openSUSE / zypper

World's most powerful command line package manager
http://en.opensuse.org/Portal:Zypper

Pathname gets repeated for key specified in gpgkey option #546

Closed Fei1Yang closed 2 months ago

Fei1Yang commented 2 months ago

For a repository that has no repodata/repomd.xml.key file and specifies the GPG key path using the gpgkey option, the pathname of the GPG key is repeated, so the key can't be imported automatically. For example:

# zypper addrepo https://sing-box.app/sing-box.repo
Adding repository 'sing-box' ...........................................................................[done]
Repository 'sing-box' successfully added

URI         : https://rpm.sagernet.org/
Enabled     : Yes
GPG Check   : Yes
Autorefresh : No
Priority    : 99 (default priority)

Repository priorities in effect:                                              (See 'zypper lr -P' for details)
      80 (raised priority)  :  1 repository
      90 (raised priority)  :  1 repository
      99 (default priority) :  9 repositories
# zypper --gpg-auto-import-keys refresh sing-box
Looking for gpg key ID 2A2B2F0C in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 2A2B2F0C in repository sing-box.
  gpgkey=https://sing-box.app/gpg.key
Warning: File 'repomd.xml' from repository 'sing-box' is signed with an unknown key '6D9152172A2B2F0C'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
    anymore! You should not continue unless you know it's safe.

File 'repomd.xml' from repository 'sing-box' is signed with an unknown key '6D9152172A2B2F0C'.
Continue? [yes/no] (no): 

Related log entries in /var/log/zypper.log; mitmproxy also shows the same result:

[zypp::media] MediaHandler.cc(attach):654 Attached: https://sing-box.app/gpg.key attached; localRoot "/tmp/AP_0x8amWmO"
[zypp::media++] MediaManager.cc(checkDesired):155 checkDesired(3): desired (report by zypp::media::NoVerifier)
[zypp::media++] MediaManager.cc(checkDesired):157 checkDesired(3): desired (cached)
[zypp::media++] MediaMultiCurl.cc(doGetFileCopy):1508 dest: /tmp/AP_0x8amWmO/gpg.key
[zypp::media++] MediaMultiCurl.cc(doGetFileCopy):1509 temp: /tmp/AP_0x8amWmO/gpg.key.new.zypp.f7PiAa
[zypp::media++] MediaCurl.cc(doGetFileCopyFile):1197 /gpg.key
[zypp::media++] MediaCurl.cc(doGetFileCopyFile):1207 URL: https://sing-box.app/gpg.key/gpg.key
[zypp-curl++] curlhelper.cc(log_redirects_curl):159 redirecting to location: https://sing-box.sagernet.org

bzeller commented 2 months ago

What libzypp version do you have installed? I can't reproduce with current libzypp: 17.32.5

bzeller commented 2 months ago

Never mind, we found it; the next release will have the fix.
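
An added example (not part of the issue thread and not zypper's own code): a small Python check that scans a zypper.log excerpt for the symptom shown in the report, a key fetch whose URL is the attached gpgkey URL with its file name appended a second time. The regular expressions assume the log line layout quoted in the report, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Log lines copied from the zypper.log excerpt in the report above.
SAMPLE_LOG = """\
[zypp::media] MediaHandler.cc(attach):654 Attached: https://sing-box.app/gpg.key attached; localRoot "/tmp/AP_0x8amWmO"
[zypp::media++] MediaMultiCurl.cc(doGetFileCopy):1508 dest: /tmp/AP_0x8amWmO/gpg.key
[zypp::media++] MediaCurl.cc(doGetFileCopyFile):1197 /gpg.key
[zypp::media++] MediaCurl.cc(doGetFileCopyFile):1207 URL: https://sing-box.app/gpg.key/gpg.key
"""

# Assumed layout: "<file>(attach):<line> Attached: <url> attached; ..."
ATTACHED = re.compile(r"\(attach\):\d+ Attached: (\S+) attached;")
# Assumed layout: "<file>(doGetFileCopyFile):<line> URL: <url>"
FETCHED = re.compile(r"\(doGetFileCopyFile\):\d+ URL: (\S+)")


def doubled_segment(url):
    """Return the final path segment if it repeats the one before it, else None."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) >= 2 and parts[-1] == parts[-2]:
        return parts[-1]
    return None


def find_doubled_key_fetches(log_text):
    """Pair each fetched URL with the most recent attach point and report
    fetches whose URL is the attach URL plus its own file name again."""
    findings = []
    attached = None
    for line in log_text.splitlines():
        m = ATTACHED.search(line)
        if m:
            attached = m.group(1)
            continue
        m = FETCHED.search(line)
        if not m:
            continue
        fetched = m.group(1)
        segment = doubled_segment(fetched)
        if segment and attached and fetched == f"{attached.rstrip('/')}/{segment}":
            findings.append({"attached": attached, "fetched": fetched, "segment": segment})
    return findings


if __name__ == "__main__":
    for f in find_doubled_key_fetches(SAMPLE_LOG):
        print(f"{f['fetched']}: '{f['segment']}' appended to {f['attached']}")
```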