Bugzilla – Bug 1217056
[Build 34.1] Installation with system role Common Criteria broken by Unknown GnuPG key
Last modified: 2023-11-28 05:45:14 UTC
Created attachment 870715 [details] Logs cc installation openQA test in scenario sle-15-SP6-Online-x86_64-create_hdd_textmode_common_criteria@64bit fails in [start_install](https://openqa.suse.de/tests/12774019/modules/start_install/steps/4) which now is beta candidate. Common Criteria installation is broken apparently since one month ago, see last pass https://openqa.suse.de/tests/12409525. See attached installation logs and please forward to component security or zypper if you can discard and installer problem. Some extract from the logs: ``` 2023-11-13 01:37:09 <3> install(3813) [zypp::gpg] KeyManager.cc(readSignaturesFprsOptVerify):213 Unable to read signature fingerprints 2023-11-13 01:37:09 <1> install(3813) [zypp::KeyRing] KeyRing.cc(_verifyFileSignatureWorkflow):678 File [/var/adm/mount/AP_0xp0YDEu/CHECKSUMS] ( CHECKSUMS ) signed with unknown key [] 2023-11-13 01:37:09 <3> install(3813) [Pkg] Source_Misc.cc(logFindRepository):68 Cannot find source with ID: -1 2023-11-13 01:37:09 <1> install(3813) [Ruby] modules/SignatureCheckDialogs.rb(ItemSignedWithUnknownSignature):475 Ops.get called on nil. 2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):351 Dynamic Proxy: [UI::OpenDialog] with [6] params 2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):360 Namespace created from UI 2023-11-13 01:37:09 <0> install(3813) [ui] YUINamespace.cc(createFunctionCall):1045 overloaded OpenDialog, 2@12 2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):395 Call OpenDialog 2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):401 Append parameter `opt (`decorated) 2023-11-13 01:37:09 <0> install(3813) [Ruby] binary/Yast.cc(ycp_module_call_ycp_function):401 Append parameter `VBox (`Heading ("Unknown GnuPG Key"), `MarginBox (0.5, 0.5, `Label ("The file CHECKSUMS\nis digitally signed with the following unknown GnuPG key: \nID: .\n\nThis means that a trust relationship to the creator of the file\ncannot be established. Using the file may put the integrity\nof your system at risk.\n\nUse it anyway?")), `Left (`MarginBox (0, 1.2, `CheckBox (`id (`dont_show_again), "Do Not Show This Message &Again", false))), `ButtonBox (`PushButton (`id (`yes), `opt (`okButton, `key_F10), "&Yes"), `PushButton (`id (`no), `opt (`default, `cancelButton, `key_F9), "&No"))) ```
In aarch64 fails in similar fashion: https://openqa.suse.de/tests/12773328#step/start_install/4 but in s390x points to apparmor: https://openqa.suse.de/tests/12773399#step/await_install/81
Why would this be a problem of the installer? We do not sign those repos, we are only telling the user if the signing key does not match the content.
I suspected that, thanks for the checking, let's move component to Security then.
*** Bug 1216809 has been marked as a duplicate of this bug. ***
According to Marcus Meissner, it might be the same issue than https://bugzilla.suse.com/show_bug.cgi?id=1217058, but not 100 % clear atm.
fixed if I read openqa correctly.
Verified fixed: https://openqa.suse.de/tests/12894634