Details
Type: Bug
Priority: Major
Status: Closed
Resolution: Fixed
Description
It looks like sometime within the last 24 hours, the SLES12 MariaDB repo at https://downloads.mariadb.com/MariaDB/mariadb-10.5/yum/sles/12/x86_64 changed signing keys, but no new key appears to have been published anywhere.
We have SMT repo servers which mirror this repository, and after the latest mirroring at ~1:20AM UTC on 10/21/2022, the contents of the repo appear to have changed signing keys.
All attempts to contact any of our SMT servers (e.g. just running zypper refresh) now report the following:
—
Retrieving repository 'mariadb_repository' metadata [.
Warning: File 'repomd.xml' from repository 'mariadb_repository' is signed with an unknown key 'F1656F24C74CD1D8'.
Note: Signing data enables the recipient to verify that no modifications occurred after the data
were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
and in extreme cases even to a system compromise.
Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
whole repo.
Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
anymore! You should not continue unless you know it's safe.
File 'repomd.xml' from repository 'mariadb_repository' is signed with an unknown key 'F1656F24C74CD1D8'. Continue? [yes/no] (no): Cannot read input: bad stream or EOF.
If you run zypper without a terminal, use '--non-interactive' global
option to make zypper use default answers to prompts.
error]
Repository 'mariadb_repository' is invalid.
[...] Valid metadata not found at specified URL
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'mariadb_repository' because of the above error.
—
This problem is not specific to a single SMT server. All our SMT servers which mirrored overnight manifest this same problem.
I've checked the GPG keys posted at the following locations:
- https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY
- https://downloads.mariadb.com/MariaDB/MariaDB-Server-GPG-KEY
- https://mirror.mariadb.org/yum/RPM-GPG-KEY-MariaDB
These are all the same key we already have, and not whatever key is currently in use by the MariaDB repository.
Was this signing key switch intentional? If so, the new key needs to be published. If not, the contents of the repo are currently signed incorrectly.
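The check the reporter did by hand (compare the key ID zypper complains about with the key IDs in the published MariaDB-Server-GPG-KEY file) can be automated without calling gpg, which is useful on a mirror host where the keyring is not the one in question. The following is an added example, not code from the bug report or from MariaDB: it parses the OpenPGP packets in a detached repomd.xml.asc to read the Issuer / Issuer Fingerprint subpackets, computes the v4 key IDs of every key in a published public-key block, and reports whether the signer is among them. The signature and public key it builds for itself are constructed stand-ins (a tiny RSA modulus and an unverifiable signature body) so the script runs offline; the only real value it uses is the key ID F1656F24C74CD1D8 quoted in the zypper output above.

```python
"""Check whether the key that signed repomd.xml is one of the published keys.

Added example; not part of the MariaDB bug report. Only packet parsing is
done here (no signature verification), which is enough to answer the
reporter's question: is the issuer key ID present in the published key file?
"""
import base64
import hashlib
import struct


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line) -> raw packets."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line and not line.startswith("=") and not (":" in line and not body):
            body.append(line)  # base64 data; ':' only occurs in armor header lines
    return base64.b64decode("".join(body))


def packets(data):
    """Yield (tag, body) for each OpenPGP packet, old- or new-format header."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 0:
                length, i = data[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i:i + length]
        i += length


def subpackets(buf):
    """Yield (type, data) for each signature subpacket in buf."""
    i = 0
    while i < len(buf):
        first, i = buf[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", buf[i:i + 4])[0], i + 4
        yield buf[i] & 0x7F, buf[i + 1:i + length]  # high bit is the 'critical' flag
        i += length


def signature_issuers(sig_body):
    """Key IDs (16 hex chars, upper case) a v4 signature packet claims as issuer."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[off:off + 2])[0]
    unhashed = sig_body[off + 2:off + 2 + unhashed_len]
    ids = set()
    for sub_type, data in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if sub_type == 16:  # Issuer: 8-octet key ID
            ids.add(data.hex().upper())
        elif sub_type == 33 and data[0] == 4:  # Issuer Fingerprint, v4: key ID = last 8 octets
            ids.add(data[1:][-8:].hex().upper())
    return ids


def v4_fingerprint(key_body):
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-octet length, key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def published_key_ids(armored_key):
    """Key IDs of the primary key and subkeys in a published public-key block."""
    return {v4_fingerprint(body)[-16:] for tag, body in packets(dearmor(armored_key))
            if tag in (6, 14) and body[0] == 4}  # tag 6: public key, 14: public subkey


def signer_is_published(armored_sig, armored_key):
    """Return (issuer key IDs, True if every issuer is in the published key file)."""
    issuers = set()
    for tag, body in packets(dearmor(armored_sig)):
        if tag == 2:  # signature packet
            issuers |= signature_issuers(body)
    return issuers, bool(issuers) and issuers <= published_key_ids(armored_key)


def _armor(label, data):
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (
        label, base64.b64encode(data).decode(), label)


def sample_signature(issuer_key_id):
    """CONSTRUCTED v4 signature packet naming issuer_key_id; not a real signature."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1666315200)        # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_key_id)       # Issuer subpacket
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + struct.pack(">H", 8) + b"\x80")         # left-16 hash bits, dummy MPI
    return _armor("SIGNATURE", bytes([0x89]) + struct.pack(">H", len(body)) + body)


def sample_public_key():
    """CONSTRUCTED v4 RSA public-key packet with a 16-bit modulus; not a real key."""
    body = (bytes([4]) + struct.pack(">I", 1600000000) + bytes([1])
            + struct.pack(">H", 16) + b"\x9a\xbd" + struct.pack(">H", 17) + b"\x01\x00\x01")
    return _armor("PUBLIC KEY BLOCK", bytes([0x98, len(body)]) + body)


if __name__ == "__main__":
    key = sample_public_key()
    sig = sample_signature("F1656F24C74CD1D8")  # key ID zypper reported as unknown
    issuers, ok = signer_is_published(sig, key)
    print("signature issuer(s):", sorted(issuers))
    print("published key IDs:  ", sorted(published_key_ids(key)))
    print("signed by a published key:", ok)
```

Against a real repository you would pass the text of repomd.xml.asc and of the downloaded MariaDB-Server-GPG-KEY file to signer_is_published; a False result with a non-empty issuer set is exactly the situation in the report (the repository is signed by a key that the published key file does not contain), and it is a stronger alert than zypper's interactive prompt because it can run unattended on the mirror before clients ever see the new metadata.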