[packman] digests SIGNATURES NOT OK

S. sb56637 at gmail.com
Sat Dec 18 18:40:59 CET 2021

On Mon Dec 13 09:48:43 CET 2021 Marc Schiffbauer wrote:
> > * Giacomo Comes wrote on 12.12.21 at 03:44:
> > I have more information about the key problem.
> > 
> > Some time ago the package rpm in openSUSE was patched with
> > PGP hardening changes from upstream (bsc#1185299).
> > This caused a problem with the current packman key.
> > However, the key itself is not bad. It's just that
> > the rpm code before patching and the code after patching 
> > will consider the same key as different.
> > 
> > The solution for me was to delete the packman key
> > (rpm -e gpg-pubkey-1abd1afb-54176598) and then,
> > when asked, reimport the key.
> > 
> > After that, everything worked fine.

> Thanks for that! So I guess we could leave the current key in place.  
> Users just need to know the required steps.

I haven't been able to build new images based on openSUSE that include a config script to import the Packman key because it fails:
> :~> rpm --import /etc/zypp/repos.d/repomd.xml.key
> error: /etc/zypp/repos.d/repomd.xml.key: key 1 import failed.

The cause of the error is the updated version of rpm in Tumbleweed and Leap:
- https://1password.community/discussion/123891/rpm-gpg-key-is-not-accepted-by-new-rpm-versions
- https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222
- https://itectec.com/unixlinux/yum-in-amazon-linux-2-still-asks-for-gpg-key-even-after-rpm-import-when-adding-kubernetes-repo/

They talk there in those threads about updating the key to remove the critical bit but keeping the same key, but that's all over my head. I think something needs to be done about the Packman key, even if it means creating a new one.
