Bug 1224292

Summary: SUMA has a problem with an old key next to a new one in 15.6
Product: [openSUSE] openSUSE Distribution
Reporter: Lubos Kocman <lubos.kocman>
Component: Security
Assignee: Adrian Schröter <adrian.schroeter>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: lubos.kocman, mc, meissner, mlin
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Lubos Kocman 2024-05-15 11:40:26 UTC
From Michael Calmer:

There is a problem with the 15.6 repo metadata:
repomd.xml is signed, but not with the "repomd.xml.key".
$> gpg --keyid-format=long --show-keys --with-fingerprint repomd.xml.key
pub   rsa2048/B88B2FD43DBDC284 2008-11-07 [SC] [expired: 2024-05-02]
      Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
uid                            openSUSE Project Signing Key <opensuse@opensuse.org>
$> gpg --verify repomd.xml.asc 
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Sat 11 May 2024 02:01:32 AM CEST
gpg:                using RSA key 35A2F86E29B700A4

I think we switched the key, but we still put the old key next to it?
Who can fix this? It breaks testing of SUSE Manager and Uyuni.
Comment 1 Marcus Meissner 2024-05-15 11:53:06 UTC
Yes, repomd.xml.key seems incorrect (old one).
Adrian, the 15.6 and openSUSE:Backports:SLE15-SP6 need to have the newer keys we also used for 15.5 and 15-SP5.
Comment 2 Adrian Schröter 2024-05-15 14:12:00 UTC
Hm, the key is configured, but the public key file was missing on our main backend.

Please try a rebuild for verification.
Comment 3 Max Lin 2024-05-16 07:36:15 UTC
(In reply to Adrian Schröter from comment #2)
> hm, the key is configured, but the public key file was missing on our main
> backend.
> 
> Please try a rebuild for verification.

That is Build695.1 and Build696.2, FYI.
Comment 4 Lubos Kocman 2024-05-16 10:59:27 UTC
Michael, can you please confirm that the issue is fixed for your team?
Comment 5 Michael Calmer 2024-05-16 11:24:40 UTC
I still get the old key.

$> curl -vvv -L -O https://download.opensuse.org/distribution/leap/15.6/repo/oss/repodata/repomd.xml.key
Connected to download.opensuse.org (2a07:de40:b250:131:10:151:131:30) port 443 (#0)
...
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mirrorcache.opensuse.org
*  start date: Apr 22 00:21:12 2024 GMT
*  expire date: Jul 21 00:21:11 2024 GMT
*  subjectAltName: host "download.opensuse.org" matched cert's "download.opensuse.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /distribution/leap/15.6/repo/oss/repodata/repomd.xml.key]
* h2h3 [:scheme: https]
* h2h3 [:authority: download.opensuse.org]
* h2h3 [user-agent: curl/8.0.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x558cd07d77e0)
} [5 bytes data]
> GET /distribution/leap/15.6/repo/oss/repodata/repomd.xml.key HTTP/2
> Host: download.opensuse.org
> user-agent: curl/8.0.1
> accept: */*
...
< HTTP/2 200 
< date: Thu, 16 May 2024 11:20:56 GMT
< server: Mojolicious (Perl)
< cache-control: public, max-age=231
< content-disposition: inline;filename="repomd.xml.key"
< content-length: 988

Content-Length of 988 is the length of the old key.
The new one should have more than 1024.

It also does not look like it is using a mirror.
No idea what happens.
Comment 6 Michael Calmer 2024-05-16 11:25:29 UTC
Also the web page shows the size of the old key:
https://download.opensuse.org/distribution/leap/15.6/repo/oss/repodata/
Comment 7 Max Lin 2024-05-16 11:38:52 UTC
(In reply to Lubos Kocman from comment #4)
> Michael can you please confirm that issue is fixed for your team?

We need to publish Build696.2 (with the newer repo metadata, which has been uploaded to d.o.o) so that the SUMA team is able to verify it with SUSE Manager or Uyuni... Without publishing, the alternative options are that autobuild might be able to verify it on the build service, or to do a verification on https://openqa.opensuse.org/assets/repo/openSUSE-Leap-15.6-oss-Build696.2 (the asset repo on openQA has newer repodata).
Comment 8 Max Lin 2024-05-16 11:45:23 UTC
$ cat ../media.1/media 
openSUSE - openSUSE-Leap-15.6-x86_64-aarch64-ppc64le-s390x-Build696.2-Media
openSUSE-Leap-15.6-x86_64-aarch64-ppc64le-s390x-Build696.2
1
$ gpg --keyid-format=long --show-keys --with-fingerprint repomd.xml.key 
pub   rsa2048/B88B2FD43DBDC284 2008-11-07 [SC] [expired: 2024-05-02]
      Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
uid                            openSUSE Project Signing Key <opensuse@opensuse.org>

$ gpg --verify repomd.xml.asc 
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made Thu 16 May 2024 02:26:21 PM CST
gpg:                using RSA key 35A2F86E29B700A4
gpg: Can't check signature: No public key

This is what I get from Build696.2's asset repo on openQA; it looks like it still has an old key...
Comment 9 Adrian Schröter 2024-05-16 16:11:00 UTC
The new key is there now in Build696.3.
Comment 10 Michael Calmer 2024-05-17 12:51:56 UTC
Sorry, it is not fixed.
https://download.opensuse.org/distribution/leap/15.6/repo/oss/repodata/

The repomd.xml* files are newly deployed from yesterday, May 16th.
But the key file is still wrong.
Comment 11 Michael Calmer 2024-05-23 11:01:48 UTC
distribution/ is now fixed.
The problem is still present for the "update" repositories.
But as there is no update released yet, it could just be that it gets fixed with the first release of an update.
Comment 12 Marcus Meissner 2024-06-10 08:04:39 UTC
Should be fixed now.
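A check for the failure mode this bug describes (in the description and again in comment 8): the published repomd.xml.key holds an expired key whose ID differs from the key that actually signed repomd.xml.asc. This is an added example, not code from the bug report or from openSUSE/OBS tooling; it parses `gpg --with-colons` key listings and `gpg --status-fd` verification output, the embedded sample output is constructed from the key IDs and fingerprint reported in this bug, and the creation/expiry timestamps in it are assumed.

```python
import re

# Constructed sample of `gpg --with-colons --show-keys repomd.xml.key` output,
# modelled on the expired key in this bug (creation/expiry timestamps assumed).
SAMPLE_KEY_LISTING = """\
pub:e:2048:1:B88B2FD43DBDC284:1226016000:1714608000::-:::sc::::::23::0:
fpr:::::::::22C07BA534178CD02EFE22AAB88B2FD43DBDC284:
"""

# Constructed sample of `gpg --status-fd 1 --verify repomd.xml.asc repomd.xml`
# status lines when the signing key is absent from the keyring (comment 8).
SAMPLE_VERIFY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 35A2F86E29B700A4 1 10 00 1715385692 9 -
[GNUPG:] NO_PUBKEY 35A2F86E29B700A4
"""

SIG_LINE = re.compile(r"\[GNUPG:\] (?:GOODSIG|BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) ([0-9A-Fa-f]{16,40})")

def parse_key_listing(listing):
    """Map each pub record's long key ID to its fingerprint and expiry flag."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":                        # field 2 validity 'e' means expired
            current = f[4].upper()
            keys[current] = {"fpr": None, "expired": f[1] == "e"}
        elif f[0] == "fpr" and current and keys[current]["fpr"] is None:
            keys[current]["fpr"] = f[9].upper()  # first fpr after pub: primary key
    return keys

def signing_keyid(status):
    """Long key ID the signature was made with, taken from the first *SIG line."""
    for line in status.splitlines():
        m = SIG_LINE.match(line)
        if m:
            return m.group(1)[-16:].upper()      # last 16 hex digits of a fpr == long ID
    return None

def check_repo_key(listing, status):
    """Return a list of problems; an empty list means the published key matches."""
    keys, sig_key, problems = parse_key_listing(listing), signing_keyid(status), []
    if sig_key is None:
        problems.append("no signature key ID found in gpg status output")
    elif sig_key not in keys:
        problems.append(f"repomd.xml.asc signed by {sig_key}, which is not in "
                        f"repomd.xml.key ({', '.join(keys) or 'no keys'})")
    problems += [f"key {k} in repomd.xml.key is expired" for k, v in keys.items() if v["expired"]]
    return problems
```

Against a real repository, feed it the stdout of `gpg --with-colons --show-keys repomd.xml.key` and of `gpg --status-fd 1 --verify repomd.xml.asc repomd.xml`; on the 15.6 data from comment 8 it reports both the key mismatch and the expiry.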