Where does zypper install the repository or package signing keys?
On the openSuSE forums, user Robi Listas gave the start of an answer which I finished. Here is the summary:
Zypper does not expose the location of the keys, but the repository key files on openSuSE are in /var/cache/zypp/raw/*/repodata
where *
is the alias name of a repository from the list you can get through zypper repos
.
I wrote a small bash repomd_test.sh script based on a script by Tojaj that you can call like this for each repodata
directory:
for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done
Each of those directories has three files:
-
repomd.xml
signed repository file (this is XML) -
repomd.xml.asc
ASCII "armor" signature ofrepomd.xml
-
repomd.xml.key
ASCII public key used to create therepomd.xml.asc
signature
The script creates a temporary keyring directory for GnuPG.
Then for the repodata, it adds the repomd.xml.key
to the keyring, then verifies that the repomd.xml
indeed corresponds to the repomd.xml.asc
signature and prints the fingerprint and meta information (like expiration).
Related videos on Youtube
Push
Updated on September 18, 2022Comments
-
Push over 1 year
I've two almost identical openSuSE 12.3 virtual machines,
snip
andsnap
.While updating them today, one asked to confirm a new
repository or package signing key
, the other didn't.I want to make really sure I didn't do anything wrong (just in case one of them got compromised in one way or the other), especially since the system not asking for the key indicates all repositories are up to date.
So:
- Where does zypper install these keys?
- How can I list the installed keys?
- How can I verify these keys are indeed valid?
System asking to trust the key:
snap:/home/jeroenp # zypper repos -d # | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+-------- 1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ | 2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 | 3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ | 4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ | 5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ | 6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ | 7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ | 8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ | 9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ | 10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ | snap:/home/jeroenp # zypper update Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\] New repository or package signing key received: Key ID: 69D1B2AAEE3D166A Key Name: security OBS Project <[email protected]> Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A Key Created: Mon May 26 11:04:43 2014 Key Expires: Wed Aug 3 11:04:42 2016 Repository: Security - openSUSE 12.3 Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^Csnap:/home/jeroenp # ^C snap:/home/jeroenp #
System not asking to trust the key:
snip:/home/jeroenp # zypper repos -d # | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+-------- 1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ | 2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 | 3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ | 4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ | 5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ | 6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ | 7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ | 8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ | 9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ | 10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ | snip:/home/jeroenp # zypper update Loading repository data... Reading installed packages... The following package update will NOT be installed: libudev0 Nothing to do. snip:/home/jeroenp # snip:/home/jeroenp # zypper refreshRepository 'Security - openSUSE 12.3' is up to date. Repository 'openSUSE-12.3-1.6' is up to date. Repository 'openSUSE-12.3-Non-Oss' is up to date. Repository 'openSUSE-12.3-Oss' is up to date. Repository 'openSUSE-12.3-Update' is up to date. Repository 'openSUSE-12.3-Update-Non-Oss' is up to date. All repositories have been refreshed. snip:/home/jeroenp #