Bug 1187224

Summary: installing 3rd party package shows only short keyid
Product: [openSUSE] openSUSE Distribution
Reporter: Adam Majer <amajer>
Component: libzypp
Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P2 - High
CC: bzeller, security-team
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Adam Majer 2021-06-11 11:09:04 UTC
When installing a 3rd party package, like the zoom client, Yast2 only shows:

Error: INVALID:zoom-5.6.22045.0607_openSUSE-1.x86_64 (file-7df0530c): Signature verification failed [4-Signatures public key is not available]
    Header V4 RSA/SHA1 Signature, key ID 61a7c71d: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK

On the zoom website,

https://zoom.us/download

Zoom's rpm packages are signed with a GPG key. Please run "rpm --import package-signing-key.pub" to import the key in case package management utility asks for a missing public key.
Download Public Key

Key fingerprint: 3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D


Since it's been shown a long time ago that 32-bit keyids are completely insecure, it would be beneficial to actually show the entire key fingerprint in this window so end users can verify it manually.

The only way around it is to import the signing key.
Comment 1 Ladislav Slezák 2021-06-11 14:53:31 UTC
That error message is completely generated by libzypp, YaST only displays it. I guess "zypper" is also affected.

Reassigning to the libzypp team.
Comment 2 Michael Andres 2021-06-29 09:44:09 UTC
(In reply to Adam Majer from comment #0)
> When installing 3rd party package, like zoom client, Yast2 only shows,
> 
> Error: INVALID:zoom-5.6.22045.0607_openSUSE-1.x86_64 (file-7df0530c):
> Signature verification failed [4-Signatures public key is not available]
>     Header V4 RSA/SHA1 Signature, key ID 61a7c71d: NOKEY
>     Header SHA1 digest: OK
>     MD5 digest: OK
> Since it's been shown long time ago that 32bit keyids are completely
> insecure, it would be beneficial to actually show the entire Key fingerprint
> in this window so end users can verify it manually.


Actually it's the output of rpm's package signature verification. 
rpm just prints the short ID:

> # rpm -K -v pam-config-1.1-lp152.1.5.x86_64.rpm
> pam-config-1.1-lp152.1.5.x86_64.rpm:
>     Header V3 RSA/SHA256 Signature, key ID 3dbdc284: NOKEY
>     Header SHA1 digest: OK
>     Header SHA256 digest: OK
>     Payload SHA256 digest: OK
>     V3 RSA/SHA256 Signature, key ID 3dbdc284: NOKEY
>     MD5 digest: OK


We'll try to get the full fingerprint out of the package and replace it in the output then.
Comment 3 Benjamin Zeller 2021-07-22 08:18:09 UTC
Libzypp >= 17.27.1 will show the long key IDs if they are available from the RPM headers.
Comment 4 Michael Andres 2021-07-22 08:24:48 UTC
This should actually be fixed in rpm. But as long as rpm reports just the shortID, we get the signing key's longID out of the .rpm header and substitute it in the message. (The full FPR is not available in the rpm.)

Note that retrieving and reading the .rpm header is expensive, so we do this just in case of an error (missing Key, bad signature). If rpm successfully verified the signature, we leave the shortID in the report.
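As an added example (not libzypp or rpm code), the following Python derives the 64-bit and 32-bit key IDs from the vendor fingerprint quoted in comment #0 and cross-checks the key ID in the rpm output against it. For a V4 OpenPGP key the key ID is the low-order bits of the fingerprint, so rpm's short ID lets a user confirm only 32 of 160 bits, while the long ID libzypp now substitutes confirms 64; the function names and the copied rpm output are constructed for this illustration.

```python
import re

# Fingerprint published on the vendor's download page (quoted in comment #0).
ZOOM_FPR = "3960 60CA DD8A 7522 0BFC B369 B903 BF18 61A7 C71D"

# Constructed copy of the rpm/YaST output quoted in comment #0.
RPM_OUTPUT = """\
    Header V4 RSA/SHA1 Signature, key ID 61a7c71d: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK
"""

# rpm prints 8 hex digits; libzypp >= 17.27.1 substitutes a 16-digit long ID.
KEYID_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]{16}|[0-9a-fA-F]{8}): (\w+)")


def normalize_fpr(fpr: str) -> str:
    """Strip spacing from a printed fingerprint; require a 160-bit V4 one."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fpr).lower()
    if len(hex_only) != 40:
        raise ValueError("expected a 40-hex-digit OpenPGP V4 fingerprint")
    return hex_only


def long_keyid(fpr: str) -> str:
    """64-bit key ID: the low-order 16 hex digits of a V4 fingerprint."""
    return normalize_fpr(fpr)[-16:]


def short_keyid(fpr: str) -> str:
    """32-bit key ID as printed by rpm: the low-order 8 hex digits."""
    return normalize_fpr(fpr)[-8:]


def rpm_keyids(output: str) -> list:
    """Extract (key_id, status) pairs from rpm -K -v style signature lines."""
    return [(m.group(1).lower(), m.group(2)) for m in KEYID_RE.finditer(output)]


def check_against_fingerprint(output: str, trusted_fpr: str) -> list:
    """Compare each key ID in the rpm output with the trusted fingerprint.

    Verdicts: 'match-64bit' (long ID agrees), 'match-32bit-only' (only the
    short ID could be checked, the gap this bug is about) or 'mismatch'.
    """
    verdicts = []
    for key_id, status in rpm_keyids(output):
        if len(key_id) == 16 and key_id == long_keyid(trusted_fpr):
            verdicts.append((key_id, status, "match-64bit"))
        elif len(key_id) == 8 and key_id == short_keyid(trusted_fpr):
            verdicts.append((key_id, status, "match-32bit-only"))
        else:
            verdicts.append((key_id, status, "mismatch"))
    return verdicts
```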
Comment 7 Swamp Workflow Management 2021-10-22 13:18:31 UTC
openSUSE-RU-2021:3501-1: An update that has 15 recommended fixes and contains two features can now be installed.

Category: recommended (moderate)
Bug References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
CVE References: 
JIRA References: ECO-2911,SLE-16862
Sources used:
openSUSE Leap 15.3 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
Comment 8 Swamp Workflow Management 2021-10-22 13:23:24 UTC
SUSE-RU-2021:3501-1: An update that has 15 recommended fixes and contains two features can now be installed.

Category: recommended (moderate)
Bug References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
CVE References: 
JIRA References: ECO-2911,SLE-16862
Sources used:
SUSE MicroOS 5.1 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE MicroOS 5.0 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libsolv-0.7.20-9.2, protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    libsolv-0.7.20-9.2, protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Installer 15-SP2 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-11-24 02:22:09 UTC
SUSE-RU-2021:3780-1: An update that has 31 recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
CVE References: 
JIRA References: SLE-18858
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise Installer 15 (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-11-24 02:31:37 UTC
SUSE-RU-2021:3781-1: An update that has 31 recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
CVE References: 
JIRA References: SLE-18858
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Installer 15-SP1 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Enterprise Storage 6 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE CaaS Platform 4.0 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.