Bug 1056923

Summary: zypper/rpm cannot verify chrome repo with subkeys
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Bernhard Wiedemann <bwiedemann>
Component: libzypp
Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: forgotten_8V0iXRzE4M, mls
Version: Current
Target Milestone: ---
Hardware: Other
OS: openSUSE 13.2
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Bernhard Wiedemann 2017-09-01 20:01:33 UTC
Steps To Reproduce:
zypper ar http://dl.google.com/linux/chrome/rpm/stable/x86_64 google-chrome
zypper ref
File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '1397BC53640DB551'. Continue? [yes/no] (no): 

gpg --recv-key 0x1397BC53640DB551
gpg --export -a 0x1397BC53640DB551 > linux_signing_key.pub
rpmkeys --import linux_signing_key.pub
# rpm -qa|grep pubkey
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-c862b42c-57a2e70b
gpg-pubkey-d38b4796-570c8cd3
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-307e3d54-4be01a65

So rpm only knows about the main pubkey but not about the subkeys,
and thus zypper ref still cannot verify the repo.

# gpg --edit-key 0x1397BC53640DB551
gpg (GnuPG) 2.1.22; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/7721F63BD38B4796
     created: 2016-04-12  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/1397BC53640DB551
     created: 2016-04-12  expires: 2019-04-12  usage: S   
sub  rsa4096/6494C6D6997C215E
     created: 2017-01-24  expires: 2020-01-24  usage: S  

This was also reported at
https://forums.opensuse.org/showthread.php/526158-sudden-google-chrome-is-signed-with-an-unknown-key-problem
and I guess it will re-occur every year when Google rotates its signing key.

Comment 1 Bernhard Wiedemann 2017-09-01 20:08:00 UTC
Also, key and signature are correct:
wget http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata\
/repomd.xml{,.asc}
gpg -d repomd.xml.asc 
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made 2017-08-30T17:36:13 UTC
gpg:                using RSA key 1397BC53640DB551
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 3B06 8FB4 789A BE4A EFA3  BB49 1397 BC53 640D B551

Comment 2 Michael Andres 2017-09-04 07:43:06 UTC
.

*** This bug has been marked as a duplicate of bug 1008325 ***
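
To connect the key ID in the zypper prompt with the `rpm -qa` list in the description, the following added example (not part of the original report, and not libzypp or rpm code) resolves a signing key ID to its primary key and derives the `gpg-pubkey-<keyid>-<created>` name rpm gives that primary key. The colon-format listing is constructed from the key IDs on this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample, trimmed to the fields used, in the layout of
# `gpg --with-colons --list-keys`. Key IDs are the ones in this report; the
# primary creation time is the hex suffix 570c8cd3 from the rpm listing;
# subkey timestamps are constructed to match the dates in `gpg --edit-key`.
SAMPLE_KEYS='pub:-:4096:1:7721F63BD38B4796:1460440275:::-:::scSC:
sub:-:4096:1:1397BC53640DB551:1460440299:1555048299:::::s:
sub:-:4096:1:6494C6D6997C215E:1485216000:1579824000:::::s:'

# Read a colon-format listing on stdin and print "<primary key ID> <created>"
# for the key block containing key ID $1 (as primary or subkey).
# Exit status is non-zero when the key ID is not in the listing.
primary_of() {
    want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { primary = $5; created = $6 }
        ($1 == "pub" || $1 == "sub") && toupper($5) == want {
            print primary, created; found = 1; exit
        }
        END { exit !found }'
}

# Read the same listing on stdin and print the rpm package name of the
# imported primary key: low 32 bits of the key ID, then creation time in hex.
rpm_pubkey_name() {
    info=$(primary_of "$1") || return 1
    id=${info% *}
    created=${info#* }
    short=$(printf '%s' "$id" | cut -c9-16 | tr 'A-F' 'a-f')
    printf 'gpg-pubkey-%s-%x\n' "$short" "$created"
}

# The subkey from the zypper prompt maps to the primary key that rpm lists.
printf '%s\n' "$SAMPLE_KEYS" | rpm_pubkey_name 0x1397BC53640DB551
# prints gpg-pubkey-d38b4796-570c8cd3

# On a live system (not run here):
#   name=$(gpg --with-colons --list-keys | rpm_pubkey_name 0x1397BC53640DB551)
#   rpm -q "$name"
```

If `rpm -q` finds that package while `zypper ref` still reports the subkey as unknown, the primary key is imported and the failure is in subkey handling, which is the situation this report describes.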