Bug 954274

Summary: libzypp does not offer key acceptance import on RPM based signatures (flash-plugin fails integrity check on download)
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Forgotten User xs3PtXj4XH <forgotten_xs3PtXj4XH>
Component: libzypp
Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P4 - Low
CC: bzeller, chcao, meissner, ncutler
Version: Current
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 42.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User xs3PtXj4XH 2015-11-09 15:06:59 UTC
Trying to install the Flash plugin for Firefox through YaST gives an error message at the end of the download process saying that an integrity check failed for the package. Either the download is corrupt or the checksum is wrong, I suspect.
Comment 1 Marcus Meissner 2015-11-09 21:08:14 UTC
We are not shipping the Flash plugin with Leap.

You will need to import the Adobe key if you use Adobe's repository.
Comment 3 Forgotten User xs3PtXj4XH 2015-11-11 10:51:57 UTC
OK, it looks like when I added the Adobe repository, I was not given the option to trust the signing key like I was with Nvidia and Packman repos. Is there any reason this did not occur? Is it deliberate that I have to find and manually import the GPG key for the repo?
Comment 4 Marcus Meissner 2015-11-11 11:00:03 UTC
The problem is that the repository is not signed.

The RPMs are signed.

libzypp currently does not handle this case with a feedback question.

Michael, this http://linuxdownload.adobe.com/linux/x86_64/

We should probably do an import there somehow, not sure if it is possible.
Comment 5 Michael Andres 2015-11-11 12:14:55 UTC
(In reply to Marcus Meissner from comment #4)
> Michael, this http://linuxdownload.adobe.com/linux/x86_64/
  You don't have permission to access /linux/x86_64/ on this server.

We currently just offer to import the key that is used to sign the metadata.

No matter whether the repo metadata are signed or not, we'd need a way to offer additional keys used to sign packages in the repo. Where shall those keys come from?

The susetags content file has a KEY section, and we at least download the gpg-pubkeys listed there. Rpmmd's repomd.xml by now has nothing like this; we'd need a similar section for additional keys to download. If we have a way to make those keys available on a system, we could make zypper ask whether to import those additional keys as well.
Comment 6 Nathan Cutler 2017-08-11 21:42:29 UTC
Comment 5 sounds like this is WONTFIX, so closing accordingly. Reopen against a supported version of openSUSE to keep the bug alive.
Comment 7 Michael Andres 2017-08-14 12:07:14 UTC
No, comment #5 says it's not yet solved.
Comment 8 Benjamin Zeller 2019-01-28 16:31:28 UTC
This was already fixed; we now support the gpgkey field in repo files, which can be used to specify signing keys.
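As an added illustration of the fix described in comment 8 (this is a constructed example, not a file from the bug report or from libzypp itself), a repo file for the situation in this bug: the repository metadata is unsigned but the packages are, so the package-signing key is declared through the gpgkey field and libzypp can offer to import it instead of failing the integrity check. The repository URL, key URL and alias are placeholders.

```ini
# /etc/zypp/repos.d/example-pkg-signed.repo  (constructed example, placeholder URLs)
[example-pkg-signed]
name=Example repository with signed packages but unsigned metadata
enabled=1
autorefresh=1
type=rpm-md
baseurl=https://repo.example.invalid/linux/x86_64/
# Public key used to sign the packages. libzypp downloads it and asks
# whether to trust it, so no manual "rpm --import" is needed.
gpgkey=https://repo.example.invalid/keys/example-signing-key.asc
# Keep signature checking enabled; with an unsigned repomd.xml the
# package signatures are what actually protect the download.
gpgcheck=1
```

Once the key has been accepted, it shows up among the installed gpg-pubkey packages (`rpm -q gpg-pubkey`), and any package whose signature does not match a trusted key is still rejected at install time.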