Bug 977673

Summary: Two signature repomd.xml.asc signature verification failure
Product: [openSUSE] openSUSE Distribution
Reporter: Jason Mader <jmader2>
Component: libzypp
Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED WONTFIX
QA Contact: E-mail List <qa-bugs>
Severity: Minor
Priority: P5 - None
CC: mpluskal
Version: Leap 42.1
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jason Mader 2016-04-28 14:35:18 UTC
Encountered this on Google Chrome's latest repomd.xml.asc signature. There are now two keys signing the package, and zypper has an issue with it.

$ gpg --verify repomd.xml.asc repomd.xml
gpg: Signature made Wed Apr 27 17:52:47 2016 EDT using DSA key ID 7FAC5991
gpg: Good signature from "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
gpg: Signature made Wed Apr 27 17:52:47 2016 EDT using RSA key ID 640DB551
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 3B06 8FB4 789A BE4A EFA3  BB49 1397 BC53 640D B551

rpmkeys already had DSA key ID 7FAC5991, but not the new RSA key ID 640DB551. It looks like Google signed 640DB551 with 7FAC5991. So on zypper refresh,

Retrieving repository 'google-chrome' metadata -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'google-chrome'.
Warning: This might be caused by a malicious change in the file!
Continuing might be risky. Continue anyway? [yes/no] (no): no
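The two-signature situation in the report, as an added example that is not code from the bug or from libzypp: a minimal OpenPGP packet walker that lists the issuer key ID and public-key algorithm of every signature in a detached ASCII-armored repomd.xml.asc and flags the signatures whose issuer is absent from the local keyring, which is the condition zypper hit here. The armored input is constructed in the block from the key IDs in the gpg output above (all function names are the example's own); it checks packet layout only and verifies no cryptography.

```python
import base64, struct

TAG_SIGNATURE, SUBPKT_ISSUER = 2, 16                        # RFC 4880 signature packet tag / issuer subpacket type
PK_ALGO = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # public-key algorithm IDs seen in signature packets
def dearmor(text):   # strip ASCII armor; armor header lines and the CRC24 line are dropped (CRC not checked here)
    inner = text.split("-----BEGIN PGP SIGNATURE-----", 1)[1].split("-----END PGP SIGNATURE-----", 1)[0]
    return base64.b64decode("".join(l.strip() for l in inner.splitlines() if ":" not in l and not l.strip().startswith("=")))
def _newlen(buf, i):   # new-format packet/subpacket length at buf[i] -> (length, index just after it)
    l = buf[i]
    if l < 192: return l, i + 1
    if l < 224: return ((l - 192) << 8) + buf[i + 1] + 192, i + 2
    if l == 255: return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not handled")
def packets(data):   # yield (tag, body) per packet; gpg writes signature packets with old-format headers
    i = 0
    while i < len(data):
        c = data[i]
        if c & 0x40:                                            # new-format header
            tag, (length, i) = c & 0x3F, _newlen(data, i + 1)
        else:                                                   # old-format header: length-type in low 2 bits
            n = (1, 2, 4, 0)[c & 3]
            if not n: raise ValueError("indeterminate length is not handled")
            tag, length, i = (c >> 2) & 0x0F, int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length
def parse_signature(body):   # issuer key ID and algorithm of one v4 signature packet (RFC 4880 5.2.3)
    if body[0] != 4: raise ValueError("only v4 signatures are handled")
    hl = struct.unpack(">H", body[4:6])[0]                      # hashed subpacket area length
    ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]            # unhashed subpacket area length
    issuer, i, sub = None, 0, body[6:6 + hl] + body[8 + hl:8 + hl + ul]
    while i < len(sub):
        l, i = _newlen(sub, i)                                  # subpacket length counts the type byte
        if sub[i] == SUBPKT_ISSUER: issuer = sub[i + 1:i + l].hex().upper()
        i += l
    return {"algo": PK_ALGO.get(body[2], str(body[2])), "issuer": issuer}
def signatures_in(armored):
    return [parse_signature(b) for t, b in packets(dearmor(armored)) if t == TAG_SIGNATURE]
def unknown_issuers(armored, keyring):   # signatures by keys the keyring lacks: the case that tripped zypper
    return [s for s in signatures_in(armored) if s["issuer"] not in keyring]
def make_sig(algo, issuer_hex):   # constructed minimal v4 signature packet: real layout, no signature MPIs
    sub = bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(issuer_hex)          # 9 = type byte + 8-byte key ID
    body = bytes([4, 0, algo, 8, 0, 0]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00"
    return bytes([0x80 | (TAG_SIGNATURE << 2), len(body)]) + body        # old-format header, 1-byte length
def armor(raw):   # constructed armor; the "=crc0" line stands in for the CRC24, which dearmor() ignores
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n=crc0\n-----END PGP SIGNATURE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
# Constructed stand-in for the report's two-signature repomd.xml.asc: the long key IDs are the last 16 hex digits
# of the fingerprints in the gpg output above (DSA primary ...7FAC5991, RSA signing subkey ...640DB551).
SAMPLE_ASC = armor(make_sig(17, "A040830F7FAC5991") + make_sig(1, "1397BC53640DB551"))
KEYRING = {"A040830F7FAC5991"}                              # what rpmkeys held before the new RSA key was imported
```

Running `unknown_issuers(SAMPLE_ASC, KEYRING)` reports only the RSA signature, which is the key that had to be imported for the repository to refresh cleanly.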

Comment 1 Tomáš Chvátal 2018-04-13 15:16:01 UTC
This is automated batch bugzilla cleanup.

openSUSE 42.1 changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
openSUSE, or you can still observe it under openSUSE Leap 15.0, please
feel free to reopen this bug against that version (see the "Version"
component in the bug fields), or alternatively open
a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime