Bug 1056923 - zypper/rpm cannot verify chrome repo with subkeys
Status: RESOLVED DUPLICATE of bug 1008325
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: libzypp
Version: Current
Hardware: Other openSUSE 13.2
: P5 - None : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
Reported: 2017-09-01 20:01 UTC by Bernhard Wiedemann
Modified: 2017-09-04 07:43 UTC
Found By: Development
Description Bernhard Wiedemann 2017-09-01 20:01:33 UTC
Steps To Reproduce:
zypper ar http://dl.google.com/linux/chrome/rpm/stable/x86_64 google-chrome
zypper ref
File 'repomd.xml' from repository 'google-chrome' is signed with an unknown key '1397BC53640DB551'. Continue? [yes/no] (no): 

gpg --recv-key 0x1397BC53640DB551
gpg --export -a 0x1397BC53640DB551 > linux_signing_key.pub
rpmkeys --import linux_signing_key.pub
# rpm -qa|grep pubkey
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-c862b42c-57a2e70b
gpg-pubkey-d38b4796-570c8cd3
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-307e3d54-4be01a65

so rpm only knows about the main pubkey but not about the subkeys
and thus zypper ref still cannot verify the repo

# gpg --edit-key 0x1397BC53640DB551
gpg (GnuPG) 2.1.22; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/7721F63BD38B4796
     created: 2016-04-12  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/1397BC53640DB551
     created: 2016-04-12  expires: 2019-04-12  usage: S   
sub  rsa4096/6494C6D6997C215E
     created: 2017-01-24  expires: 2020-01-24  usage: S  

was also reported at
https://forums.opensuse.org/showthread.php/526158-sudden-google-chrome-is-signed-with-an-unknown-key-problem
and I guess it will re-occur every year when Google rotates its signing key
Comment 1 Bernhard Wiedemann 2017-09-01 20:08:00 UTC
Also, key and signature are correct:
wget http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata\
/repomd.xml{,.asc}
gpg -d repomd.xml.asc 
gpg: assuming signed data in 'repomd.xml'
gpg: Signature made 2017-08-30T17:36:13 UTC
gpg:                using RSA key 1397BC53640DB551
gpg: Good signature from "Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
     Subkey fingerprint: 3B06 8FB4 789A BE4A EFA3  BB49 1397 BC53 640D B551
Comment 2 Michael Andres 2017-09-04 07:43:06 UTC
.

*** This bug has been marked as a duplicate of bug 1008325 ***
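
The mismatch described in this report can be checked mechanically. The following is an added example, not code from the bug report, libzypp or rpm: it takes the key ID from zypper's prompt, a `gpg --list-keys --with-colons` listing and the `rpm -qa` pubkey list, and reports whether the signer is a subkey and whether only its primary key shows up in rpm's list. The helper names `key_tree`, `rpm_short_ids` and `diagnose` are hypothetical, and the colon listing is a constructed sample built from the key IDs shown above.

```python
# Added example, not from the bug report. GPG_COLONS is a constructed sample in
# the `gpg --list-keys --with-colons` layout (field 1 = record type, field 5 =
# key ID) using the report's key IDs; timestamp fields are left empty.
GPG_COLONS = """\
pub:-:4096:1:7721F63BD38B4796::::-:::scSC:
sub:-:4096:1:1397BC53640DB551:::::::s:
sub:-:4096:1:6494C6D6997C215E:::::::s:
"""
# The `rpm -qa | grep pubkey` output quoted in the report.
RPM_KEYS = """\
gpg-pubkey-7fac5991-4615767f
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-c862b42c-57a2e70b
gpg-pubkey-d38b4796-570c8cd3
gpg-pubkey-1abd1afb-54176598
gpg-pubkey-307e3d54-4be01a65
"""

def key_tree(colons):
    """Map every key ID in the listing to (record type, primary key ID)."""
    tree, primary = {}, None
    for line in colons.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if fields[0] == "pub":
            primary = fields[4].upper()
            tree[primary] = ("pub", primary)
        elif fields[0] == "sub" and primary:
            tree[fields[4].upper()] = ("sub", primary)
    return tree

def rpm_short_ids(rpm_output):
    """Collect <version> from gpg-pubkey-<version>-<release> package names."""
    ids = set()
    for name in rpm_output.split():
        parts = name.split("-")
        if len(parts) == 4 and parts[:2] == ["gpg", "pubkey"]:
            ids.add(parts[2].lower())
    return ids

def diagnose(signer, colons, rpm_output):
    """Classify the key ID that zypper reports as unknown."""
    kind, primary = key_tree(colons).get(signer.upper(), (None, None))
    listed = rpm_short_ids(rpm_output)
    return {"kind": kind, "primary": primary,
            "signer_listed": signer[-8:].lower() in listed,
            "primary_listed": bool(primary) and primary[-8:].lower() in listed}

if __name__ == "__main__":
    print(diagnose("1397BC53640DB551", GPG_COLONS, RPM_KEYS))
```

A result with `kind` equal to `sub`, `signer_listed` false and `primary_listed` true is the case reported here: the primary key is imported, but the key ID zypper asks about belongs to one of its signing subkeys.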