Bugzilla – Bug 1219256
rmt-cli mirror custom tumbleweed repo fails with gpg no public key error
Last modified: 2024-04-10 13:30:24 UTC
I use the repository mirroring tool (rmt) to maintain local copies of leap repositories (currently 15.4 and 15.5). I am trying to add the tumbleweed repositories to my local set but the rmt-server-mirror service fails with the following in the logs:

Jan 26 10:06:40 rmt rmt-cli[1357]: WARN: GPG command: gpg --homedir /tmp/rmt-mirror-gpg20240126-1357-11gdkuz --no-default-keyring --keyring /tmp/rmt-mirror-gpg20240126-1357-11gdkuz/keyring --verify /tmp/d20240126-1357-oemuy5/repodata/repomd.xml.asc /tmp/d20240126-1357-oemuy5/repodata/repomd.xml 2>&1
Jan 26 10:06:40 rmt rmt-cli[1357]: WARN: GPG output: gpg: Signature made Wed Oct 11 10:51:21 2023 BST
Jan 26 10:06:40 rmt rmt-cli[1357]: gpg: using RSA key 35A2F86E29B700A4
Jan 26 10:06:40 rmt rmt-cli[1357]: gpg: Can't check signature: No public key
Jan 26 10:06:40 rmt rmt-cli[1357]: WARN: The following errors occurred while mirroring:
Jan 26 10:06:40 rmt rmt-cli[1357]: WARN: Repository 'tw_update' (tw_update): Error while mirroring metadata: GPG signature verification failed.
Jan 26 10:06:40 rmt rmt-cli[1357]: WARN: Mirroring completed with errors.

The relevant lines from rmt-cli repos custom list are:

| tw_non-oss | tw_non-oss | http://download.opensuse.org/tumbleweed/repo/non-oss/ | Not Mandatory | Mirror | 2024-01-26 10:06:39 UTC |
| tw_oss | tw_oss | http://download.opensuse.org/tumbleweed/repo/oss/ | Not Mandatory | Mirror | 2024-01-26 10:06:36 UTC |
| tw_update | tw_update | http://download.opensuse.org/update/tumbleweed/ | Not Mandatory | Mirror | |

I have tried importing the public keys but, as the log message says, the gpg check is made using an ephemeral keyring and no others. It appears that the mirror service succeeds obtaining the leap public key but fails to obtain the tumbleweed public key.
Hi Graham, we got the bug report and are looking into the topic. Since we are currently in the middle of revamping the mirror implementation, I add tumbleweed update as a test to our list, to make sure it is working correctly. We will ping you here when this is done! Cheers, Felix
Hi Graham,

The issue seems to be with the gpg key of the repository. One can reproduce the issue outside of rmt as follows:

> mkdir /tmp/test_tw_gpg
> export tmpdir=/tmp/test_tw_gpg
> cd $tmpdir && wget https://download.opensuse.org/update/tumbleweed/repodata/repomd.{xml,xml.asc,xml.key}
> ls /tmp/test_tw_gpg
> gpg --homedir $tmpdir --no-default-keyring --keyring $tmpdir/keyring --import $tmpdir/repomd.xml.key 2>&1
> gpg --homedir $tmpdir --no-default-keyring --keyring $tmpdir/keyring --verify $tmpdir/repomd.xml.asc $tmpdir/repomd.xml 2>&1

Please reach out to the repository publishers about this issue.
Hi Graham, We are still waiting for a reply from your side. If you don't mind, we will close this bug report because for now it looks like it's not a bug from our side. If that's not the case, feel free to re-open this and add a comment with further instructions on how to reproduce this issue. Thanks!
Reopening. Dominique is aware, but seems like this will have to be fixed by Adrian Schroeter.
>3908048b3b68231b68572c90fe0d49d4d278901468a8f3580ee0861695e1a98b download.opensuse.org-non-oss/repodata/repomd.xml.key
>3908048b3b68231b68572c90fe0d49d4d278901468a8f3580ee0861695e1a98b download.opensuse.org-oss/repodata/repomd.xml.key
>d9bcde281be1c8d0e1f8e1b62e01d989fb820cc3de9f0b0a9dc1a83a8d8e6c4d download.opensuse.org-tumbleweed/repodata/repomd.xml.key
>3908048b3b68231b68572c90fe0d49d4d278901468a8f3580ee0861695e1a98b openh264/repodata/repomd.xml.key
>3908048b3b68231b68572c90fe0d49d4d278901468a8f3580ee0861695e1a98b repo-debug/repodata/repomd.xml.key
>3908048b3b68231b68572c90fe0d49d4d278901468a8f3580ee0861695e1a98b repo-source/repodata/repomd.xml.key

From the default repos, the openSUSE:Factory:Update (download.opensuse.org-tumbleweed, name is a bit misleading) is the only one I found with the wrong key (but repomd is signed with the correct one afaict)
@AdrianL: I think the signing is properly redirected here, but the publishing is apparently not going via the hook
=> fixed

> gpg --homedir $tmpdir --no-default-keyring --keyring $tmpdir/keyring --import $tmpdir/repomd.xml.key 2>&1
gpg: WARNING: unsafe permissions on homedir '/tmp/test_tw_gpg'
gpg: keybox '/tmp/test_tw_gpg/keyring' created
gpg: /tmp/test_tw_gpg/trustdb.gpg: trustdb created
gpg: key 35A2F86E29B700A4: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

> gpg --homedir $tmpdir --no-default-keyring --keyring $tmpdir/keyring --verify $tmpdir/repomd.xml.asc $tmpdir/repomd.xml 2>&1
gpg: WARNING: unsafe permissions on homedir '/tmp/test_tw_gpg'
gpg: Signature made Mi 10 Apr 2024 15:28:04 CEST
gpg: using RSA key 35A2F86E29B700A4
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4
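
The reproduction in this thread, as an added example that is not part of any comment and is not rmt's code: it repeats the throwaway-keyring check but reads GnuPG's `--status-fd` lines, so a published `repomd.xml.key` that lacks the signing key (the failure reported here) is told apart from metadata that fails verification against a key that is present. The function names and verdict strings are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: triage a repomd.xml signature check from GnuPG status lines
# rather than from its human-readable (and localized) output.

# classify_status: read `gpg --status-fd` output on stdin, print one verdict.
#   missing-key <keyid>    signer's key is not in the keyring (this bug)
#   bad-signature <keyid>  key is present, but the data does not match
#   good <keyid>           signature verified
#   unknown                none of the above (e.g. expired or revoked key)
classify_status() {
  awk '
    $1 != "[GNUPG:]"   { next }
    $2 == "BADSIG"     { bad = $3 }
    $2 == "NO_PUBKEY"  { missing = $3 }
    $2 == "GOODSIG"    { good = $3 }
    END {
      if (bad != "")          print "bad-signature " bad
      else if (missing != "") print "missing-key " missing
      else if (good != "")    print "good " good
      else                    print "unknown"
    }'
}

# verify_repomd DIR: DIR holds repomd.xml, repomd.xml.asc and repomd.xml.key.
# The keyring is created fresh and holds only the published key file,
# mirroring the manual reproduction in the thread.
verify_repomd() {
  local dir=$1 home
  home=$(mktemp -d) || return 1
  chmod 700 "$home"   # avoids the "unsafe permissions on homedir" warning
  gpg --homedir "$home" --no-default-keyring --keyring "$home/keyring" \
      --batch --quiet --import "$dir/repomd.xml.key" >/dev/null 2>&1
  gpg --homedir "$home" --no-default-keyring --keyring "$home/keyring" \
      --batch --status-fd 1 \
      --verify "$dir/repomd.xml.asc" "$dir/repomd.xml" 2>/dev/null |
    classify_status
  rm -rf "$home"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then verify_repomd "$1"; fi
```

A `missing-key` verdict after importing the repository's own `repomd.xml.key` points at the publisher's key file, while `bad-signature` means the metadata itself does not match its signature.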