I've two almost identical openSuSE 12.3 virtual machines, snip
and snap
.
While updating them today, one asked to confirm a new repository or package signing key
, the other didn't.
I want to make really sure I didn't do anything wrong (just in case one of them got compromised in one way or the other), especially since the system not asking for the key indicates all repositories are up to date.
So:
- Where does zypper install these keys?
- How can I list the installed keys?
- How can I verify these keys are indeed valid?
System asking to trust the key:
snap:/home/jeroenp # zypper repos -d
# | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ |
2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |
3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ |
4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ |
5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ |
6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ |
7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ |
8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ |
9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ |
10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ |
snap:/home/jeroenp # zypper update
Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\]
New repository or package signing key received:
Key ID: 69D1B2AAEE3D166A
Key Name: security OBS Project <security@build.opensuse.org>
Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
Key Created: Mon May 26 11:04:43 2014
Key Expires: Wed Aug 3 11:04:42 2016
Repository: Security - openSUSE 12.3
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^Csnap:/home/jeroenp # ^C
snap:/home/jeroenp #
System not asking to trust the key:
snip:/home/jeroenp # zypper repos -d
# | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ |
2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |
3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ |
4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ |
5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ |
6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ |
7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ |
8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ |
9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ |
10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ |
snip:/home/jeroenp # zypper update
Loading repository data...
Reading installed packages...
The following package update will NOT be installed:
libudev0
Nothing to do.
snip:/home/jeroenp # snip:/home/jeroenp # zypper refreshRepository 'Security - openSUSE 12.3' is up to date.
Repository 'openSUSE-12.3-1.6' is up to date.
Repository 'openSUSE-12.3-Non-Oss' is up to date.
Repository 'openSUSE-12.3-Oss' is up to date.
Repository 'openSUSE-12.3-Update' is up to date.
Repository 'openSUSE-12.3-Update-Non-Oss' is up to date.
All repositories have been refreshed.
snip:/home/jeroenp #
Best Answer
On the openSuSE forums, user Robi Listas gave the start of an answer which I finished. Here is the summary:
Zypper does not expose the location of the keys, but the repository key files on openSuSE are in
/var/cache/zypp/raw/*/repodata
where*
is the alias name of a repository from the list you can get throughzypper repos
.I wrote a small bash repomd_test.sh script based on a script by Tojaj that you can call like this for each
repodata
directory:Each of those directories has three files:
repomd.xml
signed repository file (this is XML)repomd.xml.asc
ASCII "armor" signature ofrepomd.xml
repomd.xml.key
ASCII public key used to create therepomd.xml.asc
signatureThe script creates a temporary keyring directory for GnuPG.
Then for the repodata, it adds the
repomd.xml.key
to the keyring, then verifies that therepomd.xml
indeed corresponds to therepomd.xml.asc
signature and prints the fingerprint and meta information (like expiration).