker-image-1.1.0-2.3.10, sles12-salt-api-docker-image-1.1.0-2.3.9, sles12-salt-master-docker-image-1.1.0-4.3.10, sles12-salt-minion-docker-image-1.1.0-2.3.8, sles12-velum-docker-image-1.1.0-4.3.9
Comment 16 Swamp Workflow Management 2017-10-27 01:10:00 UTC
SUSE-SU-2017:2861-1: An update that solves three vulnerabilities and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1005063,1008325,1009269,1012523,1025176,1028485,1032680,1036659,1042781,1045628,1045735,1050767,1050943,1054028,1054088,1054671,1055920,1056995,1060653,1061876,1063824,903543,978055,998893,999878
CVE References: CVE-2017-1000254,CVE-2017-1000257,CVE-2017-11462
Sources used:
SUSE Container as a Service Platform ALL (src):    sles12-mariadb-docker-image-1.1.0-2.5.19, sles12-pause-docker-image-1.1.0-2.5.21, sles12-pv-recycler-node-docker-image-1.1.0-2.5.19, sles12-salt-api-docker-image-1.1.0-2.5.19, sles12-salt-master-docker-image-1.1.0-4.5.18, sles12-salt-minion-docker-image-1.1.0-2.5.18, sles12-velum-docker-image-1.1.0-4.5.18
Comment 20 Swamp Workflow Management 2018-01-18 23:08:58 UTC
SUSE-RU-2018:0138-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1008325,1036659,1043218,1064999,1068708,1071466,969569
CVE References: 
Sources used:
SUSE OpenStack Cloud 6 (src):    libzypp-15.25.6-46.9.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libzypp-15.25.6-46.9.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libzypp-15.25.6-46.9.1
Comment 21 Swamp Workflow Management 2018-05-16 19:08:02 UTC
SUSE-RU-2018:1307-1: An update that has 10 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1008325,1033236,1036659,1038132,1043218,1068708,1074687,1076415,1079334,637791
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    libzypp-14.45.10-2.73.1, zypper-1.11.66-2.64.1