MariaDB Server / MDEV-29844

SLES12 MariaDB repo now using unknown signing key

Details

    Description

      It looks like sometime within the last 24 hours, the SLES12 MariaDB repo at https://downloads.mariadb.com/MariaDB/mariadb-10.5/yum/sles/12/x86_64 changed signing keys, but no new key appears to have been published anywhere.

      We have SMT repo servers which mirror this repository, and after the latest mirroring at ~1:20AM UTC on 10/21/2022, the contents of the repo appear to have changed signing keys.

      All attempts to contact any of our SMT servers (e.g. just running zypper refresh) now report the following:

      Retrieving repository 'mariadb_repository' metadata [.
      Warning: File 'repomd.xml' from repository 'mariadb_repository' is signed with an unknown key 'F1656F24C74CD1D8'.

      Note: Signing data enables the recipient to verify that no modifications occurred after the data
      were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
      and in extreme cases even to a system compromise.

      Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
      whole repo.

      Warning: We can't verify that no one meddled with this file, so it might not be trustworthy
      anymore! You should not continue unless you know it's safe.

      File 'repomd.xml' from repository 'mariadb_repository' is signed with an unknown key 'F1656F24C74CD1D8'. Continue? [yes/no] (no): Cannot read input: bad stream or EOF.
      If you run zypper without a terminal, use '--non-interactive' global
      option to make zypper use default answers to prompts.
      error]
      Repository 'mariadb_repository' is invalid.
      [...] Valid metadata not found at specified URL
      Please check if the URIs defined for this repository are pointing to a valid repository.
      Skipping repository 'mariadb_repository' because of the above error.

      This problem is not specific to a single SMT server. All our SMT servers which mirrored overnight manifest this same problem.

      I've checked the GPG keys posted at the following locations:

      These are all the same key we already have, and not whatever key is currently in use by the MariaDB repository.

      Was this signing key switch intentional? If so, the new key needs to be published. If not, the contents of the repo are currently signed incorrectly.
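
A mirror-side check for the situation reported above, as an added example that is not part of the original report or of MariaDB's tooling: it reads the issuer key ID from a detached signature such as `repodata/repomd.xml.asc` (the usual rpm-md file name, assumed here) and reports any signer missing from a pinned set. All function names and the sample signature are constructed for illustration; the Issuer subpacket is not authenticated, so this flags a key change and does not replace `gpg --verify`.

```python
import base64

def dearmor(armored):  # base64 body sits between the blank line and the CRC/END lines
    body = armored.replace("\r", "").strip().split("\n\n", 1)[1].splitlines()
    return base64.b64decode("".join(l for l in body if l[:1] not in "=-"))

def read_len(buf, i, two_octet_max):  # new-format packet or subpacket length at buf[i]
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n <= two_octet_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def first_packet(raw):  # returns (tag, body) of the first OpenPGP packet
    if raw[0] & 0x40:                   # new-format header
        tag, (n, i) = raw[0] & 0x3F, read_len(raw, 1, 223)
    elif raw[0] & 3 == 3:
        raise ValueError("indeterminate length is not supported")
    else:                               # old-format header: 1, 2 or 4 length octets
        i = 1 + (1 << (raw[0] & 3))
        tag, n = (raw[0] >> 2) & 0x0F, int.from_bytes(raw[1:i], "big")
    return tag, raw[i:i + n]

def issuer_key_ids(armored):  # key IDs named by the Issuer subpackets of the signature
    tag, body = first_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    ids, pos = set(), 4                 # skip version, sig type, key algo, hash algo
    for _ in range(2):                  # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = read_len(body, pos, 254)
            kind, data = body[pos] & 0x7F, body[pos + 1:pos + n]
            # 16 = Issuer (8-byte key ID); 33 = Issuer Fingerprint (v4: last 8 bytes)
            if kind == 16 or (kind == 33 and data[:1] == b"\x04"):
                ids.add(data[-8:].hex().upper())
            pos += n
    return ids

def unpinned_signers(armored, pinned):  # signer key IDs missing from the pinned set
    return issuer_key_ids(armored) - {k.upper() for k in pinned}

# Constructed sample, not a real signature: dummy value, Issuer = key ID from the warning.
SAMPLE_ASC = "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(bytes.fromhex(
    "881d 04000108 0006 05026351f000 000a 0910f1656f24c74cd1d8 0000 0008ff"
)).decode() + "\n-----END PGP SIGNATURE-----\n"
```

Run after each mirror sync with the key IDs already imported on clients as `pinned`; a non-empty result means the repository metadata names a signer the clients do not yet trust.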

          People

            dbart Daniel Bartholomew
            davshapi David Shapiro