Bug 1217056

Summary: [Build 34.1] Installation with system role Common Criteria broken by Unknown GnuPG key
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6
Reporter: Joaquín Rivera <jeriveramoya>
Component: Security
Assignee: Security Team bot <security-team>
Status: VERIFIED FIXED
QA Contact:
Severity: Major
Priority: P1 - Urgent
CC: guido.colangiuli, jan.stehlik, leli, meissner, rtsvetkov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://openqa.suse.de/tests/12774019/modules/start_install/steps/4
Whiteboard: FIPS
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---
Attachments: Logs cc installation

Description Joaquín Rivera 2023-11-13 06:54:23 UTC
Created attachment 870715
Logs cc installation

openQA test in scenario sle-15-SP6-Online-x86_64-create_hdd_textmode_common_criteria@64bit fails in
[start_install](https://openqa.suse.de/tests/12774019/modules/start_install/steps/4) which now is beta candidate.

Common Criteria installation has apparently been broken for one month; see the last pass: https://openqa.suse.de/tests/12409525.

See the attached installation logs and please forward to component security or zypper if you can discard an installer problem.

Some extracts from the logs:
```
2023-11-13 01:37:09 <3> install(3813) [zypp::gpg] KeyManager.cc(readSignaturesFprsOptVerify):213 Unable to read signature fingerprints
2023-11-13 01:37:09 <1> install(3813) [zypp::KeyRing] KeyRing.cc(_verifyFileSignatureWorkflow):678 File [/var/adm/mount/AP_0xp0YDEu/CHECKSUMS] ( CHECKSUMS ) signed with unknown key []
2023-11-13 01:37:09 <3> install(3813) [Pkg] Source_Misc.cc(logFindRepository):68 Cannot find source with ID: -1
2023-11-13 01:37:09 <1> install(3813) [Ruby] modules/SignatureCheckDialogs.rb(ItemSignedWithUnknownSignature):475 Ops.get called on nil.
2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):351 Dynamic Proxy: [UI::OpenDialog] with [6] params
2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):360 Namespace created from UI
2023-11-13 01:37:09 <0> install(3813) [ui] YUINamespace.cc(createFunctionCall):1045 overloaded OpenDialog, 2@12
2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):395 Call OpenDialog
2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):401 Append parameter `opt (`decorated)
2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):401 Append parameter `VBox (`Heading ("Unknown GnuPG Key"), `MarginBox (0.5, 0.5, `Label ("The file CHECKSUMS\nis digitally signed with the following unknown GnuPG key: \nID: .\n\nThis means that a trust relationship to the creator of the file\ncannot be established. Using the file may put the integrity\nof your system at risk.\n\nUse it anyway?")), `Left (`MarginBox (0, 1.2, `CheckBox (`id (`dont_show_again), "Do Not Show This Message &Again", false))), `ButtonBox (`PushButton (`id (`yes), `opt (`okButton, `key_F10), "&Yes"), `PushButton (`id (`no), `opt (`default, `cancelButton, `key_F9), "&No")))
```
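A triage sketch for the log extract above, added here as an example and not part of the bug report or of libzypp/YaST: it separates a signature whose fingerprints could not be read (empty key ID, as in this report) from a file signed by a key that is simply not in the keyring. The function name, the classification labels and the third sample line are assumptions made for the illustration.

```python
import re

# y2log layout: date time <level> component(pid) [logger] file(func):line message
LINE = re.compile(r"^(\S+ \S+) <(\d)> \S+\((\d+)\) \[([^\]]+)\] \S+ (.*)$")
UNKNOWN = re.compile(r"File \[(.*?)\] \( (.*?) \) signed with unknown key \[(.*?)\]")
FPR_ERR = "Unable to read signature fingerprints"

# The first two lines are taken from the report; the third is constructed.
SAMPLE = [
    "2023-11-13 01:37:09 <3> install(3813) [zypp::gpg] KeyManager.cc(readSignaturesFprsOptVerify):213 Unable to read signature fingerprints",
    "2023-11-13 01:37:09 <1> install(3813) [zypp::KeyRing] KeyRing.cc(_verifyFileSignatureWorkflow):678 File [/var/adm/mount/AP_0xp0YDEu/CHECKSUMS] ( CHECKSUMS ) signed with unknown key []",
    "2023-11-13 01:40:00 <1> install(3813) [zypp::KeyRing] KeyRing.cc(_verifyFileSignatureWorkflow):678 File [/tmp/example/repomd.xml] ( repomd.xml ) signed with unknown key [0123456789ABCDEF]",
]


def triage(lines):
    """Classify every 'signed with unknown key' event found in y2log lines."""
    findings = []
    fpr_error_at = {}  # pid -> timestamp of its latest fingerprint read error
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines and foreign formats are skipped
        ts, _level, pid, logger, msg = m.groups()
        if logger == "zypp::gpg" and FPR_ERR in msg:
            fpr_error_at[pid] = ts
            continue
        event = UNKNOWN.search(msg)
        if logger != "zypp::KeyRing" or not event:
            continue
        path, name, key_id = event.groups()
        if key_id:
            kind = "unknown-key"            # a key ID was extracted; it is not trusted
        elif fpr_error_at.get(pid) == ts:
            kind = "unreadable-signature"   # no fingerprint could be read at all
        else:
            kind = "empty-key-id"           # empty ID without a logged read error
        findings.append({"time": ts, "file": name, "path": path,
                         "key_id": key_id, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["time"], finding["file"], finding["kind"], finding["key_id"] or "-")
```

Correlation is by process ID and identical one-second timestamp, which is a heuristic chosen for this example.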
Comment 1 Joaquín Rivera 2023-11-13 06:58:04 UTC
On aarch64 it fails in similar fashion:
https://openqa.suse.de/tests/12773328#step/start_install/4
but on s390x it points to apparmor:
https://openqa.suse.de/tests/12773399#step/await_install/81
Comment 2 Stefan Hundhammer 2023-11-13 08:33:34 UTC
Why would this be a problem of the installer? We do not sign those repos, we are only telling the user if the signing key does not match the content.
Comment 3 Joaquín Rivera 2023-11-13 08:35:12 UTC
I suspected that, thanks for checking, let's move the component to Security then.
Comment 4 Stefan Hundhammer 2023-11-13 09:47:32 UTC
*** Bug 1216809 has been marked as a duplicate of this bug. ***
Comment 5 Joaquín Rivera 2023-11-13 09:51:49 UTC
According to Marcus Meissner, it might be the same issue as https://bugzilla.suse.com/show_bug.cgi?id=1217058, but not 100% clear atm.
Comment 6 Marcus Meissner 2023-11-27 16:24:27 UTC
fixed if I read openqa correctly.
Comment 7 Joaquín Rivera 2023-11-28 05:45:14 UTC
Verified fixed:
https://openqa.suse.de/tests/12894634