Where does zypper install the repository or package signing keys?

On the openSuSE forums, user Robi Listas gave the start of an answer which I finished. Here is the summary:

Zypper does not expose the location of the keys, but the repository key files on openSuSE are in /var/cache/zypp/raw/*/repodata where * is the alias name of a repository from the list you can get through zypper repos.

I wrote a small bash repomd_test.sh script based on a script by Tojaj that you can call like this for each repodata directory:

for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done

Each of those directories has three files:

  • repomd.xml: the signed repository file (this is XML)
  • repomd.xml.asc: ASCII "armor" signature of repomd.xml
  • repomd.xml.key: ASCII public key used to create the repomd.xml.asc signature

The script creates a temporary keyring directory for GnuPG.

Then for the repodata, it adds the repomd.xml.key to the keyring, then verifies that the repomd.xml indeed corresponds to the repomd.xml.asc signature and prints the fingerprint and meta information (like expiration).
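The procedure the answer describes (temporary keyring, import of repomd.xml.key, verification of repomd.xml against repomd.xml.asc, fingerprint and expiry printed), as an added example. This is my own script, not the repomd_test.sh from the answer nor Tojaj's script; it assumes gpg, awk and mktemp are installed and uses the three file names listed above. The file check is kept in its own function so it can be exercised without gpg:

```shell
#!/bin/sh
# repomd_check.sh (added example, not the answer's repomd_test.sh):
# verify each repodata directory's repomd.xml against repomd.xml.asc using the
# public key shipped in repomd.xml.key, inside a throwaway GnuPG home so the
# caller's ~/.gnupg is never touched. Requires gpg, awk and mktemp.

# Return 0 when a repodata directory carries all three files described above.
repodata_complete() {
    [ -f "$1/repomd.xml" ] && [ -f "$1/repomd.xml.asc" ] && [ -f "$1/repomd.xml.key" ]
}

# Print "fpr=... created=... expires=..." for each primary key in a GnuPG home.
# With --with-colons the 'pub' record carries the creation date in field 6 and
# the expiry in field 7 (empty when the key never expires); the 'fpr' record
# that follows it carries the full fingerprint in field 10. Subkey fingerprints
# are skipped so the dates printed always belong to the primary key.
key_summary() {
    gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null \
      | awk -F: '$1 == "pub" { c = $6; e = $7; want = 1 }
                 $1 == "fpr" && want { printf "fpr=%s created=%s expires=%s\n",
                                              $10, c, (e == "" ? "never" : e); want = 0 }'
}

# Verify one repodata directory. Exit status: 0 good signature, 2 files
# missing, 3 key import failed, otherwise gpg's own non-zero status.
verify_repodata() {
    d="$1"
    if ! repodata_complete "$d"; then
        echo "$d: missing repomd.xml, repomd.xml.asc or repomd.xml.key" >&2
        return 2
    fi
    home=$(mktemp -d) || return 3
    chmod 700 "$home"
    if ! gpg --homedir "$home" --batch --quiet --import "$d/repomd.xml.key" 2>/dev/null; then
        rm -rf "$home"
        echo "$d: could not import repomd.xml.key" >&2
        return 3
    fi
    echo "== $d"
    key_summary "$home"
    # Detached signature: the signature file comes first, the signed data second.
    gpg --homedir "$home" --batch --verify "$d/repomd.xml.asc" "$d/repomd.xml" 2>&1
    rc=$?
    rm -rf "$home"
    return $rc
}

# Usage: ./repomd_check.sh /var/cache/zypp/raw/*/repodata
# Nothing runs when the script is called without arguments.
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        verify_repodata "$d" || status=1
    done
    exit "$status"
fi
```

A good signature here only proves that repomd.xml was signed by whoever published repomd.xml.key next to it, which an attacker who controls the mirror could do as well. The value is in the printed fingerprint and expiry: compare the fingerprint with the one zypper shows in its "New repository or package signing key received" prompt and with the keys already imported into the rpm database, which `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'` lists, and check the expiry against the date zypper reports.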

Author: Push

Updated on September 18, 2022

Comments

  • Push, over 1 year ago

    I have two almost identical openSuSE 12.3 virtual machines, snip and snap.

    While updating them today, one asked to confirm a new repository or package signing key, the other didn't.

    I want to make really sure I didn't do anything wrong (just in case one of them got compromised in one way or the other), especially since the system not asking for the key indicates all repositories are up to date.

    So:

    1. Where does zypper install these keys?
    2. How can I list the installed keys?
    3. How can I verify these keys are indeed valid?

    System asking to trust the key:

    snap:/home/jeroenp # zypper repos -d
    #  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
    ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
     1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
     2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
     3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
     4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
     5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
     6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
     7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
     8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
     9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
    10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
    snap:/home/jeroenp # zypper update
    Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\]
    
    
    New repository or package signing key received:
    Key ID: 69D1B2AAEE3D166A
    Key Name: security OBS Project <[email protected]>
    Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
    Key Created: Mon May 26 11:04:43 2014
    Key Expires: Wed Aug  3 11:04:42 2016
    Repository: Security - openSUSE 12.3
    
    
    Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^Csnap:/home/jeroenp # ^C
    snap:/home/jeroenp #
    

    System not asking to trust the key:

    snip:/home/jeroenp # zypper repos -d
    #  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
    ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
     1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
     2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
     3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
     4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
     5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
     6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
     7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
     8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
     9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
    10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
    snip:/home/jeroenp # zypper update
    Loading repository data...
    Reading installed packages...
    
    
    The following package update will NOT be installed:
      libudev0 
    
    
    Nothing to do.
    snip:/home/jeroenp # zypper refresh
    Repository 'Security - openSUSE 12.3' is up to date.
    Repository 'openSUSE-12.3-1.6' is up to date.
    Repository 'openSUSE-12.3-Non-Oss' is up to date.
    Repository 'openSUSE-12.3-Oss' is up to date.
    Repository 'openSUSE-12.3-Update' is up to date.
    Repository 'openSUSE-12.3-Update-Non-Oss' is up to date.
    All repositories have been refreshed.
    
    snip:/home/jeroenp #