Bug 406922

Summary:	zypper ref - key signature error - untrusted packages keys whatsoever - zypper unreliable?
Product:	[openSUSE] openSUSE 11.0	Reporter:	andreas bittner <abittner>
Component:	Update Problems	Assignee:	Gabriele Mohr <gs>
Status:	RESOLVED DUPLICATE	QA Contact:	Jiri Srain <jsrain>
Severity:	Normal
Priority:	P5 - None	CC:	zypp-maintainers
Version:	Final
Target Milestone:	---
Hardware:	i386
OS:	openSUSE 11.0
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description andreas bittner 2008-07-07 20:09:38 UTC

hi there,

just did:

------
# zypper ref
Repository 'openSUSE-11.0-Oss' is up to date.
Signature verification failed for content with public key id A84EDAE89C800ACA, S                                                                                    uSE Package Signing Key <build@suse.de>, fingerprint 79C179B2E1C820C1890F9994A84                                                                                    EDAE89C800ACA.
Warning: This might be caused by a malicious change in the file!
Continuing is risky! Continue anyway? [yes/NO]:
-----------

whats happening? somebody set us up the bomb? :/
zypper ref should be much more reliable. dont know what happened. several times retrying "zypper ref" has "solved" (?) this issue. i dont know if my system is clean and receiving all the updates/patches it should.

any logfiles or stuff needed?
thanks for any help.

Comment 1 Jan Kupec 2008-07-08 14:37:07 UTC

Hi, this could be bug 401259, please try to apply updates (zypper lu should show you "Updates for 11.0|libzypp|53|recommended|Needed".

If the bug stays, attach /var/log/zypper.log. This message means some of the signed repository files did not check out. So it's either a bug in PGP key handling or a corrupt repository.

Comment 2 andreas bittner 2008-07-08 18:58:04 UTC

i really dont get this whole zypper system and apparently there seems to be something wrong with yast2 online_update module too:

zypper ref
zypper pchk

tells me:

# zypper ref
Repository 'openSUSE-11.0-Oss' is up to date.
Repository 'openSUSE-11.0-Non-Oss' is up to date.
Repository 'openSUSE-11.0-Updates' is up to date.
All repositories have been refreshed.
# zypper pchk
Reading installed packages...
1 patch needed (1 security patch)

but "yast online_update" comes up with an empty screen:
only when selecting the filter all patches, it tells me about a kernel update with "+" sign infront of it.

filter: needed patches is completely empty :(
filter: unneeded patches is displaying a lot of patches with the smiley ":-)"
and the "a+ kernel Linux Kernel update"

------------
Patch Download and Installation
Progress
Retrieving kernel-source...
Downloading delta RPM ./rpm/i586/kernel-source-2.6.25.5_2.6.25.9-1.1_0.2.i586.delta.rpm OK
Applying delta RPM: /var/cache/zypp/packages/openSUSE-11.0-Updates/rpm/i586/kernel-source-2.6.25.5_2.6.25 ~.9-1.1_0.2.i586.delta.rpm OK Installing ./rpm/i586/kernel-source-2.6.25.9-0.2.i586.rpm: "The Linux Kernel Sources"
Retrieving kernel-pae...Downloading delta RPM ./rpm/i586/kernel-pae-2.6.25.5_2.6.25.9-1.1_0.2.i586.delta.rpm
Applying delta RPM: /var/cache/zypp/packages/openSUSE-11.0-Updates/rpm/i586/kernel-pae-2.6.25.5_2.6.25.9-1.1_0.2.i586.delta.rpm OK
Installing ./rpm/i586/kernel-pae-2.6.25.9-0.2.i586.rpm: "Kernel with PAE Support" OK
--------------

this is very irritating.
even if i stay in the empty "needed patches" screen and select "accept" it starts to work on the kernel update, even though for the normal sane user it would mean that there is nothing to do.

if i remember correctly, this has happened to me several times before on this opensuse 11.0 system. i was getting empty screens and though okay, theres nothing to do, and once accidentally selected accept instead of close or what the other option is, and was wondering why it was still working on patches.

i am really wondering if and when or why and why not the whole zypper front-end/backend(s) and the yast2 online_update module can be made really consistent and trustworthy and dependable.

it seems quite a mess at the moment. i used to use online_update in ncurses/textmode all the time in the past opensuse versions, but even this seems to be pretty unstable and misleading it seems.

Comment 3 Marcus Meissner 2008-07-08 20:29:49 UTC

the signature problem is unrelated to the empty patch screen.

a signature problem really only happens if something is not in sync... in these cases try zypper ref again after 10 minutes or so.

as for the empty screen, no idea

Comment 4 Michael Schröder 2008-07-09 12:43:45 UTC

The empty patch screen seems to be a bug in the ncurses view.

Comment 5 Michael Schröder 2008-07-09 12:45:27 UTC

Just use 'yast2 online_update' instead of 'yast online_update' to get the graphical view.

Comment 6 Jan Kupec 2008-07-09 14:06:54 UTC

so back to comment #1. Is this still happening after doing 'zypper up'?

Comment 7 andreas bittner 2008-07-09 14:16:30 UTC

my system seems to be okay at the moment:

how it probably started: normally i use "yast online_update" in simple ssh/textmode login (putty on windows for example).

online_update installed some patches even though that screen was empty. right after the online_update was finished, i was doing a zypper ref and that was the time when those corrupted signature errors occured.


at the moment it tells me:

# zypper pch
Reading installed packages...
Catalog               | Name               | Version | Category    | Status
----------------------+--------------------+---------+-------------+---------------
openSUSE-11.0-Updates | KDE4-fixes         | 38      | recommended | Installed
openSUSE-11.0-Updates | MozillaFirefox     | 50      | recommended | Installed
openSUSE-11.0-Updates | MozillaFirefox     | 70      | recommended | Installed
openSUSE-11.0-Updates | NetworkManager-kde | 49      | recommended | Installed
openSUSE-11.0-Updates | aaa_base           | 45      | recommended | Installed
openSUSE-11.0-Updates | apache2-mod_php5   | 61      | security    | Installed
openSUSE-11.0-Updates | autoyast2          | 37      | recommended | Installed
openSUSE-11.0-Updates | boost              | 58      | recommended | Installed
openSUSE-11.0-Updates | clamav             | 44      | security    | Not Applicable
openSUSE-11.0-Updates | compiz-kde4        | 59      | recommended | Installed
openSUSE-11.0-Updates | courier-authlib    | 42      | security    | Not Applicable
openSUSE-11.0-Updates | freetype2          | 41      | security    | Installed
openSUSE-11.0-Updates | geronimo           | 71      | recommended | Not Applicable
openSUSE-11.0-Updates | insserv            | 47      | recommended | Installed
openSUSE-11.0-Updates | kernel             | 67      | security    | Installed
openSUSE-11.0-Updates | libpng-devel       | 66      | security    | Installed
openSUSE-11.0-Updates | libpoppler-devel   | 77      | security    | Installed
openSUSE-11.0-Updates | libzypp            | 53      | recommended | Installed
openSUSE-11.0-Updates | licq               | 76      | recommended | Not Applicable
openSUSE-11.0-Updates | mercurial          | 75      | security    | Not Applicable
openSUSE-11.0-Updates | nautilus           | 52      | recommended | Installed
openSUSE-11.0-Updates | nspluginwrapper    | 56      | recommended | Installed
openSUSE-11.0-Updates | opera              | 43      | security    | Not Applicable
openSUSE-11.0-Updates | pcre               | 54      | security    | Installed
openSUSE-11.0-Updates | squid              | 69      | security    | Installed
openSUSE-11.0-Updates | storage-fixup      | 64      | optional    | Not Applicable
openSUSE-11.0-Updates | suspend            | 40      | recommended | Installed
openSUSE-11.0-Updates | timezone           | 46      | recommended | Installed
openSUSE-11.0-Updates | tomcat6            | 68      | security    | Not Applicable
openSUSE-11.0-Updates | vsftpd             | 39      | recommended | Installed
openSUSE-11.0-Updates | xorg-x11           | 65      | recommended | Installed
openSUSE-11.0-Updates | xorg-x11-Xvnc      | 36      | security    | Installed
openSUSE-11.0-Updates | yast2-gtk          | 62      | recommended | Not Applicable
openSUSE-11.0-Updates | yast2-qt-pkg       | 63      | recommended | Installed


--------------

how about this ncurses bug? is it correct to say that ncurses is the textmode (non-graphical, non-kde, non-gnome) way to use yast?

i most of the times only have text-mode access to certain opensuse systems. thats why i use "yast online_update".

if there is a bug in this text-mode display of yast showing empty screens even though there are applicable patches, then please fix that.

what i am wondering about is still, that you guys say that "yast" and "yast2" are different things, but this seems to differ from my experience:

content of /sbin/ tells me:
-------
lrwxrwxrwx  1 root root        5 Jun 19 21:54 zast2 -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 zast -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 yast -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 ZaST2 -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 ZaST -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 YaST2 -> yast2
lrwxrwxrwx  1 root root        5 Jun 19 21:54 YaST -> yast2

-------

it all seems to the the same stuff. any mistakes here?
thanks.

Comment 8 Michael Schröder 2008-07-09 14:40:03 UTC

(It's the same binary, but it behaves different if it's called with different names. Same with /bin/sh which points to /bin/bash, but it puts the shell in posix mode)

Anyway reassigned to Gabi, CC Katarina, so that the ncurses bug gets fixed.

Comment 9 Katarina Machalkova 2008-07-09 14:55:56 UTC

If I understand this correctly, this ticket is about some patches not being visible in 'needed patches' filter in text-mode online update. 
That is known issue (thus, a duplicate) and will be fixed for 11.0 by releasing online update.

*** This bug has been marked as a duplicate of bug 405932 ***

Comment 10 andreas bittner 2008-07-09 15:26:46 UTC

yes thanks for the pointer to the other earlier bugreport.
cheers :)